Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

command service & Smithfraud-C problems

Started by gremban , May 27 2008 12:29 PM

Please log in to reply

#1
gremban

Posted 27 May 2008 - 12:29 PM

Member

Member
11 posts

OK guy's I've infected my computer at work...getting multiple pop-ups...Icon's disappearing...desktop changes on it's own...I've run Spybot S/D... it cannot correct "cmdservice" & "Smithfraud-C core-service"
I also get a Explorer warning window..."Stop running script? A script on this page is causing I/E to run slowly. If it continues to run, your computer may become unresponsive." (with no browser window open)
The computer was nearly inoperable until I restored it to last Friday...at least now I can get on the net

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:11 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Summer\lsass.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Weather Pulse\weatherpulse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZVolume\ZVolume.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\System32\dlbtcoms.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\ACT\ACT for Win 7\Act7.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Summer\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [csr] csrrs.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Summer\lsass.exe
O4 - HKLM\..\Run: [{2D-DE-E7-78-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [{c0f33a35-cfa6-7426-e7c1-542840def001}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll" DllInit
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\pcntnkdm.exe DWram
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF
968951185EFC412806867680AEDE604D64C2661373F819EBDCD66A47
O4 - HKLM\..\Run: [9c62ded7] rundll32.exe "C:\WINDOWS\system32\gagcanvg.dll",b
O4 - HKLM\..\Run: [BM9f51ed4b] Rundll32.exe "C:\WINDOWS\system32\bfsollrf.dll",s
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7338] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9757] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7840] command /c del "C:\WINDOWS\b149.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2894] cmd /c del "C:\WINDOWS\b149.exe_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Weather Pulse] C:\Program Files\Weather Pulse\weatherpulse.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZVolume] C:\Program Files\ZVolume\ZVolume.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8137] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9787] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6836] command /c del "C:\WINDOWS\b149.exe_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9705] cmd /c del "C:\WINDOWS\b149.exe_tobedeleted_old"
O4 - Startup: Deewoo.lnk = ?
O4 - Startup: DW_Start.lnk = ?
O4 - Startup: Instant Memory Cleaner.lnk = C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
O4 - Startup: Microsoft Outlook (2).lnk = ?
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &KBase... - C:\Program Files\netXtract\SaveToKBmenu.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://crm.safetynet-inc.com'
O16 - DPF: Web-Based Email Tools - http://email.secures...et/Download.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158936801437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158933669500
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic....p/view22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540A0807-7E34-4BB9-A609-300232ADF87D}: NameServer = 24.247.15.53,24.247.24.53
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\profsybyxu.html

--
End of file - 11301 bytes

#2
kahdah

Posted 27 May 2008 - 06:58 PM

GeekU Teacher

Retired Staff
15,822 posts

Hello gremban

Welcome to G2Go.

=====================
The first thing I will need you to do is to Download ONE of these anti-virus programs and install it.
These are free.
Antivir
or
AVG free 8.0
Note this is free antispyware protection and Antivirus protection.
or
Avast

as long as you only install one.
=====================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

#3
gremban

Posted 28 May 2008 - 08:29 AM

Member

Topic Starter
Member
11 posts

Thanks for the help with this!

SDFix: Version 1.186
Run by Summer on Wed 05/28/2008 at 09:59 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
FTDISKK

Path :
System32\drivers\ftdiskk.sys

FTDISKK - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\vtmp2\ktnv33.log - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache(2).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(3).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(4).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(5).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(6).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(7).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(8).dsk - Deleted
C:\WINDOWS\system32\drivers\core.cache(9).dsk - Deleted
C:\Documents and Settings\Summer\lsass.exe - Deleted
C:\Documents and Settings\Summer\services.exe - Deleted
C:\Documents and Settings\Summer\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\Summer\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\Documents and Settings\Summer\x.dat - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\system32\drivers\FTDISKK.sys - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt

Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\Temp\vtmp2 - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 10:18:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe"="C:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe:*:Enabled:ACT! 7.x/2005"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 2 Aug 2005 293,888 A.SHR --- "C:\WINDOWS\QXR0aXR1ZGUgJiBFeHBlcmllbmNlLCBJbmM\command.exe"
Tue 19 Sep 2006 56 ..SHR --- "C:\WINDOWS\system32\2B4DB80345.sys"
Wed 12 Mar 2008 88 ..SHR --- "C:\WINDOWS\system32\4503B84D2B.sys"
Tue 27 May 2008 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 9 Apr 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 25 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Tue 9 Oct 2007 28,672 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0301.tmp"
Fri 9 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0465.tmp"
Fri 9 May 2008 58,368 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0496.tmp"
Tue 13 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0650.tmp"
Fri 22 Sep 2006 90,112 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0711.tmp"
Tue 6 May 2008 35,328 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0738.tmp"
Fri 9 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0767.tmp"
Tue 6 May 2008 30,208 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL0818.tmp"
Fri 22 Sep 2006 89,600 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL1126.tmp"
Tue 6 May 2008 35,328 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL1161.tmp"
Tue 13 May 2008 59,392 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL1686.tmp"
Wed 14 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL1821.tmp"
Mon 12 May 2008 58,368 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL2339.tmp"
Fri 22 Sep 2006 90,112 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL2433.tmp"
Wed 14 May 2008 59,392 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL2618.tmp"
Wed 14 May 2008 59,392 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL2641.tmp"
Mon 12 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL3256.tmp"
Fri 9 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL3285.tmp"
Wed 14 May 2008 19,456 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL3584.tmp"
Wed 14 May 2008 23,040 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL3668.tmp"
Wed 7 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL3688.tmp"
Thu 8 May 2008 58,880 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL3973.tmp"
Wed 14 May 2008 19,456 ...H. --- "C:\Documents and Settings\Summer\Application Data\Microsoft\Word\~WRL4047.tmp"

Finished!

#4
kahdah

Posted 28 May 2008 - 10:22 AM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome

Please visit this web page for instructions for downloading and running ComboFix
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

#5
gremban

Posted 28 May 2008 - 01:22 PM

Member

Topic Starter
Member
11 posts

[b]Again thank you![/b]

ComboFix 08-05-27.4 - Summer 2008-05-28 14:57:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.530 [GMT -4:00]
Running from: C:\Documents and Settings\Summer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Summer\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Summer\Application Data\macromedia\Flash Player\#SharedObjects\ZTQJGZV9\www.broadcaster.com
C:\Documents and Settings\Summer\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Summer\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\WINDOWS\BM9f51ed4b.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gvnacgag.ini
C:\WINDOWS\system32\hrwshjon.dll
C:\WINDOWS\system32\kkvcwdsp.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\MWHNnUvw.ini
C:\WINDOWS\system32\MWHNnUvw.ini2
C:\WINDOWS\system32\ps.exe
C:\WINDOWS\system32\psdwcvkk.ini
C:\WINDOWS\system32\smpi1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Service_core

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-28 )))))))))))))))))))))))))))))))
.

2008-05-28 10:37 . 2008-05-28 14:25 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-28 09:50 . 2008-05-28 09:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 09:44 . 2008-05-28 10:23 <DIR> d-------- C:\SDFix
2008-05-28 09:28 . 2008-05-28 14:43 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-28 09:28 . 2008-05-28 09:31 <DIR> d-------- C:\Documents and Settings\Summer\Application Data\AVGTOOLBAR
2008-05-28 09:28 . 2008-05-28 09:28 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-28 09:28 . 2008-05-28 09:28 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-28 09:28 . 2008-05-28 09:28 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-28 09:27 . 2008-05-28 09:27 <DIR> d-------- C:\Program Files\AVG
2008-05-28 09:27 . 2008-05-28 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-27 13:03 . 2008-05-27 13:03 <DIR> d-------- C:\VundoFix Backups
2008-05-27 09:42 . 2008-05-27 09:42 372,224 --a------ C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll
2008-05-27 09:32 . 2008-05-27 09:32 895 --a------ C:\WINDOWS\b104.exe.bin
2008-05-27 09:27 . 2008-05-27 09:27 891 --a------ C:\WINDOWS\b103.exe.bin
2008-05-27 09:22 . 2008-05-27 09:22 212,992 --a------ C:\WINDOWS\b116.exe.bin
2008-05-27 09:12 . 2008-05-27 09:42 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 09:12 . 2008-05-27 09:42 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 09:09 . 2008-05-27 09:09 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-27 09:09 . 2008-05-27 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 09:09 . 2008-05-27 10:34 213,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 09:09 . 2008-05-27 10:34 8,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 09:09 . 2008-05-27 10:34 3,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 09:09 . 2008-05-27 10:34 1,868 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-23 09:01 . 2008-05-23 09:01 375,296 --a------ C:\WINDOWS\system32\wvUnNHWM.dll
2008-05-23 08:57 . 2008-05-28 13:39 <DIR> d--hs---- C:\WINDOWS\QXR0aXR1ZGUgJiBFeHBlcmllbmNlLCBJbmM
2008-05-23 08:57 . 2008-05-23 09:51 200,768 --a------ C:\WINDOWS\system32\pcntnkdm.exe
2008-05-23 08:57 . 2008-05-28 08:37 63,918 --a------ C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll-uninst.exe
2008-05-23 08:57 . 2008-05-23 08:57 861 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-23 08:56 . 2008-05-28 13:55 <DIR> d-------- C:\WINDOWS\system32\vntiho18
2008-05-23 08:56 . 2008-05-28 13:52 <DIR> d-------- C:\WINDOWS\system32\igv
2008-05-23 08:56 . 2008-05-28 13:52 <DIR> d-------- C:\WINDOWS\system32\hI2
2008-05-23 08:56 . 2008-05-28 13:50 <DIR> d-------- C:\WINDOWS\system32\at1
2008-05-23 08:56 . 2008-05-28 13:49 <DIR> d-------- C:\WINDOWS\system32\1064a
2008-05-14 16:19 . 2008-05-14 16:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 16:19 . 2008-05-14 16:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 15:31 . 2008-05-12 15:31 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-12 15:31 . 2008-05-12 15:31 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-05-12 15:21 . 2008-05-12 15:23 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-12 15:20 . 2008-05-12 15:27 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-05-12 15:20 . 2008-05-12 15:20 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-12 15:20 . 2008-05-12 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-12 15:20 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-12 15:20 . 2006-12-13 17:52 20,992 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-05-12 15:19 . 2008-05-12 15:19 <DIR> d-------- C:\Documents and Settings\Summer\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 19:05 --------- d-----w C:\Documents and Settings\Summer\Application Data\OpenOffice.org2
2008-05-28 19:04 --------- d-----w C:\Program Files\Trojan Remover
2008-05-28 19:01 --------- d-----w C:\Documents and Settings\Summer\Application Data\DNA
2008-05-28 18:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-28 12:29 --------- d-----w C:\Program Files\Weather Pulse
2008-05-15 20:01 --------- d-----w C:\Documents and Settings\Summer\Application Data\BitTorrent
2008-05-14 20:21 --------- d-----w C:\Documents and Settings\Summer\Application Data\AdobeUM
2008-05-12 19:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 16:29 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-09 16:28 --------- d-----w C:\Program Files\Java
2008-04-02 16:01 --------- d-----w C:\Program Files\Microsoft Works
2007-05-16 16:12 32,768 ----a-w C:\Documents and Settings\Summer\setup9x.exe
2007-05-16 14:57 90,112 ----a-w C:\Documents and Settings\Summer\ps.exe
2007-05-16 14:57 73 ----a-w C:\Documents and Settings\Summer\n.bat
2007-05-16 14:57 167 ----a-w C:\Documents and Settings\Summer\7417.bat
2007-05-15 19:31 167 ----a-w C:\Documents and Settings\Summer\5776.bat
2007-05-15 18:31 167 ----a-w C:\Documents and Settings\Summer\2933.bat
2007-05-15 18:30 90,112 ----a-w C:\Documents and Settings\Jason\ps.exe
2007-05-15 18:30 73 ----a-w C:\Documents and Settings\Jason\n.bat
2007-05-15 18:30 549 ----a-w C:\Documents and Settings\Jason\x.dat
2007-05-15 18:30 167 ----a-w C:\Documents and Settings\Jason\8373.bat
2007-05-15 18:29 32,768 ----a-w C:\Documents and Settings\Jason\setup9x.exe
2007-05-15 18:22 167 ----a-w C:\Documents and Settings\Summer\1631.bat
2007-01-25 08:52 65,536 ----a-w C:\Program Files\Common Files\NMSAccessU.exe
2005-07-29 20:24 472 --sha-r C:\WINDOWS\QXR0aXR1ZGUgJiBFeHBlcmllbmNlLCBJbmM\krlXurlYt3o0L21IyJ15wA55vAh5MF1LvAg.vbs
2006-09-19 21:25 56 --sh--r C:\WINDOWS\system32\2B4DB80345.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}]
C:\WINDOWS\system32\tuvSLEVN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{645f8351-85b6-689c-ea11-b3309d12c430}]
2008-05-27 09:42 372224 --a------ C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F650917-006C-4260-87C0-89CC7AE467C6}]
2008-05-23 09:01 375296 --a------ C:\WINDOWS\system32\wvUnNHWM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-28 09:28 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-28 09:28 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-28 09:28 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather Pulse"="C:\Program Files\Weather Pulse\weatherpulse.exe" [2008-04-21 08:36 1859072]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"ZVolume"="C:\Program Files\ZVolume\ZVolume.exe" [2006-05-09 20:07 339968]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 08:33 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 15:12 290816]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36 50688]
"APL"="C:\Program Files\ACT\ACT for Win 7\APL.exe" [2005-05-24 16:42 20480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-05-15 18:21 1217104]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"{c0f33a35-cfa6-7426-e7c1-542840def001}"="C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll" [2008-05-27 09:42 372224]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-28 09:27 1177368]

C:\Documents and Settings\Summer\Start Menu\Programs\Startup\
Instant Memory Cleaner.lnk - C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe [2007-06-01 13:28:39 1155241]
Microsoft Outlook (2).lnk - C:\WINDOWS\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2006-09-08 14:43:10 104960]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 13:57:16 2913584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-26 18:06:24 110592]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-01-13 20:44:46 972064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}"= C:\WINDOWS\system32\tuvSLEVN.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSLEVN]
tuvSLEVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-28 09:28]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-28 09:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 09:27]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-28 09:28]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 18:02]
R2 NMSAccessU;NMSAccessU;C:\Program Files\Common Files\NMSAccessU.exe [2007-01-25 04:52]
R2 QuickBooksDB18;QuickBooksDB18;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 11:32]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 02:01]
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 19:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb80a447-2737-11dd-b668-000d56205b41}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fce1f1a6-4824-11db-b604-000d56205b41}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 03:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-28 19:06:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 15:04:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Summer\Local Settings\Application Data\ApplicationHistory\APL.exe.625fcfa3.ini.inuse

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-28 15:12:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-28 19:12:24

Pre-Run: 101,495,390,208 bytes free
Post-Run: 101,358,276,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

246 --- E O F --- 2007-12-21 21:58:52

________________________________________________________________________________
______________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:08 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Weather Pulse\weatherpulse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\ZVolume\ZVolume.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\Summer\Desktop\HiJackThis\HijackThis.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {3095D50F-F1BA-4BBC-A54D-819EEB7E0898} - C:\WINDOWS\system32\tuvSLEVN.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: gooochi browser optimizer - {645f8351-85b6-689c-ea11-b3309d12c430} - C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7F650917-006C-4260-87C0-89CC7AE467C6} - C:\WINDOWS\system32\wvUnNHWM.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{c0f33a35-cfa6-7426-e7c1-542840def001}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll" DllStart
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Weather Pulse] C:\Program Files\Weather Pulse\weatherpulse.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZVolume] C:\Program Files\ZVolume\ZVolume.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Instant Memory Cleaner.lnk = C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
O4 - Startup: Microsoft Outlook (2).lnk = ?
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &KBase... - C:\Program Files\netXtract\SaveToKBmenu.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://crm.safetynet-inc.com'
O16 - DPF: Web-Based Email Tools - http://email.secures...et/Download.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158936801437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158933669500
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic....p/view22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540A0807-7E34-4BB9-A609-300232ADF87D}: NameServer = 24.247.15.53,24.247.24.53
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: tuvSLEVN - tuvSLEVN.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

--
End of file - 10774 bytes

#6
kahdah

Posted 28 May 2008 - 03:04 PM

GeekU Teacher

Retired Staff
15,822 posts

1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\b116.exe.bin
C:\WINDOWS\b116.exe.bin
C:\WINDOWS\system32\wvUnNHWM.dll
C:\WINDOWS\system32\pcntnkdm.exe
C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll-uninst.exe
C:\WINDOWS\system32\winpfz33.sys
C:\Documents and Settings\Summer\setup9x.exe
C:\Documents and Settings\Summer\ps.exe
C:\Documents and Settings\Summer\n.bat
C:\Documents and Settings\Summer\7417.bat
C:\Documents and Settings\Summer\5776.bat
C:\Documents and Settings\Summer\2933.bat
C:\Documents and Settings\Jason\ps.exe
C:\Documents and Settings\Jason\n.bat
C:\Documents and Settings\Jason\x.dat
C:\Documents and Settings\Jason\8373.bat
C:\Documents and Settings\Jason\setup9x.exe
C:\Documents and Settings\Summer\1631.bat
E:\Start.exe
Folder::
C:\VundoFix Backups
C:\WINDOWS\QXR0aXR1ZGUgJiBFeHBlcmllbmNlLCBJbmM
C:\WINDOWS\system32\vntiho18
C:\WINDOWS\system32\igv
C:\WINDOWS\system32\hI2
C:\WINDOWS\system32\at1
C:\WINDOWS\system32\1064a
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{645f8351-85b6-689c-ea11-b3309d12c430}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7F650917-006C-4260-87C0-89CC7AE467C6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{c0f33a35-cfa6-7426-e7c1-542840def001}"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{3095D50F-F1BA-4BBC-A54D-819EEB7E0898}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvSLEVN]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb80a447-2737-11dd-b668-000d56205b41}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fce1f1a6-4824-11db-b604-000d56205b41}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#7
gremban

Posted 29 May 2008 - 01:48 PM

Member

Topic Starter
Member
11 posts

ComboFix 08-05-27.4 - Summer 2008-05-29 15:31:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.466 [GMT -4:00]
Running from: C:\Documents and Settings\Summer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Summer\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Jason\8373.bat
C:\Documents and Settings\Jason\n.bat
C:\Documents and Settings\Jason\ps.exe
C:\Documents and Settings\Jason\setup9x.exe
C:\Documents and Settings\Jason\x.dat
C:\Documents and Settings\Summer\1631.bat
C:\Documents and Settings\Summer\2933.bat
C:\Documents and Settings\Summer\5776.bat
C:\Documents and Settings\Summer\7417.bat
C:\Documents and Settings\Summer\n.bat
C:\Documents and Settings\Summer\ps.exe
C:\Documents and Settings\Summer\setup9x.exe
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\b116.exe.bin
C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll
C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll-uninst.exe
C:\WINDOWS\system32\pcntnkdm.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wvUnNHWM.dll
E:\Start.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jason\8373.bat
C:\Documents and Settings\Jason\n.bat
C:\Documents and Settings\Jason\ps.exe
C:\Documents and Settings\Jason\setup9x.exe
C:\Documents and Settings\Jason\x.dat
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\favicon.ico
C:\Documents and Settings\Summer\1631.bat
C:\Documents and Settings\Summer\2933.bat
C:\Documents and Settings\Summer\5776.bat
C:\Documents and Settings\Summer\7417.bat
C:\Documents and Settings\Summer\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Summer\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Summer\Local Settings\Temporary Internet Files\favicon.ico
C:\Documents and Settings\Summer\n.bat
C:\Documents and Settings\Summer\ps.exe
C:\Documents and Settings\Summer\setup9x.exe
C:\VundoFix Backups
C:\WINDOWS\b103.exe.bin
C:\WINDOWS\b104.exe.bin
C:\WINDOWS\b116.exe.bin
C:\WINDOWS\QXR0aXR1ZGUgJiBFeHBlcmllbmNlLCBJbmM
C:\WINDOWS\QXR0aXR1ZGUgJiBFeHBlcmllbmNlLCBJbmM\krlXurlYt3o0L21IyJ15wA55vAh5MF1LvAg.vbs
C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll-uninst.exe
C:\WINDOWS\system32\{fbb7469d-f7eb-bb5b-860e-c46b28bda0af}.dll
C:\WINDOWS\system32\1064a
C:\WINDOWS\system32\at1
C:\WINDOWS\system32\hI2
C:\WINDOWS\system32\igv
C:\WINDOWS\system32\pcntnkdm.exe
C:\WINDOWS\system32\vntiho18
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 10:37 . 2008-05-28 15:18 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-28 09:50 . 2008-05-28 09:50 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 09:44 . 2008-05-28 10:23 <DIR> d-------- C:\SDFix
2008-05-28 09:28 . 2008-05-29 09:56 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-28 09:28 . 2008-05-29 08:42 <DIR> d-------- C:\Documents and Settings\Summer\Application Data\AVGTOOLBAR
2008-05-28 09:28 . 2008-05-28 09:28 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-28 09:28 . 2008-05-28 09:28 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-28 09:28 . 2008-05-28 09:28 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-28 09:27 . 2008-05-28 09:27 <DIR> d-------- C:\Program Files\AVG
2008-05-28 09:27 . 2008-05-28 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-27 09:12 . 2008-05-27 09:42 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-27 09:12 . 2008-05-27 09:42 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-27 09:09 . 2008-05-27 09:09 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-27 09:09 . 2008-05-27 10:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 09:09 . 2008-05-27 10:34 213,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-27 09:09 . 2008-05-27 10:34 8,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-27 09:09 . 2008-05-27 10:34 3,932 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-27 09:09 . 2008-05-27 10:34 1,868 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-14 16:19 . 2008-05-14 16:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 16:19 . 2008-05-14 16:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 15:31 . 2008-05-12 15:31 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-12 15:31 . 2008-05-12 15:31 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-05-12 15:21 . 2008-05-12 15:23 <DIR> d-------- C:\Program Files\Avanquest update
2008-05-12 15:20 . 2008-05-12 15:27 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-05-12 15:20 . 2008-05-12 15:20 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-12 15:20 . 2008-05-12 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-12 15:20 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-05-12 15:20 . 2006-12-13 17:52 20,992 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-05-12 15:19 . 2008-05-12 15:19 <DIR> d-------- C:\Documents and Settings\Summer\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 19:36 --------- d-----w C:\Documents and Settings\Summer\Application Data\DNA
2008-05-29 17:55 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-29 13:15 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-29 12:36 --------- d-----w C:\Program Files\Trojan Remover
2008-05-29 12:19 --------- d-----w C:\Program Files\Weather Pulse
2008-05-28 19:05 --------- d-----w C:\Documents and Settings\Summer\Application Data\OpenOffice.org2
2008-05-15 20:01 --------- d-----w C:\Documents and Settings\Summer\Application Data\BitTorrent
2008-05-14 20:21 --------- d-----w C:\Documents and Settings\Summer\Application Data\AdobeUM
2008-05-12 19:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 16:29 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-04-09 16:28 --------- d-----w C:\Program Files\Java
2008-04-02 16:01 --------- d-----w C:\Program Files\Microsoft Works
2007-01-25 08:52 65,536 ----a-w C:\Program Files\Common Files\NMSAccessU.exe
2006-09-19 21:25 56 --sh--r C:\WINDOWS\system32\2B4DB80345.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-28_15.12.05.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-28 19:03:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 12:27:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-05-29 15:13:14 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-05-29 12:27:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-28 09:28 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-28 09:28 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-28 09:28 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather Pulse"="C:\Program Files\Weather Pulse\weatherpulse.exe" [2008-04-21 08:36 1859072]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"ZVolume"="C:\Program Files\ZVolume\ZVolume.exe" [2006-05-09 20:07 339968]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-08 08:33 289088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 15:12 290816]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36 50688]
"APL"="C:\Program Files\ACT\ACT for Win 7\APL.exe" [2005-05-24 16:42 20480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22 86016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-05-15 18:21 1217104]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-28 09:27 1177368]

C:\Documents and Settings\Summer\Start Menu\Programs\Startup\
Instant Memory Cleaner.lnk - C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe [2007-06-01 13:28:39 1155241]
Microsoft Outlook (2).lnk - C:\WINDOWS\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe [2006-09-08 14:43:10 104960]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 13:57:16 2913584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-01-26 18:06:24 110592]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-01-13 20:44:46 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-28 09:28]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-28 09:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 09:27]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-28 09:28]
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe [2003-05-31 18:02]
R2 NMSAccessU;NMSAccessU;C:\Program Files\Common Files\NMSAccessU.exe [2007-01-25 04:52]
R2 QuickBooksDB18;QuickBooksDB18;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [2006-09-13 11:32]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 02:01]
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE [2002-12-17 19:23]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 03:16:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-29 12:30:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 15:35:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-05-29 15:38:37
ComboFix-quarantined-files.txt 2008-05-29 19:37:34
ComboFix2.txt 2008-05-28 19:12:31

Pre-Run: 101,266,550,784 bytes free
Post-Run: 101,248,606,208 bytes free

217 --- E O F --- 2008-05-29 14:31:42

________________________________________________________________________________
_____

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:43 PM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Weather Pulse\weatherpulse.exe
C:\Program Files\ZVolume\ZVolume.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\dlbtcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Summer\Desktop\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Weather Pulse] C:\Program Files\Weather Pulse\weatherpulse.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZVolume] C:\Program Files\ZVolume\ZVolume.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Instant Memory Cleaner.lnk = C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
O4 - Startup: Microsoft Outlook (2).lnk = ?
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &KBase... - C:\Program Files\netXtract\SaveToKBmenu.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://crm.safetynet-inc.com'
O16 - DPF: Web-Based Email Tools - http://email.secures...et/Download.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158936801437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158933669500
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic....p/view22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540A0807-7E34-4BB9-A609-300232ADF87D}: NameServer = 24.247.15.53,24.247.24.53
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

--
End of file - 9672 bytes

#8
kahdah

Posted 29 May 2008 - 02:08 PM

GeekU Teacher

Retired Staff
15,822 posts

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
==================
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
====================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as button:
Save the file in txt format to your desktop.
Post that information in your next post.

===================
Post those logs and if you have to then make several posts in t his thread to fit them all.
Also a new Hijackthis log please.

#9
gremban

Posted 29 May 2008 - 02:23 PM

Member

Topic Starter
Member
11 posts

OK I'll be on it in the morning! I do appreciate the help! You will find a little extra in you pay this week!

#10
kahdah

Posted 29 May 2008 - 02:45 PM

GeekU Teacher

Retired Staff
15,822 posts

Thanks and you are welcome

#11
gremban

Posted 29 May 2008 - 02:55 PM

Member

Topic Starter
Member
11 posts

Kaspersky Scan will come in the AM

Malwarebytes' Anti-Malware 1.12
Database version: 799

Scan type: Quick Scan
Objects scanned: 41511
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12
gremban

Posted 30 May 2008 - 07:02 AM

Member

Topic Starter
Member
11 posts

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 9:01:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 812777
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 87448
Number of viruses found: 27
Number of infected objects: 69
Number of suspicious objects: 0
Duration of the scan process: 02:40:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-05172007-164819.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService10.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/mrofinu1188.exe Infected: Trojan-Downloader.Win32.Homles.bq skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip/mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl2.zip/b149.exe Infected: not-a-virus:Downloader.Win32.Agent.ak skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\QBDataServiceUser18\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\13\1fea448d-548163ef/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\13\1fea448d-548163ef/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\13\1fea448d-548163ef/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\13\1fea448d-548163ef ZIP: infected - 3 skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-1e8403c6/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-1e8403c6/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-1e8403c6/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-1e8403c6 ZIP: infected - 3 skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1de378a8/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1de378a8/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1de378a8/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1de378a8 ZIP: infected - 3 skipped
C:\Documents and Settings\Summer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\History\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\Temp\flaDFE.tmp Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\Temp\~DF50B0.tmp Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Summer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Summer\My Documents\ACT\ACT for Win 7\Databases\A_E.ADF Object is locked skipped
C:\Documents and Settings\Summer\My Documents\ACT\ACT for Win 7\Databases\A_E.ALF Object is locked skipped
C:\Documents and Settings\Summer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Summer\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\LOG\ERRORLOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Jason\ps.exe.vir Infected: not-a-virus:PSWTool.Win32.PassView.az skipped
C:\QooBox\Quarantine\C\Documents and Settings\Summer\ps.exe.vir Infected: not-a-virus:PSWTool.Win32.PassView.az skipped
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.bin.vir/b116.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.bin.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ps.exe.vir Infected: not-a-virus:PSWTool.Win32.PassView.az skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP32\A0001097.exe/data0005 Infected: Trojan-Downloader.Win32.VB.bco skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP32\A0001097.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP87\A0002985.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP87\A0003060.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0003068.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0004077.exe Infected: Trojan-Downloader.Win32.Agent.pbq skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0004095.exe Infected: Trojan-Downloader.Win32.Agent.qqn skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0004098.exe Infected: Trojan.Win32.VB.cng skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0004102.exe Infected: Trojan-Downloader.Win32.Homles.bq skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0004103.exe Infected: not-a-virus:AdWare.Win32.Rond.f skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0004104.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP89\A0004105.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP90\A0004168.exe Infected: Trojan-Downloader.Win32.Agent.nfz skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP90\A0004169.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP90\A0004273.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP90\A0004278.exe Infected: Trojan.Win32.BHO.bkm skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP90\A0004280.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP90\A0004285.exe Infected: Trojan-Downloader.Win32.Homles.bq skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP91\A0004347.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP92\A0004354.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP93\A0004403.exe Infected: Trojan-Downloader.Win32.Homles.bq skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP93\A0004404.exe Infected: Trojan-Downloader.Win32.Homles.bo skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP93\A0004612.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004676.exe Infected: Trojan.Win32.VB.cng skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004704.exe Infected: Trojan.Win32.VB.cng skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004785.exe/data0005 Infected: Trojan-Downloader.Win32.VB.bco skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004785.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004790.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004791.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bg skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004792.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004793.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004793.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004793.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004794.exe Infected: Trojan.Win32.Agent.lom skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004795.exe Infected: Trojan-Downloader.Win32.Small.vvk skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004797.exe Infected: Trojan-Downloader.Win32.VB.bco skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004798.exe Infected: Trojan-Downloader.Win32.VB.epp skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP94\A0004801.dll Infected: Trojan.Win32.Inject.cif skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP95\A0004838.exe Infected: not-a-virus:PSWTool.Win32.PassView.az skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP97\A0004999.exe Infected: not-a-virus:PSWTool.Win32.PassView.az skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP97\A0005006.exe Infected: not-a-virus:PSWTool.Win32.PassView.az skipped
C:\System Volume Information\_restore{56AE2526-220C-4160-98CC-4BA5E7F59A2A}\RP97\change.log Object is locked skipped
C:\WINDOWS\b.0xe Infected: Backdoor.Win32.EggDrop.v skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\csrrs.0xe Infected: Backdoor.Win32.EggDrop.v skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\~1.tmp Infected: Packed.Win32.PolyCrypt.d skipped

Scan process completed.

#13
gremban

Posted 30 May 2008 - 07:04 AM

Member

Topic Starter
Member
11 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:57 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Weather Pulse\weatherpulse.exe
C:\Program Files\ZVolume\ZVolume.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\dlbtcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Documents and Settings\Summer\Desktop\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Weather Pulse] C:\Program Files\Weather Pulse\weatherpulse.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZVolume] C:\Program Files\ZVolume\ZVolume.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: Instant Memory Cleaner.lnk = C:\Program Files\Vasilios Applications\Instant Memory Cleaner\Instant Memory Cleaner.exe
O4 - Startup: Microsoft Outlook (2).lnk = ?
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &KBase... - C:\Program Files\netXtract\SaveToKBmenu.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: netXtract® - {1FB62888-D13A-11d3-AF5D-00C0DF647817} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://crm.safetynet-inc.com'
O16 - DPF: Web-Based Email Tools - http://email.secures...et/Download.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158936801437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1158933669500
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://servicemagic....p/view22RTE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{540A0807-7E34-4BB9-A609-300232ADF87D}: NameServer = 24.247.15.53,24.247.24.53
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe

--
End of file - 10038 bytes

#14
kahdah

Posted 30 May 2008 - 07:13 AM

GeekU Teacher

Retired Staff
15,822 posts

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)

Now click on Fix Checked and then close Hijackthis.
=================================
Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\b.0xe
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1de378a8.ZIP
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-1e8403c6.ZIP
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\13\1fea448d-548163ef.ZIP
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\13\1fea448d-548163ef
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\14\1907720e-1e8403c6
C:\Documents and Settings\Summer\Application Data\Sun\Java\Deployment\cache\6.0\27\63f76a5b-1de378a8
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl2.zip 
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService10.zip
C:\WINDOWS\system32\csrrs.0xe 
C:\~1.tmp

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========
Post back with that log and we will wrap it up.