Hijackthis Log



#1 vdsteg


Posted 19 February 2007 - 11:22 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:05:55 PM, on 2/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINNT\system32\UAService7.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d87d5a9618004dd9b57299f88dab6edd
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d87d5a9618004dd9b57299f88dab6edd
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{72B38438-EF15-49D6-B7BD-49A156A8C610}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A54B269-01D2-46FD-8D67-977D24836643}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\..\{72B38438-EF15-49D6-B7BD-49A156A8C610}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{72B38438-EF15-49D6-B7BD-49A156A8C610}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O21 - SSODL: didymiums - {e6adaaf0-79b2-4cf1-a660-50a0b33991a1} - C:\WINNT\system32\vblhanf.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS (fsbwsys) - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe



#2 Susan528


Posted 20 February 2007 - 07:24 AM

Hello vdsteg and Welcome to TomCoyote,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{72B38438-EF15-49D6-B7BD-49A156A8C610}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A54B269-01D2-46FD-8D67-977D24836643}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\..\{72B38438-EF15-49D6-B7BD-49A156A8C610}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O17 - HKLM\System\CS2\Services\Tcpip\..\{72B38438-EF15-49D6-B7BD-49A156A8C610}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O21 - SSODL: didymiums - {e6adaaf0-79b2-4cf1-a660-50a0b33991a1} - C:\WINNT\system32\vblhanf.dll

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINNT\system32\vblhanf.dll <= file
Exit Explorer, and reboot as normal afterwards.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

Now let's check some settings on your system.
(2000/XP only)
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(That space between g and / is needed.)

Edited by Susan528, 20 February 2007 - 07:25 AM.


Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
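
The before/after check this reply asks for (fix the listed entries, then post a fresh log) can be scripted. The following is an added example, not part of the original thread or of HijackThis itself; the function names are hypothetical, and the two sample logs are abridged from the logs posted in this topic.

```python
import re
from collections import namedtuple

# One HijackThis result line, e.g. section "O17" plus the rest of the line.
Entry = namedtuple("Entry", "section text")

# Result lines start with a section code (R0, O2, O17, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

# Sample input: abridged from the first log in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{72B38438-EF15-49D6-B7BD-49A156A8C610}: NameServer = 85.255.114.82,85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.82 85.255.112.168
O21 - SSODL: didymiums - {e6adaaf0-79b2-4cf1-a660-50a0b33991a1} - C:\WINNT\system32\vblhanf.dll
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
"""

# Sample input: abridged from the fresh log posted after the fix.
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
"""


def parse_entries(log_text):
    """Return the result lines of a log, skipping header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def static_nameservers(entries):
    """Map each O17 registry location to the DNS servers hard-coded there."""
    found = {}
    for e in entries:
        if e.section != "O17":
            continue
        m = NAMESERVER_RE.search(e.text)
        if m:
            location = e.text.split(": NameServer", 1)[0]
            # The log uses both comma- and space-separated server lists.
            found[location] = [s for s in re.split(r"[,\s]+", m.group(1)) if s]
    return found


def missing_file_entries(entries):
    """Entries whose target file HijackThis could not find on disk."""
    return [e for e in entries if e.text.endswith("(file missing)")]


def compare_scans(before_text, after_text):
    """Summarise what changed between the original and the fresh log."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    after_set = set(after)
    return {
        "removed": [e for e in before if e not in after_set],
        "still_static_dns": static_nameservers(after),
        "still_missing_file": missing_file_entries(after),
    }


if __name__ == "__main__":
    report = compare_scans(BEFORE, AFTER)
    for e in report["removed"]:
        print("removed:", e.section, "-", e.text)
    for loc, servers in report["still_static_dns"].items():
        print("static DNS still set:", loc, servers)
    for e in report["still_missing_file"]:
        print("file still missing:", e.section, "-", e.text)
```

An empty `still_static_dns` in the fresh log means no adapter or Tcpip\Parameters key still carries a hard-coded NameServer value, which is the state the "Obtain DNS servers automatically" step is meant to produce.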

#3 vdsteg


Posted 21 February 2007 - 12:12 AM

Fresh HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:07:44 AM, on 2/21/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINNT\system32\UAService7.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d87d5a9618004dd9b57299f88dab6edd
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d87d5a9618004dd9b57299f88dab6edd
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS (fsbwsys) - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe


Fixware logfile:


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdfnl.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINNT\Temp\kdfnl.ren 63452 06/19/03



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"F-Secure Manager"="\"C:\\Program Files\\Charter High-Speed Security Suite\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\Charter High-Speed Security Suite\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"F-Secure Startup Wizard"="\"C:\\Program Files\\Charter High-Speed Security Suite\\FSGUI\\FSSW.EXE\" /reboot"
"News Service"="\"C:\\Program Files\\Charter High-Speed Security Suite\\FSGUI\\ispnews.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"SpywareBot"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Let me know if you need anything else.

THANKS!

#4 Susan528


Posted 21 February 2007 - 06:56 AM

Let's just check a few more things before I give you the final instructions.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

======
GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.
  • Download GMER and extract it to the C:\program files\GMER folder.
  • Please rename the GMER file
    Note: You can rename gmer.exe to anything you like as long as you keep the .exe ending.
    Run the Gmer.exe renamed program by double-clicking the executable file (gmer.exe) in Windows Explorer.
    You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "yes" to begin the scan.
  • If you are not prompted, Click the "Rootkit" tab, then click "Scan".
DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc.!

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and save it for your next reply.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

* Turn off the real-time scanner of any existing antivirus program while performing the online scan.
Next, click on Launch Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information from Kaspersky in your next post.

Please post (reply) with the results from the GMER scan, the Kaspersky scan, and a fresh HijackThis log.

#5 vdsteg


Posted 01 March 2007 - 10:34 PM

Sorry it took me a while to get back to this. I do appreciate the assistance.

GMER log

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-28 23:49:39
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT \WINNT\System32\drivers\fsndis5.sys ZwCreateProcess
SSDT \WINNT\System32\drivers\fsndis5.sys ZwCreateSection
SSDT \WINNT\System32\drivers\fsndis5.sys ZwCreateThread
SSDT \WINNT\System32\drivers\fsndis5.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

PAGE ntoskrnl.exe!IoCreateDevice 8049D59A 5 Bytes JMP F3C30FD0 \WINNT\System32\drivers\fsndis5.sys
PAGENDSI NDIS.SYS!NdisOpenAdapter BFEABEB6 5 Bytes JMP F3C30EB4 \WINNT\System32\drivers\fsndis5.sys
PAGENDSI NDIS.SYS!NdisRegisterProtocol BFEAC410 5 Bytes JMP F3C30C49 \WINNT\System32\drivers\fsndis5.sys
PAGENDSI NDIS.SYS!NdisDeregisterProtocol BFEB3DF8 5 Bytes JMP F3C30CB0 \WINNT\System32\drivers\fsndis5.sys
PAGENDSI NDIS.SYS!NdisCloseAdapter BFEB3E69 5 Bytes JMP F3C30EE4 \WINNT\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisReturnPackets BFEB497D 5 Bytes JMP F3C3513A \WINNT\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisSend BFEB69BD 5 Bytes JMP F3C353FE \WINNT\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisSendPackets BFEB69D4 5 Bytes JMP F3C354D0 \WINNT\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisTransferData BFEB69E7 5 Bytes JMP F3C3525C \WINNT\System32\drivers\fsndis5.sys
PAGENDSP NDIS.SYS!NdisRequest BFEB6A2E 5 Bytes JMP F3C33578 \WINNT\System32\drivers\fsndis5.sys
.text NTDLL.DLL!NtClose 77F828C8 5 Bytes JMP 7203407A
.text NTDLL.DLL!NtCreateSection 77F85EB0 5 Bytes JMP 72034098
.text NTDLL.DLL!NtCreateProcess 77F92362 5 Bytes JMP 72034205

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe[1916] KERNEL32.dll!WriteFile 7C586350 5 Bytes JMP 646A05B2 C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\mssrch.dll
.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe[3128] KERNEL32.dll!SetErrorMode 7C5852C3 4 Bytes [ C2, 04, 00, 90 ]
.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe[3128] USER32.dll!MessageBoxA 77E36544 1 Byte [ CC ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [BFECD9E8] fsdfw.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [BFECD9E8] fsdfw.sys

---- EOF - GMER 1.0.12 ----

Kaspersky Scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 01, 2007 10:34:47 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/03/2007
Kaspersky Anti-Virus database records: 259793
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44309
Number of viruses found: 3
Number of infected objects: 8 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:43:06

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\ispnews\ispn.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\ispnews\ispnc.items Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\ispnews\ispnr.items Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\dvds-access1002-1.exe/stream/Script Infected: Trojan.Win32.DNSChanger.ih skipped
C:\Documents and Settings\Administrator\Desktop\dvds-access1002-1.exe/stream Infected: Trojan.Win32.DNSChanger.ih skipped
C:\Documents and Settings\Administrator\Desktop\dvds-access1002-1.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\Desktop\dvds-access1002.exe/stream/Script Infected: Trojan.Win32.DNSChanger.ih skipped
C:\Documents and Settings\Administrator\Desktop\dvds-access1002.exe/stream Infected: Trojan.Win32.DNSChanger.ih skipped
C:\Documents and Settings\Administrator\Desktop\dvds-access1002.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.348.Crwl Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.348.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\00010008.ci Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\CiST0000.000 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\DocId.Map Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h3 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B.Dir Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.idx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Idm.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Ntfy34.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSS.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSStmp.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\RSApp.edb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\tmp.edb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Logs\MAPI.txt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007030120070302\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\V5D9EFLE\deliver46860[1].htm Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VXI2CQ47\asecuritynotice[1] Infected: not-virus:Hoax.JS.Agent.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\dbupdate.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Qrt.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\cache.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\fsbwupst.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\L0000087.FCS Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\admin.pub Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\policy.bpf Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\policy.ipf Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Spam Control\log\fs_sa_log.txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\rnapxs\rnapxs.dat Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{B99D5B0C-28E9-490A-AF51-BCF8D9EB43BF}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_77c.dat Object is locked skipped
C:\WINNT\Temp\kdfnl.ren Infected: Trojan.Win32.DNSChanger.ih skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6 Susan528

Posted 02 March 2007 - 08:30 AM

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please set your system to show all files; please see here if you're unsure how to do this.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\Documents and Settings\Administrator\Desktop\dvds-access1002-1.exe <=file
C:\Documents and Settings\Administrator\Desktop\dvds-access1002.exe <=file
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VXI2CQ47\asecuritynotice[1] <=file
C:\WINNT\Temp\kdfnl.ren <=file
Exit Explorer, and reboot as normal afterwards.

Run Kaspersky again and please post (reply) with the results and a fresh HijackThis log. Let's make sure we got them.

#7 vdsteg

Posted 04 March 2007 - 07:28 AM

I didn't find any of the four files listed in the last response (dvds-access1002, asecuritynotice, or kdfnl.ren).

Results of Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 04, 2007 7:26:49 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/03/2007
Kaspersky Anti-Virus database records: 260136
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 29687
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:25:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\ispnews\ispn.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\ispnews\ispnc.items Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\ispnews\ispnr.items Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.349.Crwl Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.349.gthr Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\00010008.ci Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\CiPT0000.000 Object is locked skipped

Scan process completed.


Results of HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:34 AM, on 3/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\WINNT\system32\UAService7.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsrw.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\WINNT\system32\mobsync.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\CHARTE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SE...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d87d5a9618004dd9b57299f88dab6edd
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d87d5a9618004dd9b57299f88dab6edd
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS (fsbwsys) - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINNT\system32\UAService7.exe

Thanks.

#8 Susan528

Posted 04 March 2007 - 11:18 AM

Good work vdsteg :) Your HijackThis log is clean and Kaspersky log is clean. Here are the final recommendations.

STEP 1.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

STEP 2.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • More info on how to prevent malware you can also find here (By Tony Klein)
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#9 Susan528

Posted 07 March 2007 - 10:56 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php