Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
slow pc, viruses and scvhoost
 
stardust7178
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
22-Mar-2008, 01:28 PM #1
Two days ago I noticed the PC was running incredibly slowly while I was searching for info on the internet with several IE windows open, and Firefox too. Then yesterday BitDefender started to show repeatedly a series of alerts regarding viruses it had just blocked:
Generic.Malware.SP!BdldPk!g.AC827233
Exploit.HTML.Agent.AD
Exploit.HTML.Agent.Z

It starts to happen the moment I log onto Yahoo Messenger. When the antivirus alert is displayed, the messenger brings up an error dialog informing me of a script error, showing the URL [url removed by Cookiegal] and asking if I want to continue running the script on the page. It also displays a second error message saying that Windows cannot find scvhoost.exe. Furthermore, I noticed that sometimes when I use either of the two browsers the status bar says it is trying to connect to [url removed by Cookiegal].

I scanned the PC with BitDefender, Spybot and Ad-Aware. Nothing; they said it's clean. I ran the Trend Micro online scan and again nothing, except the warning that a few Windows updates are needed. I tried the Panda online scan but it crashed both browsers. The problem still remains.

Earlier I was on the other PC; they're both connected to the same router. NOD32 came up with a similar warning regarding [url removed by Cookiegal] and, although it claimed it fixed the problem, the warning showed up again some time later when I reopened IE. Initially I was browsing imdb.com and after the first alert it failed to display the ads on the site.

I obviously need help with this. Thanks a lot.

Here is the HijackThis report for the first pc:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:18 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINCMD5\WINCMD32.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
E:\Arhive\Utilitare\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AVerQuick.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444379354000} -
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: wampapache - Apache Software Foundation - c:\Wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\Wamp\mysql\bin\mysqld-nt.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6158 bytes

Last edited by Cookiegal : 25-Mar-2008 07:13 PM.
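The error the poster quotes, "Windows cannot find scvhoost.exe", is the tell here: scvhoost.exe is not a Windows binary but a near-misspelling of svchost.exe, the generic service host that appears several times in the process list above, and malware names its files this way so that a glance down a process or autostart list passes over them. The HijackThis log as posted contains no reference to that name, so whatever still points at it is not in the sections HijackThis shows. The script below is an added example for this thread, not HijackThis code or anything the poster ran: it walks HijackThis-style lines and flags near-misspellings of core binaries (difflib similarity, threshold 0.8), core-named binaries registered outside C:\WINDOWS and C:\WINDOWS\system32, and entries with no backing file or download source, such as the "(no file)" BHO and the two O16 entries without a source in the log above. The sample lines are copied from the posted log plus two constructed lines (the [scvhoost] entry and the HKCU [svchost] entry) that show what a hit looks like; the core-binary list and threshold are choices of this example.

```python
"""Triage helpers for HijackThis-style log lines.

Added example for this thread, not HijackThis or forum code. It flags
(1) names that are near-misspellings of core Windows binaries (the poster's
    "scvhoost.exe" versus the genuine svchost.exe),
(2) core binary names registered outside the system directories,
(3) entries with no backing file or download source.
"""
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Core Windows XP binaries that malware commonly imitates by misspelling
# (list chosen for this example).
CORE_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}
# Where the genuine copies live on a default XP install.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Pulls a Windows path ending in .exe/.dll out of any log line, quoted or not.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)

# Sample input: lines copied from the posted log, plus two CONSTRUCTED lines
# (the "[scvhoost]" and the HKCU "[svchost]" entries) that are not in the log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [scvhoost] C:\WINDOWS\scvhoost.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\svchost.exe
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O23 - Service: wampmysqld - Unknown owner - c:\Wamp\mysql\bin\mysqld-nt.exe
"""


def lookalike_of(name, threshold=0.8):
    """Return the core binary `name` most resembles, or None.

    A genuine core name returns None. Similarity is difflib's ratio, so
    "scvhoost.exe" scores about 0.87 against "svchost.exe" and is reported,
    while unrelated names such as "bdagent.exe" stay well below 0.8.
    """
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    best, score = max(
        ((core, SequenceMatcher(None, name, core).ratio()) for core in CORE_BINARIES),
        key=lambda pair: pair[1],
    )
    return best if score >= threshold else None


def triage_line(line):
    """Return the reasons a single log line deserves a closer look."""
    reasons = []
    stripped = line.rstrip()
    # HijackThis prints "(no file)" for a registered component whose DLL is
    # gone, and a bare trailing "-" for a DPF object with no download source.
    if stripped.endswith("(no file)") or stripped.endswith(" -"):
        reasons.append("orphaned entry: no backing file or source URL")
    for path in PATH_RE.findall(line):
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name in CORE_BINARIES and parent not in SYSTEM_DIRS:
            reasons.append(f"core name {name} outside a system directory: {path}")
        look = lookalike_of(name)
        if look:
            reasons.append(f"{name} looks like a misspelling of {look}: {path}")
    return reasons


def triage(log_text):
    """Run triage_line over a whole log; returns (reason, line) pairs."""
    return [(reason, line) for line in log_text.splitlines()
            for reason in triage_line(line)]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run as a script it prints the four hits in the sample; with a real log, pass the whole file to triage(). The similarity check is a screen, not a verdict: a name that passes it can still be a dropped copy, so the file's hash and signature are what settle it, and the threshold will want tuning if you extend the core list.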
Cookiegal
Administrator with 49,625 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
25-Mar-2008, 10:27 AM #2
Hi and welcome to TSG,

Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix:

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.


Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security

Alliance of Security Analysis Professionals
stardust7178
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
25-Mar-2008, 01:28 PM #3
I ran ComboFix as instructed and here are the report and the HijackThis log. I find it odd that it says the Recovery Console is not installed; I followed all the steps from the guide and I thought I installed it right before running ComboFix. I noticed it freed quite a bit of space on drive C. Oh, and I turned the antivirus and firewall back on before going online. What next?


ComboFix 08-03-25.1 - viosanacasa 2008-03-25 19:14:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.734 [GMT -8:00]
Running from: C:\Documents and Settings\viosanacasa\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-24 17:50 . 2008-03-24 17:56 <DIR> d-------- C:\Program Files\XoftSpySE
2008-03-24 08:48 . 2008-03-24 08:48 7,168 --ahs---- C:\WINDOWS\Thumbs.db
2008-03-23 14:49 . 2008-03-23 14:49 <DIR> d-------- C:\Program Files\AskPBar
2008-03-23 14:47 . 2008-03-25 18:21 <DIR> d-------- C:\Program Files\Trillian
2008-03-22 12:49 . 2008-03-22 12:41 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-22 12:40 . 2008-03-22 12:52 <DIR> d-------- C:\Documents and Settings\viosanacasa\.housecall6.6
2008-03-22 11:34 . 2008-03-22 20:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-22 11:34 . 2008-03-22 19:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-22 11:34 . 2008-03-22 19:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-22 11:34 . 2008-03-22 19:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-20 19:18 . 2008-03-20 19:18 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-19 18:10 . 2008-03-19 18:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-19 18:10 . 2008-03-19 18:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-11 14:30 . 2008-03-11 14:30 <DIR> d-------- C:\Program Files\QuickTime
2008-03-11 14:21 . 2008-03-11 14:24 <DIR> d-------- C:\Program Files\SecondLife
2008-03-11 14:21 . 2008-03-11 14:22 <DIR> d-------- C:\Documents and Settings\viosanacasa\Application Data\SecondLife
2008-03-10 18:35 . 2008-03-22 20:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 03:11 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-03-24 22:35 --------- d-----w C:\Documents and Settings\viosanacasa\Application Data\CoreFtp
2008-03-23 04:14 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-03-11 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-11 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-09 01:21 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-03-07 03:02 85,520 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-02-18 19:36 --------- d-----w C:\Program Files\Lavasoft
2008-02-18 19:36 --------- d-----w C:\Documents and Settings\viosanacasa\Application Data\Lavasoft
2008-02-18 18:28 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-07 00:45 --------- d-----w C:\Program Files\Final Draft 7
2008-02-07 00:45 --------- d-----w C:\Documents and Settings\viosanacasa\Application Data\Final Draft
2008-02-07 00:41 --------- d-----w C:\Program Files\Final Draft Tagger
2008-02-07 00:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Final Draft
2007-12-26 02:25 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 04:44 36864]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-03-06 19:01 360448]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 01:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2006-07-13 07:12 729088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 01:22 7618560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-10 18:28:19 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
AVerQuick.lnk - C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2007-11-05 14:33:00 618496]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-12-26 17:46:28 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-01 01:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 01:22 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 07:12 729088 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-12-18 05:34 868352 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 AVerFC2;AVerMedia AFII PCI Analog TV;C:\WINDOWS\system32\drivers\AF2VCap.sys [2007-07-05 22:03]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-03-06 19:02]
S3 wampapache;wampapache;"c:\Wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\Wamp\mysql\bin\mysqld-nt.exe [2007-07-06 12:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 01:50:45 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 19:15:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
Completion time: 2008-03-25 19:16:03
ComboFix-quarantined-files.txt 2008-03-26 03:16:01



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:51 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINCMD5\WINCMD32.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
E:\Arhive\Utilitare\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AVerQuick.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444379354000} -
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: wampapache - Apache Software Foundation - c:\Wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\Wamp\mysql\bin\mysqld-nt.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6066 bytes
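The ComboFix output above is plain text, but its "Reg Loading Points" section is close to REGEDIT4 export format, and a few of its lines carry the security-relevant state of this machine: `"EnableFirewall"= 0` under the standard profile means the Windows Firewall is off (the BitDefender firewall driver bdfndisf.sys is loaded, which may be why), the AuthorizedApplications list shows what has been allowed through it, the `msconfig\startupreg` keys hold Run entries that were disabled from msconfig rather than removed, and the `svchost` key lists service groups beyond the defaults that ComboFix hides. Below is an added example for this thread, not ComboFix's code and not anything posted by either participant, that parses those blocks and pulls out the checks a responder would make. The sample is copied from the posted log (with the key name the forum wrapped as "Auth orizedApplications" rejoined); the `bdx` group is reported only as non-default, since the log by itself does not establish which product registered it.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and apply checks.

Added example for this thread; not ComboFix code. The section is close to
REGEDIT4 export format: [key] headers followed by "name"=value lines, plus
ComboFix's own annotations (a bare 'group REG_MULTI_SZ services' line under
the svchost key, and 'attrs date time size path' lines under
msconfig\\startupreg).
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=\s*(.*)$')
MULTI_SZ_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
# e.g. '--a------ 2006-06-01 01:22 1519616 C:\WINDOWS\system32\nwiz.exe'
STARTUPREG_RE = re.compile(r"^\S+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\d+\s+(.+)$")

# Keys are compared lowercased, exactly as ComboFix prints them.
FIREWALL_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
AUTHORIZED_KEY = FIREWALL_KEY + r"\authorizedapplications\list"
SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
STARTUPREG_MARK = "\\msconfig\\startupreg\\"

# Sample copied from the posted log (wrapped key name rejoined).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-03-06 19:01 360448]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 01:22 1519616 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
"""


def parse_reg_points(text):
    """Return {key (lowercased): {name: value}} for every block in the section."""
    reg = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
            reg.setdefault(key, {})
        elif key is None or not line:
            continue
        elif m := VALUE_RE.match(line):
            reg[key][m.group(1)] = m.group(2).strip()
        elif m := MULTI_SZ_RE.match(line):
            reg[key][m.group(1)] = m.group(2).strip()
        elif m := STARTUPREG_RE.match(line):
            reg[key]["image"] = m.group(1).strip()
    return reg


def firewall_enabled(reg):
    """True/False from the standard profile's EnableFirewall; None if absent."""
    value = reg.get(FIREWALL_KEY, {}).get("EnableFirewall")
    if value is None:
        return None
    return value.split()[0] != "0"


def authorized_apps(reg):
    """Programs allowed through the Windows Firewall (REGEDIT4 doubles backslashes)."""
    return [name.replace("\\\\", "\\") for name in reg.get(AUTHORIZED_KEY, {})]


def svchost_groups(reg):
    """Non-default svchost service groups: group name -> services it hosts."""
    return dict(reg.get(SVCHOST_KEY, {}))


def disabled_startup_items(reg):
    """Run entries parked by msconfig (still on disk): item name -> image path."""
    return {key.rsplit("\\", 1)[1]: values["image"]
            for key, values in reg.items()
            if STARTUPREG_MARK in key and "image" in values}


def run_entries(reg):
    """HKLM Run entries: name -> command, without ComboFix's trailing [date size]."""
    return {name: value.split(" [", 1)[0].strip('"')
            for name, value in reg.get(RUN_KEY, {}).items()}


def findings(text):
    """The short list a responder reads first."""
    reg = parse_reg_points(text)
    out = []
    if firewall_enabled(reg) is False:
        out.append("Windows Firewall is disabled for the standard profile")
    out += [f"firewall exception: {app}" for app in authorized_apps(reg)]
    out += [f"non-default svchost group {g!r} hosting: {s}" for g, s in svchost_groups(reg).items()]
    out += [f"startup item disabled via msconfig: {n} -> {p}" for n, p in disabled_startup_items(reg).items()]
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

On the posted log this reports the disabled firewall, the three Yahoo and Messenger exceptions, the `bdx` group and the msconfig-parked nwiz entry. Non-default svchost groups deserve the same scrutiny as unknown services, because a group name plus a ServiceDll is all a persistence mechanism needs to run inside a genuine svchost.exe, which is exactly the process name the poster's scvhoost.exe was imitating.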
Cookiegal
Administrator with 49,625 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
25-Mar-2008, 04:02 PM #4
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Please post the results from the SuperAntiSpyware and Panda scans along with a new HijackThis log.
stardust7178
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
25-Mar-2008, 05:49 PM #5
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/25/2008 at 10:58 PM

Application Version : 4.0.1154

Core Rules Database Version : 3424
Trace Rules Database Version: 1416

Scan type : Complete Scan
Total Scan Time : 00:33:12

Memory items scanned : 387
Memory threats detected : 0
Registry items scanned : 5055
Registry threats detected : 0
File items scanned : 21991
File threats detected : 43

Adware.Tracking Cookie
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@gettyimages.122.2o7[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@ads.techguy[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@showit[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@adinterax[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@weborama[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@mediafire[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@2o7[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@bs.serving-sys[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@tacoda[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@richmedia.yahoo[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@linkto.mediafire[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@silo.thefind[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@stats.searchtrack[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@smartadserver[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@serving-sys[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@adbrite[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@stats.francais-volants[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@estat[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@please[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@partner2profit[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@ads.pointroll[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@ad.yieldmanager[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@revsci[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@adopt.euroclick[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@list[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@atwola[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@tribalfusion[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@ads.softure[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@112.2o7[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@yadro[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@sales.liveperson[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@rm.yieldmanager[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@tizer.mediarotator[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@overture[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@7046965[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@www.countertracker[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@thefind[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@questionmarket[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@adsense[4].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@adsense[1].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@adsense[2].txt
C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@adinterax[1].txt



Panda Online Scan Log
-------------------------------
Incident Status Location

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[server.iad.liveperson.net/hc/19452074]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.com.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.adserver.easyad.info/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.adtech.de/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.go.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.gostats.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Smartadserver Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.smartadserver.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\viosanacasa\Application Data\Mozilla\Firefox\Profiles\cog1g9l3.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\viosanacasa\Cookies\viosanacasa@go[1].txt
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\viosanacasa\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:54 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINCMD5\WINCMD32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
E:\Arhive\Utilitare\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AVerQuick.lnk = C:\Program Files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444379354000} -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: wampapache - Apache Software Foundation - c:\Wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\Wamp\mysql\bin\mysqld-nt.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 6573 bytes
Cookiegal's Avatar
Administrator with 49,625 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
25-Mar-2008, 07:14 PM #6
Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444379354000} -
How are things now?
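As an added example that is not part of the original thread and not HijackThis's own code: a small Python triage helper that reads HijackThis log lines and flags the kind of entries picked out above, O2 BHO entries whose target is "(no file)" and O16 DPF entries with no download path. The sample lines are copied from the log posted earlier in the thread; the regexes, the `Entry` class and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# so the result can be checked against the three entries the helper picked out.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444379354000} -
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Entry:
    section: str           # "O2", "O16", ...
    clsid: Optional[str]   # braced CLSID if the line carries one
    target: str            # text after the last " - "; "" when absent
    raw: str

def parse_entry(line: str) -> Optional[Entry]:
    """Split one HijackThis 'Oxx - ...' line into section, CLSID and target."""
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if body.endswith(" -"):            # bare trailing dash: no target at all
        body, target = body[:-2], ""
    elif " - " in body:
        body, target = body.rsplit(" - ", 1)
    else:
        target = ""                    # O4/R0-style lines have no " - " target
    clsid = CLSID_RE.search(body)
    return Entry(section, clsid.group(0) if clsid else None, target.strip(), line)

def dangling_entries(log_text: str, sections=("O2", "O16")) -> List[Entry]:
    """Entries in the given sections whose target is empty or '(no file)': orphaned
    registrations that are safe to fix and typical residue of a partial cleanup."""
    found = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e.section in sections and e.target in ("", "(no file)"):
            found.append(e)
    return found
```

A flagged entry only means the registration points nowhere; it is housekeeping, not on its own evidence of an active infection.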
stardust7178's Avatar
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
26-Mar-2008, 11:32 AM #7
OK, I fixed those entries. It seems to be working better and there have been no more antivirus alerts since running ComboFix. I'll give it a couple more days to make sure, since I haven't been on the computer much the past two days.

I noticed something though: all folders in the BitDefender directory are packed with tmp files of size 0. I don't think it's normal and it didn't let me delete them. Any suggestion?
Cookiegal's Avatar
Administrator with 49,625 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
26-Mar-2008, 06:49 PM #8
What are the names of the folders in the BitDefender directory?
stardust7178's Avatar
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
27-Mar-2008, 03:30 AM #9
BitDefender 2008
BitDefender 2008/_roHTML
BitDefender 2008/as2core
BitDefender 2008/as2core/antispam_sig_10192
BitDefender 2008/as2core/antispam_sig_10193
BitDefender 2008/Firewall
BitDefender 2008/Firewall/Profiles
BitDefender 2008/Firewall/Res
BitDefender 2008/Ini
BitDefender 2008/Ini/Default
BitDefender 2008/Lang
BitDefender 2008/Nag/Close2Exp
BitDefender 2008/Nag/Expired
BitDefender 2008/Nag/Invalid
BitDefender 2008/Nag/Trial
BitDefender 2008/pic
BitDefender 2008/Rom
BitDefender 2008/Script
BitDefender 2008/Skin/Default
BitDefender 2008/Survey
BitDefender 2008/tbextension
BitDefender 2008/tbextension/content
BitDefender 2008/tbextension/locale/en-US
BitDefender 2008/Themes/Default/images

Most of the tmp files seem to have been created on 25 March, and they are in every folder that also contains other files.
Cookiegal's Avatar
Administrator with 49,625 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
27-Mar-2008, 07:16 PM #10
Can you give me the names of some of the temp files please?
stardust7178's Avatar
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
28-Mar-2008, 02:42 AM #11
101, 102, 103, ... A7, A8, ... E0F, EF9, ... It seems to be just about any combination of digits and letters from A to F no longer than 3 characters; only a few file names are 4 characters long.
Cookiegal's Avatar
Administrator with 49,625 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
28-Mar-2008, 07:55 PM #12
Can you uninstall BitDefender and reinstall it?
stardust7178's Avatar
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
31-Mar-2008, 02:34 AM #13
Yes, I can, but I would prefer not to have to do that. Isn't there an easier way?
Cookiegal's Avatar
Administrator with 49,625 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
31-Mar-2008, 01:59 PM #14
I don't know what these tmp files are. Some programs create tmp files when scanning so that may be the case. Uninstalling and reinstalling would eliminate them and then you could see if they get recreated.

Otherwise, try deleting them all in safe mode.
stardust7178's Avatar
Junior Member with 8 posts.
 
Join Date: Mar 2008
Experience: Intermediate
04-Apr-2008, 02:33 AM #15
Ok, I'll try that. Thanks a lot for helping so far.