WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Zlob downloader, smitfraud & AntiSpyWare2007 probl

Started by sgl9vp , Dec 19 2007 03:08 PM

This topic is locked

14 replies to this topic

#1 sgl9vp

New Member

New Member
8 posts

Posted 19 December 2007 - 03:08 PM

Hi,

I managed to end up the following on my computer :

Zlob downloader
AntiSpyWare2007
Clickbank
Smitfraud-C

along with the classic yellow warning bar telling me:

“Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware…”

Following the instructions on this forum I've run ATF Cleaner, Spybot and AVG Anti-Spyware (in that order).

Spybot found the problems I've listed above and remediated them (I think). I've pasted the AVG Scan Report and the HijackThis report below.

Can somebody please check if I have actually managed to remove these problems from my machine, or am I going to get them just creeping up again due to something buried in the registry?

Thank you in advance for your help.

V

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:34:08 19/12/2007

+ Scan result:

:mozilla.26:C:\Documents and Settings\V\Application Data\Mozilla\Firefox\Profiles\9dl5s9jr.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.

::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:22, on 19/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\RssReader\RssReader.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ombak.co.uk/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {4DD1180E-8EEE-4801-AB5D-05CC3DFE3AF0} - C:\WINDOWS\ttvbonkog.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: The leosrv - {A3B1F7ED-8EDA-410F-8CB9-F6AFD8301B7C} - C:\WINDOWS\leosrv.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB003" /M "Stylus C45"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153263780953
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O21 - SSODL: xcvwer - {CB1E65E7-DF9A-4211-9287-C8F4C44CA769} - C:\WINDOWS\xcvwer.dll
O21 - SSODL: hjoqor - {06DEEBD6-2A6C-471A-B49E-D70701B2174F} - C:\WINDOWS\hjoqor.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9140 bytes

Advertisements

Register to Remove

#2 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 19 December 2007 - 05:57 PM

Hi! Welcome to the WTT forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient.

Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

You too could train to help others- Join the Classroom

#3 sgl9vp

New Member

New Member
8 posts

Posted 20 December 2007 - 05:47 AM

Hi Scotty,

Thanks for taking a look at this for me.

Ok, I've done what you've asked for and have pasted the reports below. Also, it's worth mentioning that I think whatever I had on my computer is not entirely gone as I ended up with a pop up window earlier claiming to offer a free scan of my system as it was probably running slowly. Of course I didn't click on it. However, I didn't think at the time to note down exactly what it said. Apologies.....

Uninstall Report:

Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
AltoMP3 Gold 5.12
Athlon 64 Processor Driver
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
CamStudio
Conexant AC-Link Audio
Customer Experience Enhancement
CutePDF Form Filler 3.2 (Evaluation)
CutePDF Writer 2.6
EPSON Printer Software
Exact Audio Copy 0.95b4
HijackThis 2.0.2
Hotfix for Windows XP (KB896256)
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP QuickPlay 2.0
HP Software Update
HP User Guides 0025
HP User Guides--System Recovery
HP Wireless Assistant 2.00 C1
Intel® Integrated Performance Primitives RTI 4.0
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 3
K-Lite Codec Pack 2.73 Full
Last.fm 1.4.1.57486
McAfee VirusScan Enterprise
Media Video Codec v1.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Office Standard Edition 2003
Microsoft Works
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero Suite
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
NOMAD Explorer
OpticFilm 7200
PADI Divemaster Lesson Guides
PADI Instructor Manual 2007
PC Connectivity Solution
PowerDVD
Presto! ImageFolio 4
Presto! Mr. Photo 3
Presto! PageManager 6.07
Project64 1.6
QCA KS 3 Science
Quick Launch Buttons 5.20 G1
QuickTime
RealPlayer
RssReader
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SilverFast SE CD Documentation 6.4.0
SilverFast UScan-SE
Skype 2.5
Smart Start UP
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Spybot - Search & Destroy 1.4
Spyware Doctor 5.1
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Winamp (remove only)
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (11/03/2006 6.82.0.1)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
ZoneAlarm
ZoneAlarm Spy Blocker

SmitfraudFix Report

SmitFraudFix v2.274

Scan done at 11:38:23.18, 20/12/2007
Run from C:\Documents and Settings\V\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\binret.exe FOUND !
C:\WINDOWS\ttvbon???.dll FOUND !
C:\WINDOWS\xcvwer.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\V

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\V\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\V\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1607F96B-D732-48AC-AB3C-43E2180C1B92}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1607F96B-D732-48AC-AB3C-43E2180C1B92}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1607F96B-D732-48AC-AB3C-43E2180C1B92}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#4 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 20 December 2007 - 05:56 AM

Hi

Run Smitfraudfix
Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please Download and Save Combofix from Bleeping Computer. Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware
Geeks to Go

Save it to your Desktop.
Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Note 2:Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task-Manager use the Processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply post:
rapport.txt
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

#5 sgl9vp

New Member

New Member
8 posts

Posted 20 December 2007 - 06:15 AM

Sorry, just to check. You want me to run the SmitfraudFix in Normal mode not Safe mode? Cheers V

#6 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 20 December 2007 - 06:36 AM

Yes, Normal Mode. :thumbup:

You too could train to help others- Join the Classroom

#7 sgl9vp

New Member

New Member
8 posts

Posted 20 December 2007 - 06:56 AM

ok, Done all as requested.

Here's the logs.

V

SmitFraudFix v2.274

Scan done at 12:21:02.70, 20/12/2007
Run from C:\Documents and Settings\V\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\binret.exe Deleted
C:\WINDOWS\ttvbon???.dll Deleted
C:\WINDOWS\xcvwer.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{CB1E65E7-DF9A-4211-9287-C8F4C44CA769}]

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS2\Services\Tcpip\..\{1607F96B-D732-48AC-AB3C-43E2180C1B92}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

ComboFix 07-12-20.1 - V 2007-12-20 12:36:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT 0:00]
Running from: C:\Documents and Settings\V\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.

2007-12-20 12:21 . 2007-12-20 12:21 81 --a------ C:\WINDOWS\clean.reg
2007-12-20 11:38 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-20 11:38 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-20 11:38 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-20 11:38 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-20 11:38 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-20 11:38 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-20 11:38 . 2007-12-20 12:21 4,584 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-19 20:55 . 2007-12-19 20:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-19 16:48 . 2007-12-19 16:48 <DIR> d-------- C:\Documents and Settings\V\Application Data\Grisoft
2007-12-19 16:48 . 2007-12-19 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-19 16:48 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-19 16:05 . 2007-12-19 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-19 15:21 . 2007-12-19 16:54 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-19 15:21 . 2007-12-19 15:21 <DIR> d-------- C:\Documents and Settings\V\Application Data\PC Tools
2007-12-19 15:21 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-19 15:21 . 2007-12-19 15:24 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-19 15:21 . 2007-12-19 15:24 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-19 15:21 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-19 15:21 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-19 14:41 . 2007-12-19 16:46 <DIR> d-------- C:\Documents and Settings\V\Application Data\AntiSpyware
2007-12-19 12:07 . 2007-12-19 12:07 <DIR> d-------- C:\Program Files\MediaVideoCodec
2007-12-18 16:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-16 13:58 . 2007-12-19 12:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-16 13:58 . 2007-12-16 13:58 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-15 13:53 . 2007-12-15 13:53 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2007-12-01 10:58 . 2007-12-01 11:03 24 --a------ C:\WINDOWS\system32\sysogg.dll
2007-12-01 10:54 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2007-12-01 10:54 . 2002-06-13 13:50 376,832 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-01 10:54 . 2002-09-06 11:36 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-12-01 10:54 . 2002-07-09 22:42 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2007-11-30 16:01 . 2007-11-30 16:01 <DIR> d-------- C:\Documents and Settings\V\Application Data\Ahead
2007-11-30 14:49 . 2007-12-18 22:30 155 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-30 14:39 . 2007-11-30 14:39 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-30 14:36 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-11-30 14:36 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-11-30 14:36 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-11-30 14:36 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-11-30 14:36 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-11-30 14:36 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-11-30 14:36 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-11-30 14:35 . 2007-11-30 14:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-30 14:35 . 2007-11-30 14:36 <DIR> d-------- C:\Program Files\Ahead
2007-11-26 17:48 . 2007-12-19 16:48 <DIR> d-------- C:\QUARANTINE
2007-11-26 17:46 . 2007-11-26 21:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-26 13:01 . 2007-11-26 13:03 <DIR> d-------- C:\Program Files\ExamPro
2007-11-26 13:01 . 1996-11-26 01:00 345,088 --a------ C:\WINDOWS\system\ATX40H.DLL
2007-11-26 13:01 . 1996-12-16 16:56 91,136 --a------ C:\WINDOWS\system\ATXPIC.DLL
2007-11-26 13:01 . 1995-08-24 08:02 81,920 --a------ C:\WINDOWS\system\BIVBX11.DLL
2007-11-26 13:01 . 1996-10-18 11:22 34,816 --a------ C:\WINDOWS\system\ATXOLE.DLL
2007-11-26 13:01 . 2007-11-26 13:01 185 --a------ C:\WINDOWS\exampro.ini
2007-11-26 12:03 . 2007-11-26 12:03 <DIR> d-------- C:\Documents and Settings\V\Application Data\Nokia Multimedia Player
2007-11-22 12:58 . 2007-11-22 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-11-22 12:57 . 2007-11-22 12:57 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-22 12:57 . 2007-11-22 12:58 <DIR> d-------- C:\Documents and Settings\V\Application Data\Nokia
2007-11-22 12:56 . 2007-11-22 12:56 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-11-22 12:56 . 2007-11-22 12:57 <DIR> d-------- C:\Program Files\DIFX
2007-11-22 12:56 . 2007-11-22 12:57 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-22 12:56 . 2007-11-22 12:58 <DIR> d-------- C:\Documents and Settings\V\Application Data\PC Suite
2007-11-22 12:54 . 2007-11-22 12:56 <DIR> d-------- C:\Program Files\Nokia
2007-11-22 12:51 . 2007-11-22 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 12:40 808,992 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-20 12:39 11,576 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-18 16:19 --------- d-----w C:\Program Files\Java
2007-12-16 11:39 --------- d-----w C:\Program Files\Last.fm
2007-12-06 15:21 --------- d---a-w C:\Program Files\paint shop pro 5
2007-12-06 11:15 4,269,740 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-02 19:00 --------- d-----w C:\Documents and Settings\V\Application Data\Skype
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-13 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 22:22 --------- d-----w C:\Program Files\EPSON
2007-11-09 22:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-28 12:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-25 17:06 --------- d-----w C:\Program Files\RssReader
2007-10-24 16:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-24 13:26 --------- d-----w C:\Documents and Settings\V\Application Data\AdobeUM
2005-09-23 23:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-07-13 16:16 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DD1180E-8EEE-4801-AB5D-05CC3DFE3AF0}]
C:\WINDOWS\ttvbonkog.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-15 13:53 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
{A3B1F7ED-8EDA-410F-8CB9-F6AFD8301B7C}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CLASSES_ROOT\clsid\{a3b1f7ed-8eda-410f-8cb9-f6afd8301b7c}]
[HKEY_CLASSES_ROOT\leosrv.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{23D94DCF-33DF-4A3A-9E2E-CA0E03DF6D03}]
[HKEY_CLASSES_ROOT\leosrv.ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-15 13:53 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"RssReader"="C:\Program Files\RssReader\RssReader.exe" [2004-04-04 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 20:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 20:50]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 10:39]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 07:57]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 13:26]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 09:23]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 15:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-20 11:58]
"Smart Start UP"="C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe" [2003-01-21 14:25]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"EPSON Stylus C45 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.exe" []
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-29 00:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 05:39]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:00 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\V\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-11-13 14:44:15]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2007-06-28 09:59:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 09:06]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 19:34]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-02-17 19:34]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-02-17 19:34]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-02-17 19:34]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-02-17 19:34]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys [2006-07-17 01:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a091f3e-7e7a-11db-a3f1-0014a5a857fd}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bce4aa20-824c-11dc-a5af-0014a5a857fd}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc524684-57aa-11db-a39d-0014a5a857fd}]
\Shell\AutoRun\command - F:\rose.ico

.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 14:42:03 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 12:41:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [1768] 0x8253C020

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????e????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-20 12:47:03 - machine was rebooted
.
2007-12-15 12:30:21 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:30, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\RssReader\RssReader.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {4DD1180E-8EEE-4801-AB5D-05CC3DFE3AF0} - C:\WINDOWS\ttvbonkog.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: The leosrv - {A3B1F7ED-8EDA-410F-8CB9-F6AFD8301B7C} - C:\WINDOWS\leosrv.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB003" /M "Stylus C45"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153263780953
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8580 bytes

#8 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 20 December 2007 - 02:01 PM

Hi

Download Flash_Disinfector from here and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: The leosrv - {A3B1F7ED-8EDA-410F-8CB9-F6AFD8301B7C} - C:\WINDOWS\leosrv.dll (file missing)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

Remember to disconnect from the Internet and disable your anti-virus before carrying out the next instruction, and to reenable the anti-virus before reconnecting to the Internet

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

File::
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\WS2Fix.exe 
C:\WINDOWS\ttvbonkog.dll

Folder::
C:\Documents and Settings\V\Desktop\SmitfraudFix

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DD1180E-8EEE-4801-AB5D-05CC3DFE3AF0}]
[-HKEY_CLASSES_ROOT\clsid\{a3b1f7ed-8eda-410f-8cb9-f6afd8301b7c}]
[-HKEY_CLASSES_ROOT\leosrv.ToolBar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{23D94DCF-33DF-4A3A-9E2E-CA0E03DF6D03}]
[-HKEY_CLASSES_ROOT\leosrv.ToolBar]

DirLook::
C:\Program Files\MediaVideoCodec

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task-Manager use the Processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run

You too could train to help others- Join the Classroom

#9 sgl9vp

New Member

New Member
8 posts

Posted 20 December 2007 - 03:21 PM

Blimey, and there was me thinking that this was going to be a quick fix!!!

Don't worry, I truly appreciate the help you're providing and I'm getting to learn loads on the way!

Ok, I've copied the ComboFix log and the noew HJT log below. Here's hoping it's all gone!!!

ComboFix 07-12-20.1 - V 2007-12-20 21:04:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.135 [GMT 0:00]
Running from: C:\Documents and Settings\V\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\V\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\ttvbonkog.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.

2007-12-20 12:21 . 2007-12-20 12:21 81 --a------ C:\WINDOWS\clean.reg
2007-12-20 11:38 . 2007-12-20 12:21 4,584 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-19 20:55 . 2007-12-19 20:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-19 16:48 . 2007-12-19 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-19 16:05 . 2007-12-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-19 15:21 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-19 14:41 . 2007-12-19 16:46 <DIR> d-------- C:\Documents and Settings\V\Application Data\AntiSpyware
2007-12-19 12:07 . 2007-12-20 14:23 <DIR> d-------- C:\Program Files\MediaVideoCodec
2007-12-18 16:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-16 13:58 . 2007-12-19 12:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-16 13:58 . 2007-12-16 13:58 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-15 13:53 . 2007-12-15 13:53 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2007-12-01 10:58 . 2007-12-01 11:03 24 --a------ C:\WINDOWS\system32\sysogg.dll
2007-12-01 10:54 . 2002-11-13 11:14 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2007-12-01 10:54 . 2002-06-13 13:50 376,832 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-01 10:54 . 2002-09-06 11:36 233,472 --a------ C:\WINDOWS\system32\lame_enc.dll
2007-12-01 10:54 . 2002-07-09 22:42 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2007-11-30 16:01 . 2007-11-30 16:01 <DIR> d-------- C:\Documents and Settings\V\Application Data\Ahead
2007-11-30 14:49 . 2007-12-18 22:30 155 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-30 14:39 . 2007-11-30 14:39 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-30 14:36 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-11-30 14:36 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-11-30 14:36 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-11-30 14:36 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-11-30 14:36 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-11-30 14:36 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-11-30 14:36 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-11-30 14:35 . 2007-11-30 14:35 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-30 14:35 . 2007-11-30 14:36 <DIR> d-------- C:\Program Files\Ahead
2007-11-26 17:48 . 2007-12-19 16:48 <DIR> d-------- C:\QUARANTINE
2007-11-26 17:46 . 2007-11-26 21:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-26 13:01 . 2007-11-26 13:03 <DIR> d-------- C:\Program Files\ExamPro
2007-11-26 13:01 . 1996-11-26 01:00 345,088 --a------ C:\WINDOWS\system\ATX40H.DLL
2007-11-26 13:01 . 1996-12-16 16:56 91,136 --a------ C:\WINDOWS\system\ATXPIC.DLL
2007-11-26 13:01 . 1995-08-24 08:02 81,920 --a------ C:\WINDOWS\system\BIVBX11.DLL
2007-11-26 13:01 . 1996-10-18 11:22 34,816 --a------ C:\WINDOWS\system\ATXOLE.DLL
2007-11-26 13:01 . 2007-11-26 13:01 185 --a------ C:\WINDOWS\exampro.ini
2007-11-26 12:03 . 2007-11-26 12:03 <DIR> d-------- C:\Documents and Settings\V\Application Data\Nokia Multimedia Player
2007-11-22 12:58 . 2007-11-22 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Suite
2007-11-22 12:57 . 2007-11-22 12:57 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-11-22 12:57 . 2007-11-22 12:58 <DIR> d-------- C:\Documents and Settings\V\Application Data\Nokia
2007-11-22 12:56 . 2007-11-22 12:56 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-11-22 12:56 . 2007-11-22 12:57 <DIR> d-------- C:\Program Files\DIFX
2007-11-22 12:56 . 2007-11-22 12:57 <DIR> d-------- C:\Program Files\Common Files\Nokia
2007-11-22 12:56 . 2007-11-22 12:58 <DIR> d-------- C:\Documents and Settings\V\Application Data\PC Suite
2007-11-22 12:54 . 2007-11-22 12:56 <DIR> d-------- C:\Program Files\Nokia
2007-11-22 12:51 . 2007-11-22 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-20 21:06 995,360 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-20 20:45 13,520 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-20 14:19 --------- d-----w C:\Program Files\AltoMP3 Gold
2007-12-18 16:19 --------- d-----w C:\Program Files\Java
2007-12-16 11:39 --------- d-----w C:\Program Files\Last.fm
2007-12-06 15:21 --------- d---a-w C:\Program Files\paint shop pro 5
2007-12-06 11:15 4,269,740 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-02 19:00 --------- d-----w C:\Documents and Settings\V\Application Data\Skype
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-11-13 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-09 22:22 --------- d-----w C:\Program Files\EPSON
2007-11-09 22:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-28 12:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-25 17:06 --------- d-----w C:\Program Files\RssReader
2007-10-24 16:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-24 13:26 --------- d-----w C:\Documents and Settings\V\Application Data\AdobeUM
2005-09-23 23:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-07-13 16:16 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\MediaVideoCodec ----

((((((((((((((((((((((((((((( snapshot@2007-12-20_12.44.57.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-07-17 06:58:22 64,088 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2007-12-20 17:37:13 66,936 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
- 2006-07-17 06:58:21 223,800 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2007-12-20 17:36:57 226,656 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2003-07-14 21:57:34 38,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
+ 2003-07-14 21:53:06 94,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\AW.DLL
+ 2003-07-14 21:56:54 14,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSITF.DLL
+ 2003-07-14 21:57:14 98,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\DSSM.EXE
+ 2003-07-14 21:41:44 13,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FINDER.EXE
+ 2003-07-14 21:40:12 179,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL
+ 2003-07-14 21:40:12 165,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL
+ 2003-06-18 16:31:10 252,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
+ 2003-07-14 21:51:44 87,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
+ 2003-07-14 21:52:52 17,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
+ 2003-07-14 21:57:16 120,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
+ 2003-07-14 21:52:52 27,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
+ 2003-07-14 21:52:56 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
+ 2003-07-11 01:15:48 1,292,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL
+ 2003-07-15 02:18:52 376,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL
+ 2003-07-14 21:52:54 28,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
+ 2003-07-14 21:52:52 35,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL
+ 2003-07-14 21:53:20 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOSVFBR.DLL
+ 2003-07-14 21:46:16 42,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
+ 2003-07-14 21:45:12 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
+ 2003-07-14 21:45:12 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
+ 2003-06-18 16:31:50 16,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
+ 2003-06-19 15:05:50 364,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
+ 2003-07-14 21:52:58 41,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
+ 2003-07-14 22:00:54 145,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
+ 2003-07-14 21:57:10 56,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NAME.DLL
+ 2003-07-14 21:56:52 13,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
+ 2006-07-17 06:58:21 223,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL
+ 2003-07-15 02:14:26 242,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL
+ 2003-07-14 22:05:24 1,054,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OMFC.DLL
+ 2003-07-14 21:44:34 102,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLCTL.DLL
+ 2003-07-14 21:43:16 49,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\OUTLWAB.DLL
+ 2003-07-15 02:18:44 93,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL
+ 2003-05-08 20:54:00 77,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-07-14 21:57:08 40,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL
+ 2003-07-21 10:46:38 390,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\RTFHTML.DLL
+ 2003-07-14 21:44:16 66,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SENDTO.DLL
+ 2003-07-14 21:57:08 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
+ 2003-07-14 21:53:14 11,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE
+ 2006-07-17 06:58:22 64,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL
+ 2005-05-04 07:06:27 465,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\MSDMENG.DLL
+ 2005-05-04 07:06:30 1,411,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\MSDMINE.DLL
+ 2005-05-04 07:06:24 199,408 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\MSMDUN80.DLL
- 2007-12-15 12:29:35 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2007-12-20 17:39:14 12,288 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-15 12:29:35 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-20 17:39:14 135,168 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-15 12:29:35 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-20 17:39:15 11,264 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-15 12:29:35 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-20 17:39:15 27,136 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-15 12:29:35 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-20 17:39:15 4,096 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-15 12:29:36 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-20 17:39:15 794,624 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-15 12:29:35 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-20 17:39:14 249,856 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-15 12:29:36 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-20 17:39:15 23,040 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-15 12:29:35 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-20 17:39:13 286,720 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2007-12-15 12:29:34 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-12-20 17:39:13 409,600 ----a-r C:\WINDOWS\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-03-17 21:39:56 1,146,320 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-06-06 10:53:34 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2003-07-14 21:57:04 32,584 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
+ 2007-03-22 19:17:04 35,440 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
- 2007-11-19 09:37:25 250,288 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-20 20:49:19 250,288 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2007-03-15 10:19:28 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-10-11 14:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2004-03-22 22:17:05 24,816 ----a-w C:\WINDOWS\system32\mdimon.dll
+ 2007-04-09 13:23:54 28,040 ----a-w C:\WINDOWS\system32\mdimon.dll
- 2006-12-10 06:10:02 14,640 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-08 14:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2004-03-22 22:17:02 765,680 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2007-04-09 13:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
- 2004-03-22 22:17:08 42,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2007-04-09 13:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
- 2004-03-22 22:17:02 765,680 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
+ 2007-04-09 13:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
- 2004-03-22 22:17:08 42,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
+ 2007-04-09 13:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
- 2004-03-22 22:17:06 25,840 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
+ 2007-04-09 13:23:54 28,552 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-15 13:53 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-15 13:53 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"RssReader"="C:\Program Files\RssReader\RssReader.exe" [2004-04-04 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 20:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 20:50]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2005-12-12 10:39]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 07:57]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-08-01 13:26]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 09:23]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 15:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-20 11:58]
"Smart Start UP"="C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe" [2003-01-21 14:25]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"EPSON Stylus C45 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.exe" []
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-29 00:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 05:39]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:00]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:00 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\V\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-11-13 14:44:15]

R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-08-22 09:06]
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 19:34]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2006-02-17 19:34]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2006-02-17 19:34]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2006-02-17 19:34]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2006-02-17 19:34]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys [2006-07-17 01:53]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a091f3e-7e7a-11db-a3f1-0014a5a857fd}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bce4aa20-824c-11dc-a5af-0014a5a857fd}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc524684-57aa-11db-a39d-0014a5a857fd}]
\Shell\AutoRun\command - F:\rose.ico

.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 14:42:03 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware.ex
- C:\Program Files\AntiSpywareApp
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 21:07:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????s????|?p???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-20 21:08:11
C:\ComboFix2.txt ... 2007-12-20 12:47
.
2007-12-15 12:30:21 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 21:20:30, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: CutePDF Form Filler - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB003" /M "Stylus C45"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1153263780953
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#10 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 20 December 2007 - 06:31 PM

Hi

Nearly there.

Navigate to, and delete the following folder.
C:\Program Files\MediaVideoCodec

If you did not create this folder, and it is empty like I believe delete it also. If it contains files, leave it and let me know in your next reply, so I can take a closer look.
C:\Documents and Settings\V\Application Data\AntiSpyware

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  
  + Extended(If available otherwise Standard)
- Scan Options:
  
  + Scan Archives
  + Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete.

You too could train to help others- Join the Classroom

#11 sgl9vp

New Member

New Member
8 posts

Posted 21 December 2007 - 03:02 AM

Ok deleted C:\Program Files\MediaVideoCodec Checked the folder C:\Documents and Settings\V\Application Data\AntiSpyware and it is not empty. It contains two folder called 'Quarantine' and 'Registry Backups'. Both of these are empty. The only other folder is a DAT file with the filename rs, file size 8.98kb (9,202 bytes) - size on diks 12.0 kb (12,288 bytes). In properties and summary there is is nothing in the title, Subject, category, Keywords, Comments, Source, Author and Revision Number. I'm running the Kapersky scan at the moment and will update you but I thought I'd get going on this one meanwhile. Cheers V

#12 sgl9vp

New Member

New Member
8 posts

Posted 21 December 2007 - 06:16 AM

...........and here's the Kapersky Log.......... ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, December 21, 2007 12:10:54 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 21/12/2007 Kaspersky Anti-Virus database records: 490968 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 67171 Number of viruses found: 8 Number of infected objects: 15 Number of suspicious objects: 0 Duration of the scan process: 02:10:19 Infected Object Name / Virus Name / Last Action C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_ZEBBEDY.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_ZEBBEDY.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\V\Cookies\index.dat Object is locked skipped C:\Documents and Settings\V\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped C:\Documents and Settings\V\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\V\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\V\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\V\Local Settings\Temp\BIT42F.tmp Object is locked skipped C:\Documents and Settings\V\Local Settings\Temp\NAILogs\UpdaterUI_ZEBBEDY.log Object is locked skipped C:\Documents and Settings\V\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\V\NTUSER.DAT Object is locked skipped C:\Documents and Settings\V\ntuser.dat.LOG Object is locked skipped C:\Program Files\Online Services\BTYahoo\HPPre05.msi/Data1.cab/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.g skipped C:\Program Files\Online Services\BTYahoo\HPPre05.msi/Data1.cab Infected: not-a-virus:Dialer.Win32.BT.g skipped C:\Program Files\Online Services\BTYahoo\HPPre05.msi Embedded: infected - 2 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0056303.exe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.fha skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0056303.exe/stream Infected: Trojan-Downloader.Win32.Zlob.fha skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0056303.exe NSIS: infected - 2 skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0056333.exe/file1 Infected: not-a-virus:FraudTool.Win32.AntiSpyware.a skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0056333.exe/file3 Infected: not-a-virus:FraudTool.Win32.AntiSpyware.a skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0056333.exe Inno: infected - 2 skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP185\A0056341.dll Infected: not-a-virus:AdWare.Win32.Vapsup.sy skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP186\A0056451.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP186\A0056462.exe Infected: not-a-virus:AdWare.Win32.Vapsup.sv skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP186\A0056463.dll Infected: not-a-virus:AdWare.Win32.Vapsup.sx skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP186\A0056464.dll Infected: not-a-virus:AdWare.Win32.Vapsup.sw skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\A0057034.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP191\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped C:\WINDOWS\Internet Logs\ZEBBEDY.ldb Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{33A2AE7D-6EDB-496B-AE43-16E967AFD791}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\TEMP\ZLT02abd.TMP Object is locked skipped C:\WINDOWS\TEMP\ZLT03568.TMP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped Scan process completed.

#13 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 21 December 2007 - 07:58 AM

Hello

You may wish to keep hold of the Kaspersky Online Scan as an extra on-demand virus-scanner.
If not you can uninstall it through Start>Control Panel>Add/Remove Programs

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
When shown the disclaimer, Select "2"

Open Add/Remove Programs in Control Panel and remove this J2SE Runtime Environment 5.0 Update 6

Congratulations, you appear to be malware free.

Here are some free programs I recommend, although you will not need them all.

Spybot Search and Destroy
Download it from here . Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

You too could train to help others- Join the Classroom

#14 sgl9vp

New Member

New Member
8 posts

Posted 21 December 2007 - 09:12 AM

Brilliant. Thank you so much for you help. It is truly appreciated. V

#15 Scotty

Always Happy

Authentic Member
3,634 posts

Posted 21 December 2007 - 09:40 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

You too could train to help others- Join the Classroom

Body Background

skin color theme