On Nov 25, 2008 at 09:57 AM I ran the Malwarebytes' Anti-Malware program, and my log is below:
[quote]Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 2
11/25/2008 8:07:27 AM
mbam-log-2008-11-25 (08-07-27).txt
Scan type: Full Scan (C:\|)
Objects scanned: 270652
Time elapsed: 3 hour(s), 38 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 32
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vccpgdataaccess.pgdataaccessctrl.1 (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{41700749-a109-4254-af13-be54011e8783} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a8b0f390-e6bf-4027-a4d4-1e4363f5e27b} (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a9e33220-0b05-11d7-88d2-444553540000} (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0abbf96-17dc-44ca-96d0-6217064a97ba} (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5d60ff48-95be-4956-b4c6-6bb168a70310} (Trojan.KeenValue) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a8bd9566-9895-4fa3-918d-a51d4cd15865} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d0070620-1e72-42e7-a14c-3a255ad31839} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3E7145B1-EA07-42CE-9299-11DF39FF54BD} (Adware.2ndThought ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{34EF5B1C-52CB-400b-8B7C-F787018B3826} (Adware.2ndThought ) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073} (Adware.Delphinmediaviewer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f7258f6e-9f60-49c0-8c82-f0a0993d68e0} (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{97d860c4-f072-477b-b241-409f7cffb954} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a7bcc8e-b65d-409a-bb67-57e8226d1780} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (Adware.TargetSaver) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\p2pnetworks (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keisha Davis\Application Data\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\~tmp143 (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0547740.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550806.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\p2pnetworks\alp2plib.log (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\p2pnetworks\mpp2pl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\p2pnetworks\p2pnetworks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\p2pnetworks\uninst.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keisha Davis\Application Data\NetPumper\Keisha_20Davis.ini (Adware.NetPumper) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmccli.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DLLCACHE\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\U.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\userinit.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wini10254.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\osconfig.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\osmim.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\okshook.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\osrouter.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\Documents and Settings\Keisha Davis\Application Data\tvmknwrd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\ie.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.[/quote]
After running this, the red circle with the white X was gone, but the system still seemed a little sluggish, and I was getting NotifyAlert.exe error messages and something about a JIT Debugger error as well.
Then, on Nov 25, 2008 at 02:48 PM, I installed / downloaded the Recovery Console, ComboFix and HijackThis, in that order. The ComboFix and HijackThis logs are below:
[quote]ComboFix 08-11-24.03 - Keisha Davis 2008-11-25 13:48:16.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.654 [GMT -5:00]
Running from: c:\documents and settings\Keisha Davis\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-25 to 2008-11-25 )))))))))))))))))))))))))))))))
.
2008-11-25 01:17 . 2008-11-25 01:17 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-25 01:17 . 2008-11-25 01:17 <DIR> d-------- c:\documents and settings\Keisha Davis\Application Data\Malwarebytes
2008-11-25 01:17 . 2008-11-25 01:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-25 01:17 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-25 01:17 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-10-29 23:15 . 2008-10-29 23:15 <DIR> d-------- c:\program files\Xilisoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 18:05 4,588 ----a-w c:\windows\SYSTEM32\PerfStringBackup.TMP
2008-11-13 08:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-30 03:30 --------- d-----w c:\documents and settings\Keisha Davis\Application Data\Apple Computer
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 14:04 --------- d-----w c:\documents and settings\Keisha Davis\Application Data\webex
2008-10-15 16:57 332,800 ----a-w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 14:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-15 07:56 --------- d-----w c:\program files\Spyware Doctor
2008-10-14 11:45 --------- d-----w c:\program files\HP
2008-10-13 20:13 --------- d-----w c:\program files\iTunes
2008-10-13 20:13 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-13 20:12 --------- d-----w c:\program files\iPod
2008-10-12 00:32 --------- d-----w c:\documents and settings\Keisha Davis\Application Data\PC Tools
2008-10-12 00:23 --------- d--h--w c:\documents and settings\Keisha Davis\Application Data\GTek
2008-10-12 00:23 --------- d--h--w c:\documents and settings\Guest\Application Data\Gtek
2008-10-12 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2008-10-12 00:19 --------- d-----w c:\program files\Dell Support Center
2008-10-12 00:19 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2008-10-11 23:20 --------- d-----w c:\program files\FreeFixer
2008-10-06 14:46 --------- d-----w c:\program files\Yahoo! Games
2008-10-03 17:41 6,066,176 ------w c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-30 21:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-28 20:37 --------- d-----w c:\documents and settings\Keisha Davis\Application Data\GamesCafe
2008-09-27 09:54 --------- d-----w c:\program files\Windows Media Connect 2
2008-09-27 09:29 --------- d-----w c:\program files\Bonjour
2008-09-27 09:27 --------- d-----w c:\program files\QuickTime
2008-09-27 09:26 --------- d-----w c:\program files\Common Files\Apple
2008-09-27 09:22 --------- d-----w c:\program files\Apple Software Update
2008-09-25 17:27 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\win32k.sys
2008-09-15 11:57 1,846,016 ----a-w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\SYSTEM32\msxml3.dll
2008-09-04 16:42 1,106,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-08-30 01:06 1,350,664 ----a-w c:\windows\SYSTEM32\msxml6.dll
2008-08-29 14:18 87,336 ----a-w c:\windows\SYSTEM32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\SYSTEM32\dnssd.dll
2008-08-28 10:04 333,056 ----a-w c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-08-27 08:24 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-08-25 08:38 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-25 08:37 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-02-06 05:38 54,752 ----a-w c:\documents and settings\Keisha Davis\Application Data\GDIPFONTCACHEV1.DAT
2006-11-27 00:10 46,760 ----a-w c:\documents and settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2005-11-28 03:58 26,958 ----a-w c:\program files\Movieland Terms.html
2005-05-31 00:15 1,917 ----a-w c:\program files\Installed Items.lnk
2004-08-30 15:28 39 ----a-w c:\documents and settings\Keisha Davis\Application Data\tvmcwrd.dll
2003-11-05 02:22 6,656 ----a-w c:\documents and settings\Keisha Davis\Application Data\xuarautn.exe
2003-11-05 02:20 6,656 ----a-w c:\documents and settings\Keisha Davis\Application Data\vmztfccr.exe
2003-11-04 04:21 6,656 ----a-w c:\documents and settings\Keisha Davis\Application Data\hgnmcbhf.exe
2003-11-02 02:29 6,656 ----a-w c:\documents and settings\Keisha Davis\Application Data\bdvaooet.exe
2003-10-10 06:01 40,960 ---ha-w c:\documents and settings\Keisha Davis\ncmyb.dll
2003-10-10 06:01 1,842,680 ---ha-w c:\documents and settings\Keisha Davis\kyf.dat
2004-07-03 00:38 320,872 --sha-r c:\windows\SYSTEM32\2bdsrch.dll
2004-07-02 06:24 316,776 --sha-r c:\windows\SYSTEM32\2odsrch.dll
2004-06-19 03:46 316,776 --sha-r c:\windows\SYSTEM32\add.dll
2004-06-19 03:46 316,776 --sha-r c:\windows\SYSTEM32\andl.dll
2004-06-19 03:46 316,776 --sh--r c:\windows\SYSTEM32\aqdl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TSIFile]
@="{FE2E26BF-1833-43B6-920F-23EA82E9BD51}"
[HKEY_CLASSES_ROOT\CLSID\{FE2E26BF-1833-43B6-920F-23EA82E9BD51}]
2005-05-02 13:30 1448448 --a------ c:\progra~1\THESIM~1\TSRWIZ~1\SHELLI~1.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Continue Setup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Continue Setup.lnk
backup=c:\windows\pss\Continue Setup.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\updater.lnk
backup=c:\windows\pss\updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Keisha Davis^Start Menu^Programs^Startup^Connection Manager.lnk]
path=c:\documents and settings\Keisha Davis\Start Menu\Programs\Startup\Connection Manager.lnk
backup=c:\windows\pss\Connection Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AStart]
c:\windows\AStart [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2002-09-10 21:26 368706 c:\program files\BroadJump\Client Foundation\CFD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra------ 2002-08-14 19:22 28672 c:\windows\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2005-01-12 14:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 15:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2002-12-20 18:01 184320 c:\program files\McAfee.com\Agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2002-09-04 09:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-12 06:25 11776 c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notification Utility]
--a------ 2005-12-26 01:05 409600 c:\program files\ItBill\itbill.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 13:16 5058560 c:\windows\SYSTEM32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2003-10-06 13:16 49152 c:\windows\SYSTEM32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QAGENT]
--a------ 2001-08-01 11:30 94208 c:\program files\QUICKENW\qagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2002-10-04 14:09 139264 c:\progra~1\McAfee.com\VSO\mcvsshld.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 c:\windows\BCMSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 13:16 741376 c:\windows\SYSTEM32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\SYSTEM32\\mshta.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Keisha Davis\\My Documents\\IEXPLORE.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2006-09-12 307295]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\mrtRate.sys [2006-06-26 34712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-09 24652]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\DRIVERS\vna.sys [2006-09-12 109008]
S2 WinToolsSvc;WinTools for IE service;c:\program files\Common Files\WinTools\WToolsS.exe []
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-10-11 c:\windows\Tasks\ACD67A3D9189EC5D.job
- c:\progra~1\basedo~1\setupmediaaxis.exe []
2008-10-11 c:\windows\Tasks\AF26BAA391852CB7.job
- c:\progra~1\basedo~1\setupmediaaxis.exe []
2008-10-11 c:\windows\Tasks\At1.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At10.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At11.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At12.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At13.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At14.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At15.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At16.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At17.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At18.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At19.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At2.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At20.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At21.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At22.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At23.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At24.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At25.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At26.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At27.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At28.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At29.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At3.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At30.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At31.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At32.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At33.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At34.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At35.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At36.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At37.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At38.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At39.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At4.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At40.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At41.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At42.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At43.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At44.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At45.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At46.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At47.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At48.job
- c:\windows\system32\Y60Kw108.exe []
2008-10-11 c:\windows\Tasks\At5.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At6.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At7.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At8.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\At9.job
- c:\windows\system32\Nc0b2af6.exe []
2008-10-11 c:\windows\Tasks\EasyShare Registration RunOnce Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 02:56]
2008-10-05 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2004-08-04 02:56]
2004-02-18 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1077087270.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2005-01-12 14:54]
2004-09-19 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1095535072.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2005-01-12 14:54]
2008-10-11 c:\windows\Tasks\McAfee.com Update Check (D6J63F21-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]
2008-10-11 c:\windows\Tasks\McAfee.com Update Check (D6J63F21-Owner).job
- c:\progra~1\McAfee.com\Agent [2008-02-22 19:16]
2008-10-11 c:\windows\Tasks\McAfee.com Update Check (KEISHA-Guest).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]
2008-10-11 c:\windows\Tasks\McAfee.com Update Check (KEISHA-Guest).job
- c:\progra~1\McAfee.com\Agent [2008-02-22 19:16]
2008-10-11 c:\windows\Tasks\McAfee.com Update Check (KEISHA-Keisha Davis).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 09:28]
2008-10-11 c:\windows\Tasks\McAfee.com Update Check (KEISHA-Keisha Davis).job
- c:\progra~1\McAfee.com\Agent [2008-02-22 19:16]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Keisha Davis\Application Data\Mozilla\Firefox\Profiles\gcavcvdb.default\
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1660)
c:\progra~1\THESIM~1\TSRWIZ~1\SHELLI~1.DLL
.
Completion time: 2008-11-25 13:54:25
ComboFix-quarantined-files.txt 2008-11-25 18:52:47
ComboFix2.txt 2008-11-25 18:14:44
Pre-Run: 6,085,468,160 bytes free
Post-Run: 6,067,286,016 bytes free
355 --- E O F --- 2008-11-13 08:30:09[/quote]
The HijackThis log is below:
[quote]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:20 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} - http://www.fastacces...oad/tgctlpw.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} (Crystal Reports Print Control 11.5) - https://clinicalrepo...rintControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://vpn.sra.com/...LL/extender.cab
O16 - DPF: {D3E33EA6-92BF-444E-9DF3-E7F879F2006F} (TSRFileManagerXControl Control) - http://www.thesimsre...ationWizard.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vnc.webex.co...bex/ieatgpc.cab
O16 - DPF: {EF732B7C-BFF6-49B1-A32C-3C74C318FDCC} (VPlayer Control) - http://www.thesecret...player_ocx.jpeg
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
--
End of file - 7734 bytes[/quote]
OK, so lastly I ran the Kaspersky online scanner and generated a fresh HJT log. As you can see, there are still a lot of items coming up, so I am sure that the PC is still infected.
[quote]--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 3, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 02, 2008 08:37:19
Records in database: 1431435
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Files scanned: 215222
Threat name: 65
Infected objects: 235
Suspicious objects: 0
Duration of the scan: 05:01:52
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Mail Mp3 Flaw 64\DEAFAIM.exe Infected: Packed.Win32.PolyCrypt.d 1
C:\Documents and Settings\Keisha Davis\.jpi_cache\file\1.0\Dummy.class-2870b5a-65a7f41a.class Infected: Trojan.Java.ClassLoader.Dummy.e 1
C:\Documents and Settings\Keisha Davis\.jpi_cache\file\1.0\WebCounter.class-5519b10e-6a6a0155.class Infected: Trojan.Java.ClassLoader.c 1
C:\Documents and Settings\Keisha Davis\Application Data\bdvaooet.exe Infected: Trojan-Downloader.Win32.Small.bp 1
C:\Documents and Settings\Keisha Davis\Application Data\hgnmcbhf.exe Infected: Trojan-Downloader.Win32.Small.bp 1
C:\Documents and Settings\Keisha Davis\Application Data\vmztfccr.exe Infected: Trojan-Downloader.Win32.Small.bp 1
C:\Documents and Settings\Keisha Davis\Application Data\xuarautn.exe Infected: Trojan-Downloader.Win32.Small.bp 1
C:\Documents and Settings\Keisha Davis\FLEOK\msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions 1
C:\Documents and Settings\Keisha Davis\My Documents\ .htm Infected: Trojan.JS.NoClose.r 1
C:\Documents and Settings\Keisha Davis\ncmyb.dll Infected: not-a-virus:AdWare.Win32.180Solutions 1
C:\Program Files\altpayV2\altpayV2.exe Infected: not-a-virus:AdWare.Win32.WeirWeb.a 1
C:\Program Files\Common Files\tsa\ts2.exe Infected: Trojan-Downloader.Win32.TSUpdate.h 1
C:\Program Files\Common Files\tsa\tsl.exe Infected: Trojan-Downloader.Win32.TSUpdate.f 1
C:\Program Files\Common Files\tsa\tsl2.exe Infected: Trojan-Downloader.Win32.TSUpdate.g 1
C:\Program Files\Common Files\tsa\tsm2.exe Infected: Trojan-Downloader.Win32.TSUpdate.g 1
C:\Program Files\Common Files\tsa\tsp2.exe Infected: Trojan-Downloader.Win32.TSUpdate.g 1
C:\Program Files\Hijack This\backups\backup-20040904-172001-173.dll Infected: Trojan-Downloader.Win32.Swizzor.fg 1
C:\Program Files\Internet Explorer\smxva.exe Infected: Backdoor.Win32.Padodor.gen 1
C:\Program Files\Internet Explorer\ttvvrkun.exe Infected: Trojan-Spy.Win32.Agent.n 1
C:\Program Files\Internet Explorer\winupdt.exe Infected: not-a-virus:AdWare.Win32.BestPhrases.a 1
C:\Program Files\ItBill\itbill.exe Infected: Backdoor.Win32.Agent.so 1
C:\Program Files\Windrv\Util\Remove.exe Infected: not-a-virus:AdWare.Win32.WebSearch.bc 1
C:\Program Files\xpdrv32\Util\CD51D9RR.dll Infected: not-a-virus:AdWare.Win32.WebSearch.bf 1
C:\Program Files\xpdrv32\Util\Remove.exe Infected: not-a-virus:AdWare.Win32.WebSearch.bf 1
C:\Qoobox\Quarantine\C\Program Files\MediaPipe\altpayV2.exe.vir Infected: not-a-virus:AdWare.Win32.WeirWeb.a 1
C:\Qoobox\Quarantine\C\Program Files\MediaPipe\api.exe.vir Infected: not-a-virus:AdWare.Win32.WeirWeb.a 1
C:\Qoobox\Quarantine\C\updt.exe.vir Infected: not-a-virus:AdWare.Win32.BestPhrases.a 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_80.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_88-1.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_88.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_94.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall5_20-1.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall5_40.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall5_48.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall5_64.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall6_10.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall6_22.exe.vir Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\cidrules.dll.vir Infected: Trojan-Downloader.Win32.TargetSoft.a 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\inetadpt.dll.vir Infected: Trojan-Downloader.Win32.TargetSoft.a 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\update.exe.vir Infected: Trojan.Win32.Aditer.b 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wincore.dll.vir Infected: Trojan-Downloader.Win32.TargetSoft.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0547747.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0547761.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0547766.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0549766.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0549768.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550796.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550800.exe Infected: Trojan-Downloader.Win32.Firu.aup 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550814.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550816.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550850.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550861.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550874.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550901.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550903.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550917.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1868\A0550918.exe Infected: Trojan-Downloader.Win32.Small.afht 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1876\A0554618.exe Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.be 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1877\A0556843.sys Infected: Backdoor.Win32.UltimateDefender.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1877\A0556844.SYS Infected: Backdoor.Win32.UltimateDefender.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1877\A0556845.sys Infected: Backdoor.Win32.UltimateDefender.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556907.exe Infected: not-a-virus:AdWare.Win32.WeirWeb.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556908.exe Infected: not-a-virus:AdWare.Win32.WeirWeb.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556914.exe Infected: not-a-virus:AdWare.Win32.BestPhrases.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556916.dll Infected: Trojan-Downloader.Win32.TargetSoft.a 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556917.exe Infected: Trojan.Win32.Aditer.b 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556918.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556919.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556920.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556921.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1878\A0556922.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information