
Solved: Messenger link-type virus/trojan. Please help!

Discussion in 'Virus & Other Malware Removal' started by JGG, Apr 13, 2008.

  1. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    Hi All,

    Unfortunately, I've again got a problem that I had last fall (see below thread):

    http://forums.techguy.org/malware-re...ml#post5123145

    Basically, it signs me out and then sends out spam/virus type links to my contacts.

    Again, I've tried everything, including starts and scans in safe-mode, but I think I still have it since some of my contacts still report getting the virus-type links from my messenger service.

    Below is the hijack-this link.

    Last time, I received prompt and effective help from the guys on this forum. It was great! I'd really appreciate any help, again!!

    Thanks.

    ********************************************************


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:10:56 PM, on 13/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Azureus\Azureus.exe
    C:\WINDOWS\system32\SNDVOL32.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Sonique\Sonique.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Documents and Settings\Percy\Desktop\ER\swa\HiJackThis_v2.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: user_manual.lnk = ?
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZDConfig.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate with ABBYY &Lingvo - res://C:\Program Files\ABBYY Lingvo 11 Six Languages\Lingvo.exe/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 213.159.117.202
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206994990312
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 9350 bytes

    *********************************************

    PS. I posted this issue earlier, weeks ago, but no one responded to my request. If someone could please remove it:

    http://forums.techguy.org/malware-removal-hijackthis-logs/699053-messenger-trojan-virus.html
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Thanks for the PM. You should read the first thread in the Malware forum. If you don't receive help within 2 days just use the report button.

    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - Startup: user_manual.lnk = ?
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    Close all applications and browser windows before you click "fix checked".


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 update 5.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.

    Please download (save) MsnCleaner.zip to your desktop.
    Extract the content of MsnCleaner.zip to your Desktop.
    Restart in Safe Mode.
    • To boot up in Safe mode, continuously tap the F8 key while starting your computer.
    • You should see a black screen displaying the Windows Advanced Menu Options.
    • Using your keyboard's arrow keys, select Safe mode, then hit Enter.

    Double-click MsnCleaner.exe to run it.
    Click the Analyze button.
    A report will be created once the scan finishes.
    If it finds an infection, click the Delete button.
    Now, please reboot back to normal mode.
    Please post the contents of C:\MsnCleaner.txt in a reply to this post.




    Please perform a scan with Kaspersky Webscan Online Virus Scanner

    1. Read the Requirements and Privacy statement, then select "Accept".
    2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
    4. When the download is complete it will say ready, click "Next".
    5. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
    6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    7. Click "OK".
    8. Under "Select a target to scan", click on "My Computer".
    9. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!'.
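The fix list above follows one rule: tick the HijackThis entries whose target no longer resolves. To make that rule mechanical, here is an added Python example (mine, not part of the thread and not HijackThis's own code). It applies the same three checks cybertech used: an O2 BHO whose DLL shows as "(no file)", an O4 Startup shortcut whose target HJT prints as "?", and an O16 DPF entry with no download URL. The sample lines are copied from the log posted in this thread; the rule table, function names and reason strings are my own.

```python
"""Flag HijackThis (HJT) entries whose target cannot be resolved.

Added example, not part of the original thread or of HijackThis itself.
The three rules reproduce the moderator's fix list: a BHO registered with
"(no file)", a Startup .lnk whose target is "?", and a DPF (ActiveX download)
entry with no source URL. Rule names and reason strings are my own.
"""
import re
from typing import List, Tuple

# Sample lines copied from the HijackThis log posted in this thread.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: user_manual.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HJT entries look like "<section> - <body>", e.g. "O2 - BHO: ...".
_ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

# (section, pattern applied to the body, reason) describing a dangling entry.
DANGLING_RULES: List[Tuple[str, re.Pattern, str]] = [
    ("O2", re.compile(r"\(no file\)$"),
     "BHO is still registered but its DLL is missing"),
    ("O4", re.compile(r"^Startup: .+\.lnk = \?$"),
     "Startup shortcut whose target HJT could not resolve"),
    ("O16", re.compile(r" -$"),
     "Downloaded Program Files (ActiveX) entry with no source URL"),
]


def flag_dangling(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for every entry that matches a dangling rule."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # headers, the process list, blank lines
        section, body = m.group("section"), m.group("body")
        for rule_section, pattern, reason in DANGLING_RULES:
            if section == rule_section and pattern.search(body):
                findings.append((line, reason))
                break
    return findings


def fix_list(log_text: str) -> List[str]:
    """The lines you would tick in HJT before clicking 'Fix checked'."""
    return [line for line, _ in flag_dangling(log_text)]


if __name__ == "__main__":
    for line, reason in flag_dangling(HJT_LOG):
        print(f"{line}\n    -> {reason}")
```

Run against the full log it returns exactly the three lines cybertech listed; entries with a real path (the Acrobat BHO, the Global Startup shortcut, the WGA control) pass untouched. Other sections can be covered by adding rows to DANGLING_RULES.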
     
  3. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    Thanks so much for the reply. I thought typing "bump" was the way to go, but I guess not.

    I followed all the steps and the results are below. Please note that I could not find msn cleaner when I re-booted in safe mode, so I did the scan in normal mode.

    Thanks again.



    ************
    msn cleaner log
    ************

    - Logfile MSNCleaner 1.6.2 by www.forospyware.com
    - Created Logfile: 17/04/2008 on 12:49:43 AM
    - Operative System: Windows XP
    - Boot mode: Normal
    _________________________________________

    Detected files: 2
    Deleted file: 0
    Undeleted Files: 0

    C:\WINDOWS\img_1123.zip
    C:\WINDOWS\SYSTEM32\tmp.txt


    **************
    kaspersky log
    **************

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, April 17, 2008 12:03:31 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 17/04/2008
    Kaspersky Anti-Virus database records: 711708
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan Statistics:
    Total number of scanned objects: 299922
    Number of viruses found: 23
    Number of infected objects: 62
    Number of suspicious objects: 0
    Duration of the scan process: 06:40:22

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Percy\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.54430 Infected: not-virus:Hoax.Win32.Agent.by skipped
    C:\Documents and Settings\Percy\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_104C_2146_4C21_27C4\dfsr.db Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_104C_2146_4C21_27C4\fsr.log Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_104C_2146_4C21_27C4\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_104C_2146_4C21_27C4\tmp.edb Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\History\History.IE5\MSHist012008041720080418\index.dat Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Temp\Perflib_Perfdata_6cc.dat Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Temp\~DFAECE.tmp Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Temp\~DFAED9.tmp Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Temp\~DFBFA5.tmp Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Temp\~DFC02F.tmp Object is locked skipped
    C:\Documents and Settings\Percy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Percy\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Percy\ntuser.dat.LOG Object is locked skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "knat" <[email protected]>][Date Tue, 31 Oct 2000 19:06:32 +0530]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "knat" <[email protected]>][Date Tue, 31 Oct 2000 19:06:32 +0530]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Sun, 19 Nov 2000 14:37:55 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Sun, 19 Nov 2000 14:37:55 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Mon, 20 Nov 2000 14:46:12 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Mon, 20 Nov 2000 14:46:12 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Tue, 21 Nov 2000 20:16:26 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Tue, 21 Nov 2000 20:16:26 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Wed, 22 Nov 2000 18:23:17 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Fri, 24 Nov 2000 22:29:20 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Fri, 24 Nov 2000 22:29:20 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx Mail MS Internet Mail: infected - 11 skipped
    C:\My Old PC stuff\Outlook Express\Mail\Outbox.mbx/[From "Darius Contractor" <[email protected]>][Date Wed, 22 Nov 2000 09:16:24 -0500]/UNNAMED/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Outbox.mbx/[From "Darius Contractor" <[email protected]>][Date Wed, 22 Nov 2000 09:16:24 -0500]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Outbox.mbx Mail MS Internet Mail: infected - 2 skipped
    C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    C:\Program Files\WAV to MP3 Encoder\bs3-m3.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.a skipped
    C:\Program Files\WAV to MP3 Encoder\bs3-m3.exe NSIS: infected - 1 skipped
    C:\Program Files\WAV to MP3 Encoder\m3_bbi6009.exe/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
    C:\Program Files\WAV to MP3 Encoder\m3_bbi6009.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
    C:\Program Files\WAV to MP3 Encoder\m3_bbi6009.exe NSIS: infected - 2 skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0016.BIN/data0008 Infected: not-a-virus:AdWare.Win32.CommonName.b skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0016.BIN/data0009 Infected: not-a-virus:AdWare.Win32.CommonName.b skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0016.BIN/data0010 Infected: not-a-virus:AdWare.Win32.CommonName.b skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.CommonName.b skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0017.BIN/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.a skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.BookedSpace.a skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.EZula.p skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0019.BIN/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0019.BIN/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0026.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0026.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0026.BIN/data0001.cab/Weather/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0026.BIN/data0001.cab/Weather/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0026.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe WiseSFX: infected - 16 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0044167.exe Infected: Trojan-Downloader.Win32.Zlob.lfq skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0044169.exe Infected: Trojan-Downloader.Win32.Zlob.lft skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0046170.exe Infected: Trojan-Downloader.Win32.Zlob.lfq skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0046171.dll Infected: Trojan-Downloader.Win32.Zlob.lhh skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0046172.exe Infected: Trojan-Downloader.Win32.Zlob.lft skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0050168.exe Infected: Trojan-Downloader.Win32.Zlob.lfq skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0051170.dll Infected: Trojan-Downloader.Win32.Zlob.lhh skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0051171.exe Infected: Trojan-Downloader.Win32.Zlob.lft skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0051175.exe Infected: Trojan-Downloader.Win32.Zlob.lfd skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0051176.exe Infected: not-virus:Hoax.Win32.Gavec.az skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0052168.exe Infected: Trojan-Downloader.Win32.Zlob.lfq skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0052170.dll Infected: Trojan-Downloader.Win32.Zlob.lhh skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0052171.exe Infected: Trojan-Downloader.Win32.Zlob.lgc skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0052172.exe Infected: Trojan-Downloader.Win32.Zlob.lft skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0052173.exe Infected: Trojan-Downloader.Win32.Zlob.lhe skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP320\A0052174.dll Infected: Trojan-Downloader.Win32.Zlob.lge skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP322\A0054440.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll Infected: not-a-virus:AdWare.Win32.Gator.1019 skipped
    C:\WINDOWS\img_1123.zip/image14.JPG-www.imageshack.com Infected: IM-Worm.Win32.Agent.u skipped
    C:\WINDOWS\img_1123.zip ZIP: infected - 1 skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\dtscsi.sys Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
    C:\WINDOWS\SYSTEM32\DRIVERS\sptd6093.sys Object is locked skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
    C:\WINDOWS\WIASERVC.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    G:\Downloaded Stuff\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
    G:\Downloaded Stuff\mirc616.exe mIRC: infected - 1 skipped
    G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    G:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\change.log Object is locked skipped
    H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    H:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\change.log Object is locked skipped
    I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    I:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP328\change.log Object is locked skipped

    Scan process completed.
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Program Files\Common Files\Real\Toolbar\RealBar.dll
      C:\Program Files\WAV to MP3 Encoder\bs3-m3.exe
      C:\Program Files\WAV to MP3 Encoder\m3_bbi6009.exe
      C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe
      C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
      C:\WINDOWS\img_1123.zip

    • Return to OTMoveIt2, right click in the Paste Custom List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    Next


    You have some very old e-mail here that is also infected, dated 2000.

    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "knat" <[email protected]>][Date Tue, 31 Oct 2000 19:06:32 +0530]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "knat" <[email protected]>][Date Tue, 31 Oct 2000 19:06:32 +0530]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Sun, 19 Nov 2000 14:37:55 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Sun, 19 Nov 2000 14:37:55 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Mon, 20 Nov 2000 14:46:12 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Mon, 20 Nov 2000 14:46:12 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Tue, 21 Nov 2000 20:16:26 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Tue, 21 Nov 2000 20:16:26 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Wed, 22 Nov 2000 18:23:17 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Fri, 24 Nov 2000 22:29:20 -0800]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "madhu dhamdhere" <[email protected]>][Date Fri, 24 Nov 2000 22:29:20 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx Mail MS Internet Mail: infected - 11 skipped
    C:\My Old PC stuff\Outlook Express\Mail\Outbox.mbx/[From "Darius Contractor" <[email protected]>][Date Wed, 22 Nov 2000 09:16:24 -0500]/UNNAMED/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Outbox.mbx/[From "Darius Contractor" <[email protected]>][Date Wed, 22 Nov 2000 09:16:24 -0500]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    C:\My Old PC stuff\Outlook Express\Mail\Outbox.mbx Mail MS Internet Mail: infected - 2 skipped


    Are you still using Outlook Express? This looks like it was moved from an old system to a new one or a new installation of the OS. My Old PC stuff is the file path. If you are not using these files any more, I would just delete the file or folder Mail:
    C:\My Old PC stuff\Outlook Express\Mail\Outbox.mbx and Inbox.mbx
    Or even up one more level, to Outlook Express.
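The move list above names container files (C:\WINDOWS\img_1123.zip rather than the image inside it) taken from the scan report's Infected: entries, while the many "Object is locked skipped" lines are not detections at all. As an added example (not code from the thread or from any tool it mentions), the Python below parses that report format the same way: it discards locked-file noise, collapses archive and mailbox members to their container, flags "not-a-virus:" riskware separately, and produces the container list; the sample lines are copied from the report quoted earlier in this thread, with the mailbox sender replaced by a constructed placeholder.

```python
r"""Triage a Kaspersky-style scan report (the format quoted in this thread).

Result lines come in three shapes:
  <path> Object is locked skipped          scanner could not open the file: noise
  <path> Infected: <detection> skipped     a detection; <path> may be <container>/<member>
  <path> <Kind>: infected - <n> skipped    per-container summary line
Members of archives and mailboxes are written "<file>/<member>", so a detection
inside C:\WINDOWS\img_1123.zip is reported against the zip's member, while the
file that actually has to be moved is the zip itself.
"""
import re
from collections import Counter
from dataclasses import dataclass

LOCKED_SUFFIX = " Object is locked skipped"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
SUMMARY_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>[A-Za-z0-9 ]+): infected - (?P<count>\d+) skipped$"
)

# Lines copied from the report quoted in this thread; the mailbox sender is a
# constructed placeholder, not the address from the original post.
SAMPLE_REPORT = r"""
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll Infected: not-a-virus:AdWare.Win32.Gator.1019 skipped
C:\WINDOWS\img_1123.zip/image14.JPG-www.imageshack.com Infected: IM-Worm.Win32.Agent.u skipped
C:\WINDOWS\img_1123.zip ZIP: infected - 1 skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "knat" <sender@example.invalid>][Date Tue, 31 Oct 2000 19:06:32 +0530]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx/[From "knat" <sender@example.invalid>][Date Tue, 31 Oct 2000 19:06:32 +0530]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
C:\My Old PC stuff\Outlook Express\Mail\Inbox.mbx Mail MS Internet Mail: infected - 11 skipped
Scan process completed.
"""


@dataclass(frozen=True)
class Finding:
    container: str   # on-disk file: archive, mailbox, installer or plain file
    member: str      # path inside the container, "" for a plain file
    detection: str   # scanner's detection name
    riskware: bool   # "not-a-virus:" prefix marks adware/riskware, not malware


def split_container(path: str) -> tuple[str, str]:
    """Separate "<file>/<member>"; Windows paths use backslashes, so the
    first forward slash is the member boundary."""
    head, sep, tail = path.partition("/")
    return head, (tail if sep else "")


def parse_report(text: str) -> tuple[list[Finding], Counter]:
    """Return the detections and a tally of every line type seen."""
    findings: list[Finding] = []
    tally: Counter = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            tally["locked"] += 1          # not a detection, just an open file
            continue
        m = INFECTED_RE.match(line)
        if m:
            container, member = split_container(m["path"])
            name = m["name"]
            findings.append(Finding(container, member, name,
                                    name.startswith("not-a-virus:")))
            tally["infected"] += 1
            continue
        if SUMMARY_RE.match(line):
            tally["summary"] += 1         # already counted via its members
            continue
        tally["other"] += 1               # banner, "Scan process completed." etc.
    return findings, tally


def move_list(findings: list[Finding], include_riskware: bool = True) -> list[str]:
    """Unique container paths in report order: the files a helper would list
    for a file-move tool, one entry per archive or mailbox however many
    members inside it were flagged."""
    out: list[str] = []
    for f in findings:
        if f.riskware and not include_riskware:
            continue
        if f.container not in out:
            out.append(f.container)
    return out


if __name__ == "__main__":
    found, counts = parse_report(SAMPLE_REPORT)
    print(dict(counts))
    for f in found:
        print(f"{f.detection:40} {f.container}  [{f.member or 'whole file'}]")
    print("move list:", *move_list(found), sep="\n  ")
```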
     
  5. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    Hi. I deleted the old files. Below are the results from "oldtimer":

    Thanks.

    ********************************************

    C:\Program Files\Common Files\Real\Toolbar\RealBar.dll unregistered successfully.
    C:\Program Files\Common Files\Real\Toolbar\RealBar.dll moved successfully.
    C:\Program Files\WAV to MP3 Encoder\bs3-m3.exe moved successfully.
    C:\Program Files\WAV to MP3 Encoder\m3_bbi6009.exe moved successfully.
    C:\Program Files\WAV to MP3 Encoder\setupwavtomp3.exe moved successfully.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll unregistered successfully.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll moved successfully.
    C:\WINDOWS\img_1123.zip moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04182008_000351
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please post a new hijackthis log.

    Are you having any problems now?
     
  7. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    Hi. I don't think I have any problems now. One of the indications of the problems was messenger signing me out at least once a day and sending out the spam message at the same time. I did a virus scan a few weeks ago and it deleted some files.

    I thought I was OK. I would sometimes get signed out about once every 2 days, but no one reported any spam messages. Then, this past weekend, someone did say that they got one from me, so it seems it was still there. No sign outs in the past 2 days though, so I hope everything is OK.

    The hijackthis logfile is below:

    Thanks again.

    **************************************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:03:36 PM, on 18/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Sonique\sqstart.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\WINDOWS\system32\SNDVOL32.EXE
    C:\Program Files\Azureus\Azureus.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Global Startup: ZDConfig.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate with ABBYY &Lingvo - res://C:\Program Files\ABBYY Lingvo 11 Six Languages\Lingvo.exe/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 213.159.117.202
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206994990312
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

    --
    End of file - 7664 bytes
     
  8. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    Maybe I spoke too soon - I was just signed out of messenger. My friends who are online don't report receiving some sort of spam message though, so it seems to be some other sort of problem. I don't think it's a connection issue though.

    Thanks.
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    See if this finds anything.
    Please download Malwarebytes Anti-Malware from Here or Here
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick Scan, then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy the entire report and paste it in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
     
  10. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    I had another messenger sign out today, but no spam/virus problems it seems. I suppose I'll try re-installing it again. It's something that I can live with anyway.

    The logfile is below. Again, it seems everything appears ok.



    ******************************************

    Malwarebytes' Anti-Malware 1.11
    Database version: 658

    Scan type: Quick Scan
    Objects scanned: 57967
    Time elapsed: 16 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You can and should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

    OTMoveIt2 by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders.
    • Make sure you have an Internet Connection.
    • Double-click OTMoveIt2.exe to run it.
    • Click on the CleanUp! button
    • A list of tool components used in the Cleanup of malware will be downloaded.
    • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


    It's a good idea to Flush your System Restore after removing malware:
    Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405



    Now you should Clean up your PC


    Here are some additional links for you to check out to help you with your computer security.

    How did I get infected in the first place.

    Good free tools and advice on how to tighten your security settings.

    Security Help Tools
     
  12. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    Before I go ahead and do this, it seems the problem is still there. Earlier today, I was signed out of messenger and 2 of my online contacts said they received the spam IM from me.

    Now, since then, I uninstalled and reinstalled messenger, with a reboot in between. Should I just wait and see what this does, or is there something else I should do in the meantime?

    Thanks.
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please visit this webpage for instructions on installing recovery console and downloading/running ComboFix.

    Post the log from ComboFix along with a new HijackThis log.
     
  14. JGG

    JGG Thread Starter

    Joined:
    Sep 17, 2007
    Messages:
    56
    Thanks. Here are the new logs:

    **************************************
    Combofix
    **************************************

    ComboFix 08-04-20.5 - Percy 2008-04-22 17:43:09.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.205 [GMT -4:00]
    Running from: C:\Documents and Settings\Percy\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Percy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
    .

    2008-04-18 00:25 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
    2008-04-18 00:23 . 2008-04-18 00:23 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-04-18 00:03 . 2008-04-18 00:03 <DIR> d-------- C:\_OTMoveIt
    2008-04-17 00:51 . 2008-04-17 00:51 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-04-17 00:51 . 2008-04-17 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-04-17 00:49 . 2008-04-17 00:50 <DIR> d-------- C:\MSNCleaner
    2008-04-17 00:09 . 2008-04-17 00:09 1,625 --a------ C:\1208405327595-integrated.jnlp
    2008-04-17 00:08 . 2008-04-17 00:08 1,287 --a------ C:\1208405381081-integrated.jnlp
    2008-04-15 23:39 . 2008-04-19 18:44 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-15 23:39 . 2008-04-15 23:39 <DIR> d-------- C:\Documents and Settings\Percy\Application Data\Malwarebytes
    2008-04-15 23:39 . 2008-04-15 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-04-15 23:38 . 2008-04-15 23:38 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2008-04-15 19:19 . 2008-04-15 19:19 <DIR> d-------- C:\Documents and Settings\Percy\Application Data\InterMute
    2008-04-15 01:24 . 2008-04-15 01:24 <DIR> d-------- C:\Program Files\PCPitstop
    2008-04-15 01:24 . 2008-04-15 01:24 <DIR> d-------- C:\Program Files\Common Files\Scanner
    2008-04-03 00:29 . 2008-04-03 00:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
    2008-04-01 04:13 . 2008-04-01 04:13 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2008-04-01 04:10 . 2006-08-21 05:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
    2008-04-01 04:06 . 2008-04-01 04:06 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-03-31 16:42 . 2007-07-09 09:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
    2008-03-31 16:34 . 2006-06-26 13:37 8,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rasadhlp.dll
    2008-03-31 16:25 . 2008-03-31 17:29 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-03-31 16:25 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
    2008-03-31 16:25 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
    2008-03-31 16:24 . 2008-04-21 17:32 <DIR> d-------- C:\Program Files\Windows Live
    2008-03-31 16:24 . 2008-04-21 17:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-03-31 16:23 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
    2008-03-31 16:23 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
    2008-03-31 16:23 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
    2008-03-31 16:23 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-22 20:53 --------- d-----w C:\Program Files\Sonique
    2008-04-21 21:35 --------- d-----w C:\Documents and Settings\Percy\Application Data\Azureus
    2008-04-18 04:25 --------- d-----w C:\Program Files\Java
    2008-04-18 04:03 --------- d-----w C:\Program Files\WAV to MP3 Encoder
    2008-04-17 04:48 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-04-16 04:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-04-16 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-04-16 00:13 --------- d-----w C:\Program Files\WinMX
    2008-04-08 05:39 --------- d-----w C:\Documents and Settings\Percy\Application Data\Vso
    2008-03-31 20:21 --------- d-----w C:\Program Files\MSN Messenger
    2008-03-19 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
    2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
    2008-03-15 06:13 --------- d-----w C:\Program Files\iTunes
    2008-03-15 06:13 --------- d-----w C:\Program Files\iPod
    2008-03-15 06:06 --------- d-----w C:\Program Files\QuickTime
    2008-03-08 11:32 --------- d-----w C:\Program Files\Azureus
    2008-02-27 21:47 --------- d-----w C:\Program Files\vixy.net
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
    2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
    2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
    2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
    2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2008-02-15 09:23 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
    2008-02-13 08:51 1,328 ----a-w C:\FSUIPC_reg.bin
    2008-02-07 04:29 1,388,544 ----a-w C:\WINDOWS\SYSTEM32\MSVBVM60.dll
    2008-02-06 10:17 737,280 -c--a-w C:\WINDOWS\iun6002.exe
    2007-01-30 06:50 87,608 ----a-w C:\Documents and Settings\Percy\Application Data\ezpinst.exe
    2007-01-30 06:50 47,360 ----a-w C:\Documents and Settings\Percy\Application Data\pcouffin.sys
    2006-11-20 23:12 108,984 ----a-w C:\Documents and Settings\Percy\Application Data\GDIPFONTCACHEV1.DAT
    2004-02-12 23:46 1,040,384 -c--a-w C:\Program Files\mplayerc.exe
    2005-04-15 20:12 61 --sh--w C:\WINDOWS\cnerolf.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PopUpStopperFreeEdition"="C:\Program Files\Pop-Up Stopper Free Edition\PSFree.exe" [2005-03-17 11:10 536576]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 12:28 139264]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-02 20:04 68856]
    "SoniqueQuickStart"="C:\Program Files\Sonique\sqstart.exe" [2007-10-16 05:32 44832]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16 5058560]
    "SideWinderTrayV4"="C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe" [2000-06-02 20:07 24650]
    "nwiz"="nwiz.exe" [2003-10-06 15:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2003-10-06 15:16 49152]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-16 19:37 180269]
    "PestPatrol Control Center"="C:\PROGRA~1\PESTPA~1\PPControl.exe" [ ]
    "PPMemCheck"="C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [ ]
    "CookiePatrol"="C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [ ]
    "Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09 57344]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 10:57 133016]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "PCPitstop Registration Reminder"="C:\Program Files\PCPitstop\Exterminate\Reminder.exe" [2007-05-24 12:21 991232]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-01-18 20:03:45 49254]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04 83360]
    SpySubtract.lnk - C:\Program Files\interMute\SpySubtract\SpySub.exe [2008-04-15 19:19:01 1187840]
    ZDConfig.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe [2006-07-09 22:11:00 184320]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "SpecifyDefaultButtons"= 0 (0x0)
    "Btn_Search"= 0 (0x0)
    "NoBandCustomize"= 0 (0x0)
    "NoToolbarCustomize"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
    "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= c:\Program Files\interMute\SpySubtract\sshook.dll [2008-04-15 19:19 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420"= i263_32.drv
    "msacm.l3acm"= l3codecp.acm
    "vidc.xvid"= xvid.dll
    "VIDC.I263"= i263_32.drv
    "vidc.DIV3"= DivXc32.dll
    "vidc.DIV4"= DivXc32f.dll
    "vidc.3ivx"= 3ivxVfWCodec.dll
    "msacm.divxa32"= DivXa32.acm
    "msacm.imc"= imc32.acm
    "vidc.3IV2"= 3ivxVfWCodec.dll
    "msacm.fraunhoferacm"= l3codecp.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmdnb.exe]
    C:\WINDOWS\System32\dmdnb.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotAction_ca]
    C:\Program Files\ComSoft\Dialers\HotAction_ca\HotAction_ca.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
    --a------ 2002-10-14 16:09 57344 C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrolCL]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2004-10-16 19:37 204845 C:\Program Files\Real\RealPlayer\RealPlay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WetGirls_ca]
    C:\Program Files\GMSoft\Dialers\WetGirls_ca\WetGirls_ca.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Symantec Core LC"=2 (0x2)
    "SPBBCSvc"=2 (0x2)
    "navapsvc"=2 (0x2)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Azureus\\Azureus.exe"=
    "C:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
    "C:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
    "C:\\Program Files\\mIRC\\mirc.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Sonique\\Sonique.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2642:UDP"= 2642:UDP:Windows Media Format SDK (iexplore.exe)
    "2643:UDP"= 2643:UDP:Windows Media Format SDK (iexplore.exe)
    "2644:UDP"= 2644:UDP:Windows Media Format SDK (iexplore.exe)

    R3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\System32\ZDNDIS5.SYS [2002-10-30 11:43]
    S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
    S1 vdnt32;MemDRV;C:\WINDOWS\System32\vdnt32.sys []
    S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 13:30]
    S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 13:29]
    S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys [2003-05-15 18:29]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-04-22 03:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-22 17:47:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-22 18:08:03
    ComboFix-quarantined-files.txt 2008-04-22 22:07:36
    ComboFix2.txt 2008-04-22 21:13:24
    ComboFix3.txt 2007-09-17 22:33:31

    Pre-Run: 5,259,784,192 bytes free
    Post-Run: 5,226,926,080 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    199 --- E O F --- 2008-04-09 07:10:04





    *********************************************
    Hijackthis
    *********************************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:21:02 PM, on 22/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCPitstop Registration Reminder] C:\Program Files\PCPitstop\Exterminate\Reminder.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Global Startup: ZDConfig.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate with ABBYY &Lingvo - res://C:\Program Files\ABBYY Lingvo 11 Six Languages\Lingvo.exe/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 213.159.117.202
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206994990312
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

    --
    End of file - 8266 bytes
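The HijackThis log above is read by eye, entry type by entry type (O4 autostarts, O15 Trusted Zone additions, O16 ActiveX downloads, O20 Winlogon notify DLLs, O23 services). As an added example, not part of this thread and not the procedure cybertech follows, here is a small Python triage script that parses lines in the HijackThis "Xn - detail" shape and applies a few review rules. The sample lines are copied from the log above; the rules (which directories an autostart should not run from, which download hosts are expected for O16) are assumptions chosen for illustration, and a finding means "look at this entry", never "this is malware".

```python
"""Triage helper for HijackThis 2.x logs.

Added example for this thread (not HijackThis or ComboFix code, and not the
procedure cybertech follows).  It parses the 'Xn - detail' lines that HijackThis
prints and applies a few review rules.  A finding means "look at this entry",
never "this is malware"; the rules themselves are assumptions about what a
reviewer wants surfaced first.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "section detail")
Finding = namedtuple("Finding", "section reason detail")

# HijackThis line shape: 'O4 - HKLM\..\Run: [name] command', 'O15 - Trusted IP range: ...', etc.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 detail shape: '<hive>\..\Run: [<value name>] <command line>'
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Directories an autostart normally should not run from (assumption used by the rule below).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")
# ActiveX (O16) download hosts treated as expected; everything else is listed for review (assumption).
EXPECTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
"""


def parse_log(text):
    """Return every 'Xn - detail' line as an Entry; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def o4_executable(detail):
    """Pull the program out of an O4 Run entry; None for entries of another shape (Global Startup .lnk)."""
    m = O4_RE.match(detail)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                      # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]                  # unquoted: the first token is the program


def triage(entries):
    """Apply the review rules and return the entries worth a second look, with the reason."""
    findings = []
    for e in entries:
        if e.section == "O15":
            findings.append(Finding(e.section, "Trusted Zone entry: IE relaxes security for this host; "
                                               "confirm it was added on purpose", e.detail))
        elif e.section == "O4":
            exe = o4_executable(e.detail)
            if exe is None:
                continue
            if "\\" not in exe:
                findings.append(Finding(e.section, "bare file name %r: find which file actually resolves" % exe, e.detail))
            elif any(d in exe.lower() for d in SUSPECT_DIRS):
                findings.append(Finding(e.section, "autostart runs from a profile/temp directory", e.detail))
        elif e.section == "O10" and "unknown" in e.detail.lower():
            findings.append(Finding(e.section, "Winsock LSP HijackThis does not recognise; "
                                               "identify the DLL before removing it", e.detail))
        elif e.section == "O16":
            host = urlparse(e.detail.rsplit(" - ", 1)[-1]).hostname or ""
            if not host.endswith(EXPECTED_DPF_HOSTS):
                findings.append(Finding(e.section, "ActiveX download from %s; check the vendor" % host, e.detail))
        elif e.section in ("O20", "O21", "O22"):
            findings.append(Finding(e.section, "DLL loaded at logon by winlogon/explorer; verify its vendor", e.detail))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print("%-4s %s\n     %s" % (f.section, f.reason, f.detail))
```

Run against the sample it lists five entries for review (the O15 range, the bare `nwiz.exe` autostart, the unrecognised LSP, the non-Microsoft O16 download and the O20 notify DLL); the service and BHO lines pass the rules here but, as the helpers on this forum do, you still confirm each file's publisher before deciding anything.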
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.
     
Short URL to this thread: https://techguy.org/703456
