Solved: Very Confused - Virus Problem (New)
lynx560 (Junior Member, joined Oct 2007), 25-Mar-2008, 09:56 AM #1
Solved: Very Confused - Virus Problem
I am running ESET NOD32 v.2.70.39.0. It is auto-updated.

As of 3/2/2008 it has been popping up intermittently with many different viruses. While they are all quarantined &/or deleted (a good thing), I really need to know how to get rid of the source of all these. When I run the virus scanner, it doesn't find anything, and when I run Spybot & Adaware they don't find anything either.

The list of the viruses/adware shown by NOD32 includes:
snapsnet[1].exe
rasesnet[1].exe
rasesnet.exe
yazzsnet[1].exe
yazzsnet.exe
17PHolmes[1].cmt
17PHolmes572.exe
mrofinu572.exe
A0011955.exe
Spy.Agent.NBQ
PowerReg
A0012011.exe
xxyxust.dll
removalfile.bat
A0000571.exe
css4[1]
pmnlk.dll
ddayx.dll
ssttr.dll
jkklj.dll

I will post the complete log file if needed.

I also have HijackThis & will post that log if requested.

Please help!!!
cybertech (Moderator, Washington State, joined Apr 2002), 25-Mar-2008, 06:18 PM #2
Please post the HijackThis log and make sure you have the current version:

http://www.trendsecure.com/portal/en...HJTInstall.exe
lynx560 (Junior Member, joined Oct 2007), 25-Mar-2008, 07:06 PM #3
Ty
Thank you for your reply.

Just to let you know, I have tried to remove this problem but only had limited success. Now I am only getting the "css4[1]" (full info: C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\3C58LDCM\css4[1] - Win32/Adware.Virtumonde application) followed by differently named .dll files (new ones include vtutu.dll, mllhj.dll, awtsr.dll, ddabb.dll, awvtu.dll, & jkklj.dll). I have wiped my IE (& Firefox) cache using CCleaner but it keeps coming back.

Here is my Trend Micro HijackThis v2.0.2 log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:11 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\hzrController.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Hazard Shield\Realtime.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HJ_This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\iifcyxx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Hazard Shield] "C:\Program Files\Hazard Shield\Realtime.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://pogoclub.oberon-media.com/onl...jolauncher.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://clubgames.pogo.com/online2/po...esLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: iifcyxx - C:\WINDOWS\SYSTEM32\iifcyxx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: HazardShield - Unknown owner - C:\WINDOWS\system32\hzrController.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8347 bytes


The file iifcyxx.dll (O20 - Winlogon Notify: iifcyxx - C:\WINDOWS\SYSTEM32\iifcyxx.dll) is listed in my IE add-ons as a BHO & I have disabled it, but cannot delete/fix it with HijackThis.

Thank you for your time,
Lynx560
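The two entries the poster could not fix (an unnamed O2 BHO and an O20 Winlogon Notify entry, both pointing at a random-looking DLL in system32) are the classic Virtumonde pattern in a HijackThis log. The following Python triage script is an added example, not code from the thread or from HijackThis; the sample log lines are constructed from the post above, and the KNOWN_NOTIFY allowlist is an illustrative assumption, not a complete list.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format, modelled on the log in the
# post above: the two iifcyxx.dll entries are the ones the poster could not
# fix; the Spybot and NOD32 lines are benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\iifcyxx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: iifcyxx - C:\WINDOWS\SYSTEM32\iifcyxx.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Assumption: an illustrative, deliberately short allowlist of Winlogon Notify
# packages that ship with Windows XP or common display drivers. Not exhaustive.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "atiextevent"}


def parse_hjt(text):
    """Return the O2 (BHO) and O20 (Winlogon Notify) entries of an HJT log."""
    entries = []
    for line in text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "name": m["name"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m["key"], "path": m["path"]})
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def looks_random(stem):
    """Weak heuristic for Virtumonde-style names (iifcyxx, mllhj, awtsr, ...):
    5-8 lowercase letters with few vowels or a long consonant run. It only
    ever adds a reason to a file that another rule already flagged."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowel_ratio = sum(c in "aeiou" for c in stem) / len(stem)
    longest_run = max(map(len, re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio <= 0.3 or longest_run >= 3


def triage(text):
    """Map suspicious DLL basename -> {'severity', 'reasons'}."""
    seen = defaultdict(lambda: {"sections": set(), "reasons": []})
    for e in parse_hjt(text):
        base = basename(e["path"])
        stem = base.rsplit(".", 1)[0]
        if e["section"] == "O2" and e["name"] == "(no name)" and in_system32(e["path"]):
            seen[base]["sections"].add("O2")
            seen[base]["reasons"].append("unnamed BHO loaded from system32")
        elif e["section"] == "O20" and in_system32(e["path"]) and stem not in KNOWN_NOTIFY:
            seen[base]["sections"].add("O20")
            # A Winlogon Notify DLL is loaded into winlogon.exe at boot, so the
            # file is normally in use and a plain HJT "fix" from a running
            # session does not get rid of it; that is why it kept coming back.
            seen[base]["reasons"].append("unknown Winlogon Notify DLL in system32")
    result = {}
    for base, info in seen.items():
        if looks_random(base.rsplit(".", 1)[0]):
            info["reasons"].append("random-looking filename")
        # The same DLL registered as both a BHO and a Winlogon Notify package
        # is the strongest signal in this log format.
        both = {"O2", "O20"} <= info["sections"]
        result[base] = {"severity": "high" if both else "medium", "reasons": info["reasons"]}
    return result


if __name__ == "__main__":
    for dll, info in triage(SAMPLE_LOG).items():
        print(f"{dll}: {info['severity']} - {'; '.join(info['reasons'])}")
```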
cybertech (Moderator, Washington State, joined Apr 2002), 26-Mar-2008, 06:17 PM #4
Please visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
lynx560 (Junior Member, joined Oct 2007), 27-Mar-2008, 08:45 AM #5
Omg!!!
To put it delicately, I had quite a scare these past few hours. I visited the web page you recommended, read it & downloaded Combofix. I also installed the Recovery Console as directed by the web site. I rebooted to check that the console had properly installed. I got the proper screen & proceeded to load normal Windows. When it got to the desktop, I started having a major problem. All my icons and the task bar both started flashing off & on and then finally disappeared altogether. I tried to shut off my virus scanner & malware apps but it never gave me the time. I tried to reboot & use the Rec Console to boot to Safe Mode, but the same flashing happened. I rebooted to normal & after a few tries, got into msconfig, where I shut down the virus scanner (as instructed for Combofix). When the computer rebooted, it still flashed but I was able to run Combofix. After rebooting, the flashing stopped (Thank God!!!).
That's where I am now. I will now post my Combofix log & my HJT log.
lynx560 (Junior Member, joined Oct 2007), 27-Mar-2008, 08:56 AM #6
Combofix log
Please note that one of the files deleted (iifcyxx.dll) also resides in a .zip file located at C:\WINDOWS\system32\ as noted in the log (5th one down in the Files Created section).
Here is the log.

ComboFix 08-03-25.4 - Dad 2008-03-27 4:59:23.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.699 [GMT -7:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awtqq.dll
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\geebc.dll
C:\WINDOWS\system32\iifcyxx.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 04:39 . 2007-09-12 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-27 04:39 . 2006-05-03 20:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-03-26 04:48 . 2008-03-26 04:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-26 04:48 . 2008-03-26 04:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 04:21 . 2008-03-25 04:21 28,295 --a------ C:\WINDOWS\system32\iifcyxx.zip
2008-03-25 03:53 . 2008-03-26 05:05 <DIR> d-------- C:\Program Files\HJ_This
2008-03-24 04:47 . 2008-03-24 04:48 <DIR> d-------- C:\Program Files\Nirsoft
2008-03-24 03:22 . 2008-03-24 03:22 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-03-24 03:22 . 2008-03-24 03:50 <DIR> d-------- C:\Documents and Settings\Dad\SecurityScans
2008-03-23 09:07 . 2008-03-23 09:08 <DIR> d-------- C:\WINDOWS\$regcmp$
2008-03-23 09:05 . 2008-03-23 09:05 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-03-21 05:16 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-20 01:33 . 2008-03-20 01:34 <DIR> d-------- C:\Documents and Settings\Mom & Dad\Application Data\Orbit
2008-03-16 20:37 . 2008-03-16 20:47 <DIR> d-------- C:\Program Files\WhatsRunning
2008-03-16 09:11 . 2008-03-16 09:11 <DIR> d-------- C:\WINDOWS\DLLArchive
2008-03-16 05:46 . 2008-03-22 05:14 <DIR> d-------- C:\Orbit Downloads
2008-03-16 05:42 . 2008-03-16 05:42 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-03-16 05:42 . 2008-03-22 08:41 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Orbit
2008-03-15 08:15 . 2008-03-15 08:15 <DIR> d-------- C:\Program Files\AnalogX
2008-03-15 06:14 . 2008-03-15 06:15 <DIR> d-------- C:\Program Files\Mp3Trim
2008-03-10 05:02 . 2008-03-15 19:58 36 --a------ C:\WINDOWS\mafosav.INI
2008-03-10 04:53 . 2008-03-10 04:54 <DIR> d-------- C:\Program Files\Mario Forever
2008-03-04 14:59 . 2008-03-04 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-03-04 14:55 . 2008-03-04 14:55 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-03-04 14:55 . 2008-03-04 14:55 <DIR> d-------- C:\Program Files\Acronis
2008-03-04 14:55 . 2008-03-04 14:55 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-03-04 14:55 . 2008-03-04 14:55 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-03-04 14:55 . 2008-03-04 14:55 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-03-04 02:47 . 2004-08-04 03:00 250,032 --a------ C:\NTLDR
2008-03-04 01:09 . 2008-03-04 02:46 <DIR> d-------- C:\fixwareout
2008-03-03 05:21 . 2008-03-03 05:09 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-03 05:21 . 2008-03-03 05:21 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-03 04:36 . 2008-03-03 04:36 <DIR> d-------- C:\Documents and Settings\Mom & Dad\Application Data\Webroot
2008-03-03 03:35 . 2008-03-03 04:29 <DIR> d-------- C:\Documents and Settings\Mom & Dad\.housecall6.6
2008-03-02 08:49 . 2008-03-02 09:33 <DIR> d-------- C:\Program Files\ImageDupeless
2008-02-29 07:22 . 2008-02-29 07:39 <DIR> d-------- C:\Documents and Settings\Dad\Anniv Trip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 11:52 --------- d-----w C:\Program Files\Hazard Shield
2008-03-27 11:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 22:57 --------- d-----w C:\Documents and Settings\Dad\Application Data\CaribbeanHideaway
2008-03-26 19:27 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-26 15:41 --------- d-----w C:\Documents and Settings\Mom & Dad\Application Data\CaribbeanHideaway
2008-03-26 00:00 --------- d-----w C:\Program Files\Zoom Player
2008-03-23 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2008-03-21 13:00 --------- d-----w C:\Program Files\Spider
2008-03-21 12:48 --------- d-----w C:\Program Files\Webroot
2008-03-21 12:48 --------- d-----w C:\Documents and Settings\Dad\Application Data\Webroot
2008-03-21 12:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-15 15:24 --------- d-----w C:\Program Files\QuickTime
2008-03-15 15:24 --------- d-----w C:\Program Files\PokerStars
2008-03-15 15:24 --------- d-----w C:\Program Files\Modem Helper
2008-03-15 15:21 --------- d-----w C:\Program Files\Empty Folder Nuker
2008-03-15 15:21 --------- d-----w C:\Program Files\DivX
2008-03-15 15:21 --------- d-----w C:\Program Files\Dell
2008-03-15 15:21 --------- d-----w C:\Program Files\(E)lephant
2008-03-15 03:31 --------- d-----w C:\Program Files\Proxyrama
2008-03-14 11:24 --------- d-----w C:\Program Files\Atomic Clock Sync
2008-03-09 13:53 --------- d-----w C:\Program Files\Winamp
2008-03-06 17:19 --------- d-----w C:\Program Files\Oberon Media
2008-03-04 04:09 --------- d-----w C:\Program Files\GetRight
2008-03-04 03:12 --------- d-----w C:\Program Files\GenoPro
2008-03-03 12:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 10:46 --------- d-----w C:\Program Files\ESET
2008-02-24 16:50 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2008-02-23 17:49 --------- d-----w C:\Program Files\iTunes
2008-02-23 17:49 --------- d-----w C:\Program Files\iPod
2008-02-21 12:32 --------- d-----w C:\Program Files\LopeSoft
2008-02-19 18:46 --------- d-----w C:\Program Files\Caribbean Hideaway
2008-02-19 17:07 --------- d-----w C:\Program Files\CCleaner
2008-02-18 13:06 --------- d-----w C:\Program Files\Lavalys
2008-02-18 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-02-17 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-13 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-02-13 15:50 --------- d-----w C:\Program Files\My Drivers
2008-02-12 14:36 --------- d-----w C:\Documents and Settings\Dad\Application Data\FDRLab
2008-02-12 14:35 --------- d-----w C:\Program Files\FDRLab
2008-02-12 05:20 --------- d-----w C:\Documents and Settings\Mom & Dad\Application Data\Pogo Games
2008-02-12 04:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 15:27 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-05 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-02-03 09:23 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-02-03 08:51 --------- d-----w C:\Documents and Settings\Dad\Application Data\Ahead
2008-01-28 14:23 --------- d-----w C:\Program Files\MFInstall
2008-01-28 03:45 --------- d-----w C:\Program Files\HCC Lite
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="C:\Program Files\Volumouse\volumouse.exe" [2006-01-06 19:52 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-30 21:05 344064]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Hazard Shield"="C:\Program Files\Hazard Shield\Realtime.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-16 19:45 1169776]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-16 19:57 1945960]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-16 19:49 149024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atomic.exe]
--a------ 2004-06-17 10:46 524288 C:\Program Files\Atomic Clock Sync\Atomic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-12 18:53 1055792 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 08:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 14:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
--a------ 2007-12-08 04:56 949376 C:\Program Files\Eset\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a--c--- 2007-03-12 18:54 1626160 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"InCDsrv"=2 (0x2)
"Fax"=2 (0x2)
"Diskeeper"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Proxyrama\\Proxyrama.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 16:19]
R1 HazardShield;HazardShield;C:\WINDOWS\system32\hzrController.exe [2008-02-12 07:26]
R1 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 15:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 13:12:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{56C50D45-EFC1-4839-92CA-C6A1E5D946F1}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 05:07:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
.
**************************************************************************
.
Completion time: 2008-03-27 5:09:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 12:09:23
ComboFix2.txt 2008-01-31 13:19:06
.
2008-03-13 10:05:43 --- E O F ---
lynx560 (Junior Member, joined Oct 2007), 27-Mar-2008, 09:00 AM #7
HJT log
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:16 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\hzrController.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJ_This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Hazard Shield] "C:\Program Files\Hazard Shield\Realtime.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://pogoclub.oberon-media.com/onl...jolauncher.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://clubgames.pogo.com/online2/po...esLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: HazardShield - Unknown owner - C:\WINDOWS\system32\hzrController.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8046 bytes



Thank you very much for your time & patience
Moderator with 68,811 posts.
 
Join Date: Apr 2002
Location: Washington State
27-Mar-2008, 01:49 PM #8
Open Notepad and copy and paste the text in the quote box below into it:
Quote:
File::
C:\WINDOWS\system32\iifcyxx.zip

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 update 5.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
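The Add/Remove Programs step above asks you to find every older Java entry by hand. The following is an added read-only check, not part of cybertech's post or of any Java tooling: it reads the same Uninstall registry keys that Add/Remove Programs lists, collects the entries whose names start with "Java" or "J2SE" (an assumption about how Sun names its packages), and flags each one older than the newest version installed. Hypothetical function names (Convert-JavaVersion, Get-JavaInstall) are my own.

```powershell
# Added example, not from the thread: inventory the Java Runtime Environment entries
# that Add/Remove Programs shows and flag every one older than the newest installed.
# Read-only: it removes nothing. Assumptions: entry names start with "Java" or "J2SE"
# and DisplayVersion looks like "1.4.2_03" or "1.6.0.50".

function Convert-JavaVersion {
    param([string]$Text)
    # "1.4.2_03" -> 1.4.2.3 ; "1.6.0.50" is already a dotted version.
    # Returns $null when the string cannot be parsed as a version.
    $clean = ($Text -replace '_', '.') -replace '[^0-9.]', ''
    try { return [version]$clean } catch { return $null }
}

function Get-JavaInstall {
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    $found = @()
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }   # Wow6432Node exists on 64-bit only
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            if ($p.DisplayName -notmatch '^(Java|J2SE)') { continue }
            $v = Convert-JavaVersion $p.DisplayVersion
            if ($v -eq $null) { continue }         # entry without a usable version
            $found += New-Object PSObject -Property @{
                Name      = $p.DisplayName
                Version   = $v
                Uninstall = $p.UninstallString     # what Add/Remove Programs would run
            }
        }
    }
    return $found
}

$installs = @(Get-JavaInstall | Sort-Object Version -Descending)
if ($installs.Count -eq 0) { Write-Output 'No Java runtime entries found.'; exit }

# Everything older than the newest entry is what the steps above say to remove.
$newest = $installs[0].Version
foreach ($i in $installs) {
    $flag = if ($i.Version -lt $newest) { 'REMOVE (older)' } else { 'keep (newest)' }
    Write-Output ('{0,-16} {1,-12} {2}' -f $flag, $i.Version, $i.Name)
}
```

Run it from an administrator prompt before and after the uninstall round; a clean result lists a single "keep (newest)" line.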
__________________
Microsoft MVP/Windows - Consumer Security
Junior Member with 16 posts.
 
Join Date: Oct 2007
Experience: Intermediate
27-Mar-2008, 07:59 PM #9
Ok...
It seems the file C:\WINDOWS\system32\iifcyxx.zip has been deleted & I also updated Java.
Here is my CF log:

ComboFix 08-03-25.4 - Dad 2008-03-27 16:42:53.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.677 [GMT -7:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\iifcyxx.zip
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\iifcyxx.zip

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 16:37 . 2008-03-27 16:37 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-27 16:37 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-27 04:39 . 2007-09-12 15:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-27 04:39 . 2006-05-03 20:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
2008-03-26 04:48 . 2008-03-26 04:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-26 04:48 . 2008-03-26 04:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-25 03:53 . 2008-03-27 05:22 <DIR> d-------- C:\Program Files\HJ_This
2008-03-24 04:47 . 2008-03-24 04:48 <DIR> d-------- C:\Program Files\Nirsoft
2008-03-24 03:22 . 2008-03-24 03:22 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-03-24 03:22 . 2008-03-24 03:50 <DIR> d-------- C:\Documents and Settings\Dad\SecurityScans
2008-03-23 09:07 . 2008-03-23 09:08 <DIR> d-------- C:\WINDOWS\$regcmp$
2008-03-23 09:05 . 2008-03-23 09:05 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-03-21 05:16 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-03-20 01:33 . 2008-03-20 01:34 <DIR> d-------- C:\Documents and Settings\Mom & Dad\Application Data\Orbit
2008-03-16 20:37 . 2008-03-16 20:47 <DIR> d-------- C:\Program Files\WhatsRunning
2008-03-16 09:11 . 2008-03-16 09:11 <DIR> d-------- C:\WINDOWS\DLLArchive
2008-03-16 05:46 . 2008-03-27 06:21 <DIR> d-------- C:\Orbit Downloads
2008-03-16 05:42 . 2008-03-16 05:42 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-03-16 05:42 . 2008-03-27 06:23 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Orbit
2008-03-15 08:15 . 2008-03-15 08:15 <DIR> d-------- C:\Program Files\AnalogX
2008-03-15 06:14 . 2008-03-15 06:15 <DIR> d-------- C:\Program Files\Mp3Trim
2008-03-10 05:02 . 2008-03-15 19:58 36 --a------ C:\WINDOWS\mafosav.INI
2008-03-10 04:53 . 2008-03-10 04:54 <DIR> d-------- C:\Program Files\Mario Forever
2008-03-04 14:59 . 2008-03-04 14:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-03-04 14:55 . 2008-03-04 14:55 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-03-04 14:55 . 2008-03-04 14:55 <DIR> d-------- C:\Program Files\Acronis
2008-03-04 14:55 . 2008-03-04 14:55 392,320 --a------ C:\WINDOWS\system32\drivers\timntr.sys
2008-03-04 14:55 . 2008-03-04 14:55 114,048 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-03-04 14:55 . 2008-03-04 14:55 32,768 --a------ C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-03-04 02:47 . 2004-08-04 03:00 250,032 --a------ C:\NTLDR
2008-03-04 01:09 . 2008-03-04 02:46 <DIR> d-------- C:\fixwareout
2008-03-03 05:21 . 2008-03-03 05:09 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-03 05:21 . 2008-03-03 05:21 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-03 04:36 . 2008-03-03 04:36 <DIR> d-------- C:\Documents and Settings\Mom & Dad\Application Data\Webroot
2008-03-03 03:35 . 2008-03-03 04:29 <DIR> d-------- C:\Documents and Settings\Mom & Dad\.housecall6.6
2008-03-02 08:49 . 2008-03-02 09:33 <DIR> d-------- C:\Program Files\ImageDupeless
2008-02-29 07:22 . 2008-02-29 07:39 <DIR> d-------- C:\Documents and Settings\Dad\Anniv Trip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 23:37 --------- d-----w C:\Program Files\Java
2008-03-27 13:49 --------- d-----w C:\Documents and Settings\Dad\Application Data\CaribbeanHideaway
2008-03-27 11:52 --------- d-----w C:\Program Files\Hazard Shield
2008-03-27 11:51 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-27 11:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 19:27 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-26 15:41 --------- d-----w C:\Documents and Settings\Mom & Dad\Application Data\CaribbeanHideaway
2008-03-26 00:00 --------- d-----w C:\Program Files\Zoom Player
2008-03-23 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\RFA_Backups
2008-03-21 13:00 --------- d-----w C:\Program Files\Spider
2008-03-21 12:48 --------- d-----w C:\Program Files\Webroot
2008-03-21 12:48 --------- d-----w C:\Documents and Settings\Dad\Application Data\Webroot
2008-03-21 12:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-03-15 15:24 --------- d-----w C:\Program Files\QuickTime
2008-03-15 15:24 --------- d-----w C:\Program Files\PokerStars
2008-03-15 15:24 --------- d-----w C:\Program Files\Modem Helper
2008-03-15 15:21 --------- d-----w C:\Program Files\Empty Folder Nuker
2008-03-15 15:21 --------- d-----w C:\Program Files\DivX
2008-03-15 15:21 --------- d-----w C:\Program Files\Dell
2008-03-15 15:21 --------- d-----w C:\Program Files\(E)lephant
2008-03-15 03:31 --------- d-----w C:\Program Files\Proxyrama
2008-03-14 11:24 --------- d-----w C:\Program Files\Atomic Clock Sync
2008-03-09 13:53 --------- d-----w C:\Program Files\Winamp
2008-03-06 17:19 --------- d-----w C:\Program Files\Oberon Media
2008-03-04 04:09 --------- d-----w C:\Program Files\GetRight
2008-03-04 03:12 --------- d-----w C:\Program Files\GenoPro
2008-03-03 12:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 10:46 --------- d-----w C:\Program Files\ESET
2008-02-24 16:50 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2008-02-23 17:49 --------- d-----w C:\Program Files\iTunes
2008-02-23 17:49 --------- d-----w C:\Program Files\iPod
2008-02-21 12:32 --------- d-----w C:\Program Files\LopeSoft
2008-02-19 18:46 --------- d-----w C:\Program Files\Caribbean Hideaway
2008-02-19 17:07 --------- d-----w C:\Program Files\CCleaner
2008-02-18 13:06 --------- d-----w C:\Program Files\Lavalys
2008-02-18 08:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2008-02-17 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-13 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-02-13 15:50 --------- d-----w C:\Program Files\My Drivers
2008-02-12 14:36 --------- d-----w C:\Documents and Settings\Dad\Application Data\FDRLab
2008-02-12 14:35 --------- d-----w C:\Program Files\FDRLab
2008-02-12 05:20 --------- d-----w C:\Documents and Settings\Mom & Dad\Application Data\Pogo Games
2008-02-12 04:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-05 15:27 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-05 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2008-02-03 09:23 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-02-03 08:51 --------- d-----w C:\Documents and Settings\Dad\Application Data\Ahead
2008-01-28 14:23 --------- d-----w C:\Program Files\MFInstall
2008-01-28 03:45 --------- d-----w C:\Program Files\HCC Lite
.

((((((((((((((((((((((((((((( snapshot@2008-03-27_ 5.09.10.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-11-19 21:36:26 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 08:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2003-11-19 21:36:30 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 08:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 09:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-27 23:46:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_74c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="C:\Program Files\Volumouse\volumouse.exe" [2006-01-06 19:52 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42 1404928]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-30 21:05 344064]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 02:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-08 04:56 949376]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Atomic.exe"="C:\Program Files\Atomic Clock Sync\Atomic.exe" [2004-06-17 10:46 524288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 19:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 19:57 1945960 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hazard Shield]
C:\Program Files\Hazard Shield\Realtime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-03-12 18:53 1055792 C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 08:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a--c--- 2007-03-12 18:54 1626160 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 19:45 1169776 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RasMan"=3 (0x3)
"InCDsrv"=2 (0x2)
"Fax"=2 (0x2)
"Diskeeper"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Proxyrama\\Proxyrama.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R1 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 16:19]
R1 HazardShield;HazardShield;C:\WINDOWS\system32\hzrController.exe [2008-02-12 07:26]
R1 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 15:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 13:12:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{56C50D45-EFC1-4839-92CA-C6A1E5D946F1}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 16:46:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-27 16:49:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 23:49:16
ComboFix2.txt 2008-03-27 23:14:24
ComboFix3.txt 2008-03-27 12:09:28
ComboFix4.txt 2008-01-31 13:19:06
.
2008-03-13 10:05:43 --- E O F ---
Junior Member with 16 posts.
 
Join Date: Oct 2007
Experience: Intermediate
27-Mar-2008, 08:00 PM #10
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:47 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\hzrController.exe
C:\WINDOWS\system32\hzrService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HJ_This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://pogoclub.oberon-media.com/onl...jolauncher.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://clubgames.pogo.com/online2/po...esLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: HazardShield - Unknown owner - C:\WINDOWS\system32\hzrController.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8091 bytes
Moderator with 68,811 posts.
 
Join Date: Apr 2002
Location: Washington State
28-Mar-2008, 10:12 AM #11
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive and all other fixed drives.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.


Please perform a scan with Kaspersky Webscan Online Virus Scanner
  • Read the Requirements and Privacy statement, then select "Accept".
  • A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
  • Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
  • When the download is complete it will say ready, click "Next".
  • Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
  • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
  • Click "OK".
  • Under "Select a target to scan", click on "My Computer".
  • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.


Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for the Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'.
__________________
Microsoft MVP/Windows - Consumer Security
Junior Member with 16 posts.
 
Join Date: Oct 2007
Experience: Intermediate
29-Mar-2008, 01:07 AM #12
Wow !!!
Ran ATF Cleaner - all items deleted

Downloaded, updated & ran SUPERAntiSpyware
Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/28/2008 at 07:36 PM

Application Version : 4.0.1154

Core Rules Database Version : 3427
Trace Rules Database Version: 1419

Scan type : Complete Scan
Total Scan Time : 00:50:39

Memory items scanned : 504
Memory threats detected : 0
Registry items scanned : 5480
Registry threats detected : 2
File items scanned : 67104
File threats detected : 1

Trojan.Unknown Origin
HKLM\Software\xpre
HKLM\Software\xpre#execount

Adware.Vundo Variant
C:\PROGRAM FILES\HJ_THIS\BACKUPS\BACKUP-20080325-040815-685.DLL
Junior Member with 16 posts.
 
Join Date: Oct 2007
Experience: Intermediate
29-Mar-2008, 01:11 AM #13
Double WOW !!!
Downloaded, updated, & ran Kaspersky Webscan Online Virus Scanner
Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 28, 2008 9:59:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 670089
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 68340
Number of viruses found: 14
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 01:26:10

Infected Object Name / Virus Name / Last Action
C:\89277cb4cb095c9405d8\admparse.dll Object is locked skipped
C:\89277cb4cb095c9405d8\advpack.dll Object is locked skipped
C:\89277cb4cb095c9405d8\browseui.dll Object is locked skipped
C:\89277cb4cb095c9405d8\corpol.dll Object is locked skipped
C:\89277cb4cb095c9405d8\custsat.dll Object is locked skipped
C:\89277cb4cb095c9405d8\dxtmsft.dll Object is locked skipped
C:\89277cb4cb095c9405d8\dxtrans.dll Object is locked skipped
C:\89277cb4cb095c9405d8\extmgr.dll Object is locked skipped
C:\89277cb4cb095c9405d8\hmmapi.dll Object is locked skipped
C:\89277cb4cb095c9405d8\icardie.dll Object is locked skipped
C:\89277cb4cb095c9405d8\icrav03.rat Object is locked skipped
C:\89277cb4cb095c9405d8\ie4uinit.exe Object is locked skipped
C:\89277cb4cb095c9405d8\ieakeng.dll Object is locked skipped
C:\89277cb4cb095c9405d8\ieaksie.dll Object is locked skipped
C:\89277cb4cb095c9405d8\ieakui.dll Object is locked skipped
C:\89277cb4cb095c9405d8\ieapfltr.dll Object is locked skipped
C:\89277cb4cb095c9405d8\iedkcs32.dll Object is locked skipped
C:\89277cb4cb095c9405d8\iedw.exe Object is locked skipped
C:\89277cb4cb095c9405d8\ieencode.dll Object is locked skipped
C:\89277cb4cb095c9405d8\ieframe.dll Object is locked skipped
C:\89277cb4cb095c9405d8\iepeers.dll Object is locked skipped
C:\89277cb4cb095c9405d8\ieproxy.dll Object is locked skipped
C:\89277cb4cb095c9405d8\iernonce.dll Object is locked skipped
C:\89277cb4cb095c9405d8\iertutil.dll Object is locked skipped
C:\89277cb4cb095c9405d8\iesetup.dll Object is locked skipped
C:\89277cb4cb095c9405d8\ieudinit.exe Object is locked skipped
C:\89277cb4cb095c9405d8\ieui.dll Object is locked skipped
C:\89277cb4cb095c9405d8\ieuinit.inf Object is locked skipped
C:\89277cb4cb095c9405d8\iexplore.exe Object is locked skipped
C:\89277cb4cb095c9405d8\imgutil.dll Object is locked skipped
C:\89277cb4cb095c9405d8\inetcpl.cpl Object is locked skipped
C:\89277cb4cb095c9405d8\inseng.dll Object is locked skipped
C:\89277cb4cb095c9405d8\install.ins Object is locked skipped
C:\89277cb4cb095c9405d8\jscript.dll Object is locked skipped
C:\89277cb4cb095c9405d8\jsproxy.dll Object is locked skipped
C:\89277cb4cb095c9405d8\licmgr10.dll Object is locked skipped
C:\89277cb4cb095c9405d8\msfeeds.dll Object is locked skipped
C:\89277cb4cb095c9405d8\msfeeds.mof Object is locked skipped
C:\89277cb4cb095c9405d8\msfeedsbs.dll Object is locked skipped
C:\89277cb4cb095c9405d8\msfeedsbs.mof Object is locked skipped
C:\89277cb4cb095c9405d8\msfeedssync.exe Object is locked skipped
C:\89277cb4cb095c9405d8\mshta.exe Object is locked skipped
C:\89277cb4cb095c9405d8\mshtml.dll Object is locked skipped
C:\89277cb4cb095c9405d8\mshtml.tlb Object is locked skipped
C:\89277cb4cb095c9405d8\mshtmled.dll Object is locked skipped
C:\89277cb4cb095c9405d8\mshtmler.dll Object is locked skipped
C:\89277cb4cb095c9405d8\msls31.dll Object is locked skipped
C:\89277cb4cb095c9405d8\msrating.dll Object is locked skipped
C:\89277cb4cb095c9405d8\mstime.dll Object is locked skipped
C:\89277cb4cb095c9405d8\occache.dll Object is locked skipped
C:\89277cb4cb095c9405d8\occache.ini Object is locked skipped
C:\89277cb4cb095c9405d8\pngfilt.dll Object is locked skipped
C:\89277cb4cb095c9405d8\shdocvw.dll Object is locked skipped
C:\89277cb4cb095c9405d8\shlwapi.dll Object is locked skipped
C:\89277cb4cb095c9405d8\spmsg.dll Object is locked skipped
C:\89277cb4cb095c9405d8\spuninst.exe Object is locked skipped
C:\89277cb4cb095c9405d8\spupdsvc.exe Object is locked skipped
C:\89277cb4cb095c9405d8\tdc.ocx Object is locked skipped
C:\89277cb4cb095c9405d8\ticrf.rat Object is locked skipped
C:\89277cb4cb095c9405d8\update\idndl.exe Object is locked skipped
C:\89277cb4cb095c9405d8\update\ie7.cat Object is locked skipped
C:\89277cb4cb095c9405d8\update\iecustom.dll Object is locked skipped
C:\89277cb4cb095c9405d8\update\iereseticons.exe Object is locked skipped
C:\89277cb4cb095c9405d8\update\iesetup.exe Object is locked skipped
C:\89277cb4cb095c9405d8\update\legitlibm.dll Object is locked skipped
C:\89277cb4cb095c9405d8\update\nlsdl.exe Object is locked skipped
C:\89277cb4cb095c9405d8\update\update.exe Object is locked skipped
C:\89277cb4cb095c9405d8\update\update.exe.manifest Object is locked skipped
C:\89277cb4cb095c9405d8\update\update.inf Object is locked skipped
C:\89277cb4cb095c9405d8\update\update.ver Object is locked skipped
C:\89277cb4cb095c9405d8\update\updspapi.dll Object is locked skipped
C:\89277cb4cb095c9405d8\update\xmllitesetup.exe Object is locked skipped
C:\89277cb4cb095c9405d8\url.dll Object is locked skipped
C:\89277cb4cb095c9405d8\urlmon.dll Object is locked skipped
C:\89277cb4cb095c9405d8\vbscript.dll Object is locked skipped
C:\89277cb4cb095c9405d8\vgx.dll Object is locked skipped
C:\89277cb4cb095c9405d8\webcheck.dll Object is locked skipped
C:\89277cb4cb095c9405d8\webcheck.ini Object is locked skipped
C:\89277cb4cb095c9405d8\winfxdocobj.exe Object is locked skipped
C:\89277cb4cb095c9405d8\wininet.dll Object is locked skipped
C:\d31be34a274b5ca30ba322fd\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Files\Apps\Installed\Freeware\WirelessKeyview.zip/WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.v skipped
C:\Documents and Settings\Dad\Files\Apps\Installed\Freeware\WirelessKeyview.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Dad\Files\Apps\Installed\Shareware\Nero-7.8.5.0.zip/Nero-7.8.5.0_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Dad\Files\Apps\Installed\Shareware\Nero-7.8.5.0.zip/Nero-7.8.5.0_eng.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Dad\Files\Apps\Installed\Shareware\Nero-7.8.5.0.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Dad\Files\Apps\XP\WinXP Media Center 2005\MCE_2005_SP2_JUNE_07.iso/$OEM$/$$/system32/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Dad\Files\Apps\XP\WinXP Media Center 2005\MCE_2005_SP2_JUNE_07.iso ISOimage: infected - 1 skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\Perflib_Perfdata_8b0.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\Perflib_Perfdata_ee8.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\Perflib_Perfdata_ef4.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Hagel Technologies\DU Meter\DUMeter.sqb Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Mom & Dad\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\(E)lephant\Plugins\(E)lephant - MU.Downloader.exe Infected: Worm.Win32.AutoRun.cfp skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\cache\FND0.NFI/data0006 Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\Program Files\ESET\cache\FND0.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND0.NFI PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\cache\FND1.NFI/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\ESET\cache\FND1.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND1.NFI PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\cache\FND3.NFI Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\Program Files\ESET\cache\FND4.NFI/data0006 Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\Program Files\ESET\cache\FND4.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\cache\FND4.NFI PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\cache\FND5.NFI Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\Program Files\ESET\infected\0EJMO4DA.NQF Infected: Trojan-Downloader.Win32.Agent.lqu skipped
C:\Program Files\ESET\infected\CXRVVJAA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\ESET\infected\E4MKI0CA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\ESET\infected\OGVY0MDA.NQF/data0006 Infected: Trojan-Downloader.Win32.VB.dkg skipped
C:\Program Files\ESET\infected\OGVY0MDA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\OGVY0MDA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\PGO1BHCA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\ESET\infected\R1E0IYBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\ESET\infected\RI3GMPDA.NQF Infected: Trojan-Downloader.Win32.Homles.as skipped
C:\Program Files\ESET\infected\T00Q1RBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\ESET\infected\TRMSHKBA.NQF/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\ESET\infected\TRMSHKBA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\TRMSHKBA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\infected\XH1AOADA.NQF Infected: Trojan-Downloader.Win32.Agent.jya skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\Nirsoft\Wireless Keyview\WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.v skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtqq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcca.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geebc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iifcyxx.zip.vir/iifcyxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lnz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iifcyxx.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mljjg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-27_ 50710.56.zip/awtqp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-27_ 50710.56.zip/iifcyxx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lnz skipped
C:\QooBox\Quarantine\catchme2008-03-27_ 50710.56.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP22\A0001124.exe Infected: not-a-virus:PSWTool.Win32.Messen.v skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0002349.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0002350.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0002351.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0002352.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP37\A0002912.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lnz skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP37\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\S924F2C46.tmp Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_798.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
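The report above has three line shapes: in-use files skipped as locked, infected objects tagged with a detection name, and per-archive summaries such as "ZIP: infected - 2". As an added example (not part of this thread and not Kaspersky's tooling), the Python below parses that format, rolls each infected archive member up to the file on disk that contains it, and separates files in live locations from copies already sitting in quarantine or restore-point folders. The sample lines are constructed to mirror the posted report, and treating ESET\infected, QooBox\Quarantine, System Volume Information\_restore and HJ_THIS\BACKUPS as already-contained locations is an assumption.

```python
"""Parse a Kaspersky Online Scanner report into locked, infected and container
lines, then roll each infected object up to the file on disk that holds it and
separate files in live locations from copies already sitting in quarantine."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt that mirrors the line format of the posted report.
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\89277cb4cb095c9405d8\mshtml.dll Object is locked skipped
C:\Documents and Settings\Dad\Files\Apps\Installed\Freeware\WirelessKeyview.zip/WirelessKeyView.exe Infected: not-a-virus:PSWTool.Win32.Messen.v skipped
C:\Documents and Settings\Dad\Files\Apps\Installed\Freeware\WirelessKeyview.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Dad\Files\Apps\XP\WinXP Media Center 2005\MCE_2005_SP2_JUNE_07.iso/$OEM$/$$/system32/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Program Files\(E)lephant\Plugins\(E)lephant - MU.Downloader.exe Infected: Worm.Win32.AutoRun.cfp skipped
C:\Program Files\ESET\cache\FND0.NFI/data0006 Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\Program Files\ESET\cache\FND0.NFI NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\CXRVVJAA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtqq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP29\A0002349.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# One pattern per line shape in the report; the trailing word is the last action.
LOCKED = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER = re.compile(r"^(?P<path>.+?) (?P<kind>[\w.-]+): infected - (?P<count>\d+) skipped$")

# Assumption: anything under these folders (all present in the thread) is a copy
# already isolated by another tool or by System Restore, not a live infection.
QUARANTINE_MARKERS = (r"\eset\infected", r"\qoobox\quarantine",
                      r"\system volume information\_restore", r"\hj_this\backups")

@dataclass
class Finding:
    path: str            # object path; archive members appear as <file>/<member>
    kind: str            # "locked", "infected" or "container"
    detection: str = ""  # virus name for infected lines, archive type for containers
    count: int = 0       # infected members reported for a container

def parse_report(text):
    """Return one Finding per object line between the table header and the footer."""
    findings, in_table = [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        if line == "Scan process completed.":
            break
        for pattern, kind in ((LOCKED, "locked"), (INFECTED, "infected"),
                              (CONTAINER, "container")):
            m = pattern.match(line)
            if m:
                g = m.groupdict()
                findings.append(Finding(g["path"], kind,
                                        g.get("name") or g.get("kind", ""),
                                        int(g.get("count", 0))))
                break
        else:
            raise ValueError(f"unrecognised report line: {line!r}")
    return findings

def container_of(path):
    """Members are reported as <file on disk>/<member path>; keep the file on disk."""
    return path.split("/", 1)[0]

def is_quarantined(path):
    lowered = path.lower()
    return any(marker in lowered for marker in QUARANTINE_MARKERS)

def summarize(findings):
    """Count detections by name and split infected files into live vs. contained."""
    detections = Counter(f.detection for f in findings if f.kind == "infected")
    live, contained = set(), set()
    for f in findings:
        if f.kind == "infected":
            target = container_of(f.path)
            (contained if is_quarantined(target) else live).add(target)
    return {"locked": sum(1 for f in findings if f.kind == "locked"),
            "detections": detections, "live": sorted(live), "contained": sorted(contained)}

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

"Object is locked skipped" means the scanner could not open an in-use file (registry hives, event logs, index.dat); those lines are not detections and are expected on a running system.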
lynx560 (Junior Member with 16 posts; Join Date: Oct 2007; Experience: Intermediate)
29-Mar-2008, 01:14 AM #14
Ok...
Here is my current HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:44 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HJ_This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://pogoclub.oberon-media.com/onl...jolauncher.cab
O16 - DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} (SpinTop Games Launcher) - http://clubgames.pogo.com/online2/po...esLauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8018 bytes
cybertech (Moderator with 68,811 posts; Join Date: Apr 2002; Location: Washington State)
29-Mar-2008, 01:19 PM #15
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Documents and Settings\Dad\Files\Apps\Installed\Freeware\WirelessKeyview.zip
    C:\Documents and Settings\Dad\Files\Apps\Installed\Shareware\Nero-7.8.5.0.zip
    C:\Program Files\(E)lephant\Plugins\(E)lephant - MU.Downloader.exe
    C:\Program Files\ESET\cache\FND0.NFI
    C:\Program Files\ESET\cache\FND1.NFI
    C:\Program Files\ESET\cache\FND3.NFI
    C:\Program Files\ESET\cache\FND4.NFI
    C:\Program Files\ESET\cache\FND5.NFI
    C:\Program Files\Nirsoft\Wireless Keyview\WirelessKeyView.exe
    
  • Return to OTMoveIt2, right click in the Paste Custom List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
__________________
Microsoft MVP/Windows - Consumer Security
Thread permalink: techguy.org/696879
Copyright © 1996 - 2010 TechGuy, Inc. All rights reserved.