
[Resolved] Gah! Horrible Spyware


14 replies to this topic

#1 katXed

  • New Member
  • 7 posts

Posted 25 December 2007 - 08:51 PM

I had a bunch of spyware (AV System Care) but I've gotten rid of most of it thanks to AVG Anti-spyware & SUPERspyware blaster...when I had all that Norton (360) wasn't detecting any of it. But now Norton is the one that is telling me I have this W32.Trats!inf and it says I have to manually uninstall it and tries to get rid of it, but when Norton has me reboot it's always still there.

Here is my Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:38 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Documents and Settings\Katie\My Documents\RocketDock\RocketDock .exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Katie\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094235272626
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
_____________________________________________________________________________________________

Start Up Log:
StartupList report, 12/25/2007, 9:42:03 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16574)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Katie\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

!AVG Anti-Spyware = "C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe" /minimized
Openwares LiveUpdate = C:\Program Files\LiveUpdate\LiveUpdate.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
RocketDock = "C:\Documents and Settings\Katie\My Documents\RocketDock\RocketDock .exe"
Rainlendar2 = C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe" -quiet

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\plusmcry.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.micr...heckControl.cab

[UnoCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll
CODEBASE = http://messenger.zon...1/GAME_UNO1.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://v5.windowsupd...b?1094235272626

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab56907.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: @C:\WINDOWS\system32\@c:\windows\system32\ctfmon.exe.tmp


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

MEUf0R8xPM = rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

--------------------------------------------------

End of report, 5,934 bytes
Report generated in 0.063 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

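The logs above contain a few patterns that a helper scans for by eye: executables whose name has a space before the extension (`ctfmon .exe` sitting beside a `ctfmon.exe` that was only created days ago), a `rundll32.exe` entry under `policies\Explorer\Run` loading a DLL with a random-looking name, a `PendingFileRenameOperations` entry staging a `.exe.tmp` over a system binary at reboot, and a Winlogon `Notify` DLL. The script below is an added example, not part of the thread or of HijackThis/ComboFix; it encodes those heuristics as simple regular-expression triage over log text. The sample lines are constructed to resemble the posted logs, and the thresholds in `looks_random` (vowel ratio, inner capitals) are assumptions chosen for illustration.

```python
"""Triage heuristics for HijackThis / StartupList / ComboFix style logs.

Added example: flags the patterns visible in the posted logs so a helper
can spot them without reading every line.  Heuristics, not verdicts.
"""
import re
from typing import List, Tuple

# Constructed sample lines modelled on the logs in the thread (not copied verbatim).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\wuauclt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr .Exe" /background
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
MEUf0R8xPM = rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
PendingFileRenameOperations: @C:\WINDOWS\system32\@c:\windows\system32\ctfmon.exe.tmp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhab32]
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

# 1. Whitespace directly before the extension ("ctfmon .exe"): the legitimate
#    binary was renamed aside so a look-alike can occupy the original name.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.(exe|dll|scr|com)\b", re.IGNORECASE)

# 2. rundll32 loading a DLL by path and export name.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.IGNORECASE)

# 3. A file rename staged for the next boot that targets an executable.
PENDING_RENAME = re.compile(r"PendingFileRenameOperations:.*\.(exe|dll)\.tmp", re.IGNORECASE)

# 4. Winlogon Notify packages load into winlogon.exe at logon.
WINLOGON_NOTIFY = re.compile(r"winlogon\\notify\\(\w+)", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Assumed heuristic: few vowels or many inner capitals suggests a
    generated name (e.g. 'ndaTqsVqrX') rather than a product name."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    inner_caps = sum(c.isupper() for c in letters[1:])
    return vowels / len(letters) < 0.2 or inner_caps >= 3


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every line that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space-before-extension", line))
        m = RUNDLL.search(line)
        if m:
            dll_base = m.group(1).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(dll_base):
                findings.append(("rundll32-random-dll", line))
        if PENDING_RENAME.search(line):
            findings.append(("pending-rename-of-executable", line))
        if WINLOGON_NOTIFY.search(line):
            findings.append(("winlogon-notify-dll", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:30} {line}")
```

Each hit is a prompt to look closer (creation date, size, signer, whether the unspaced twin exists), not proof of infection; the space-before-extension rule in particular fires on the renamed originals as well as on the impostor, which is exactly the pair a cleanup tool needs to reconcile.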

#2 silver

  • Malware Expert Emeritus
  • Authentic Member
  • 2,994 posts

Posted 30 December 2007 - 02:43 AM

Hi katXed,

Temporarily disable AVG Antispyware:
Open AVG Antispyware and make sure the Status screen is selected
Next to Resident Shield press Change state so that the status reads inactive
Close AVG Antispyware

Then download ComboFix to your desktop
  • Double click combofix.exe and follow the prompts
  • Note: Do not click ComboFix's window while it's running - it may cause it to stall!
  • If after ComboFix finishes you do not have internet access, then reboot your computer to restore it
  • When finished, it shall produce a log for you; please post it in your next response

Next, navigate to the HijackThis folder with Windows Explorer:
C:\Program Files\Hijackthis
Right-click the HijackThis program file HijackThis and rename it to scan
If you have a shortcut to HijackThis on your Desktop it will no longer work, so please delete it and make a new one by right-clicking scan.exe and choosing Send To->Desktop (create shortcut)

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your Desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the ComboFix report, the uninstall list and a new HijackThis log.

Edited by silver, 30 December 2007 - 02:45 AM.

ASAP & UNITE Member

#3 katXed

  • New Member
  • 7 posts

Posted 31 December 2007 - 02:41 PM

Thank you so much...

Combo Fix Log:
________________________________________________
ComboFix 07-12-31.4 - Katie 2007-12-31 15:12:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.85 [GMT -5:00]
Running from: C:\Documents and Settings\Katie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\PerfInfo
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\ppqvmpqr\1.png
C:\WINDOWS\ppqvmpqr\2.png
C:\WINDOWS\ppqvmpqr\3.png
C:\WINDOWS\ppqvmpqr\4.png
C:\WINDOWS\ppqvmpqr\5.png
C:\WINDOWS\ppqvmpqr\6.png
C:\WINDOWS\ppqvmpqr\bottom-rc.gif
C:\WINDOWS\ppqvmpqr\content.png
C:\WINDOWS\ppqvmpqr\download.gif
C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
C:\WINDOWS\ppqvmpqr\head.png
C:\WINDOWS\ppqvmpqr\indexuc.html
C:\WINDOWS\ppqvmpqr\indexud.html
C:\WINDOWS\ppqvmpqr\main.css
C:\WINDOWS\ppqvmpqr\net.png
C:\WINDOWS\ppqvmpqr\pc-mag.gif
C:\WINDOWS\ppqvmpqr\pc.gif
C:\WINDOWS\ppqvmpqr\poloska1.png
C:\WINDOWS\ppqvmpqr\poloska2.png
C:\WINDOWS\ppqvmpqr\poloska3.png
C:\WINDOWS\ppqvmpqr\promouc1.html
C:\WINDOWS\ppqvmpqr\promouc2.html
C:\WINDOWS\ppqvmpqr\promouc3.html
C:\WINDOWS\ppqvmpqr\promouc4.html
C:\WINDOWS\ppqvmpqr\promouc5.html
C:\WINDOWS\ppqvmpqr\promoud1.html
C:\WINDOWS\ppqvmpqr\promoud2.html
C:\WINDOWS\ppqvmpqr\promoud3.html
C:\WINDOWS\ppqvmpqr\promoud4.html
C:\WINDOWS\ppqvmpqr\promoud5.html
C:\WINDOWS\ppqvmpqr\reg.png
C:\WINDOWS\ppqvmpqr\repair.png
C:\WINDOWS\ppqvmpqr\scr-1.png
C:\WINDOWS\ppqvmpqr\scr-2.png
C:\WINDOWS\ppqvmpqr\styles.css
C:\WINDOWS\ppqvmpqr\top-rc.gif
C:\WINDOWS\ppqvmpqr\vline.gif
C:\WINDOWS\system32\aawxqwyq.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\hcqgvfjq.dll
C:\WINDOWS\system32\jkjyield.dll
C:\WINDOWS\system32\pskill.exe
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\vtstt.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-28 15:32 . 2007-12-29 12:20 1,031,319 --ahs---- C:\WINDOWS\system32\suweaakh.ini
2007-12-27 21:03 . 2007-12-28 14:26 1,031,199 --ahs---- C:\WINDOWS\system32\kvqcbbdj.ini
2007-12-26 22:48 . 2007-12-26 23:18 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 22:48 . 2007-12-26 23:18 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 22:48 . 2007-12-26 23:18 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-26 22:48 . 2007-12-26 23:18 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-26 14:25 . 2007-12-26 14:25 <DIR> d-------- C:\Documents and Settings\Caroline\Application Data\Grisoft
2007-12-26 13:40 . 2007-12-26 13:39 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-26 13:38 . 2007-12-26 13:57 <DIR> d-------- C:\Documents and Settings\Katie\.housecall6.6
2007-12-25 20:47 . 2007-12-25 20:47 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\ArcSoft
2007-12-25 20:19 . 2007-12-25 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-25 20:18 . 2007-12-25 20:18 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-25 18:44 . 2007-12-25 18:44 <DIR> d-------- C:\WINDOWS\system32\Adobe
2007-12-25 16:14 . 2007-12-25 16:14 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2007-12-25 16:00 . 2007-12-25 16:00 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\SupportSoft
2007-12-25 13:02 . 2007-12-25 20:43 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-25 12:25 . 2007-12-25 13:13 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Nikon
2007-12-25 12:25 . 2006-10-25 14:14 5,709,824 -ra------ C:\WINDOWS\system32\NkNEFPlugin.dll
2007-12-25 12:25 . 2003-03-19 13:28 2,179,072 --a------ C:\WINDOWS\system32\mfc71d.dll
2007-12-25 12:25 . 2002-01-06 06:48 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-12-25 12:25 . 2003-03-19 12:04 765,952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2007-12-25 12:25 . 2003-03-19 12:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-12-25 12:25 . 2002-01-05 20:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-12-25 12:22 . 2007-12-25 12:22 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-12-25 12:22 . 2005-12-05 13:21 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2007-12-25 12:22 . 2006-08-10 15:35 180,224 -ra------ C:\WINDOWS\system32\Strato4.dll
2007-12-25 12:22 . 2005-12-05 16:13 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2007-12-25 12:22 . 2005-12-05 16:13 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2007-12-25 12:22 . 2005-12-05 17:24 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2007-12-25 12:22 . 2005-12-05 17:24 76,800 -ra------ C:\WINDOWS\system32\RedEye.dll
2007-12-25 12:22 . 2005-12-05 16:13 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2007-12-25 12:21 . 2007-12-25 12:21 <DIR> d-------- C:\Program Files\Nikon
2007-12-25 12:21 . 2007-12-25 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
2007-12-25 12:21 . 2007-12-25 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
2007-12-25 12:21 . 2007-12-25 20:45 0 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2007-12-25 12:16 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-12-25 12:12 . 2007-12-25 13:13 <DIR> d-------- C:\Program Files\Common Files\Nikon
2007-12-25 11:31 . 2007-12-25 12:44 <DIR> d-------- C:\Documents and Settings\Katie\.rainlendar2
2007-12-25 10:25 . 2007-12-25 14:56 <DIR> d-------- C:\Program Files\LIVEUPDATE
2007-12-25 09:12 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-25 09:12 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-25 09:12 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-25 01:46 . 2007-12-25 02:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-25 01:44 . 2007-12-27 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-24 23:09 . 2007-12-24 23:09 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Grisoft
2007-12-24 23:09 . 2007-12-24 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-24 18:11 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-24 14:52 . 2007-12-24 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 13:27 . 2007-12-24 13:27 <DIR> d-------- C:\Documents and Settings\Lawrence\Application Data\Thunderbird
2007-12-24 13:27 . 2007-12-24 13:27 <DIR> d-------- C:\Documents and Settings\Lawrence\Application Data\Talkback
2007-12-24 12:58 . 2007-12-27 12:41 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 10:29 . 2007-12-24 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IconTweaker
2007-12-24 09:59 . 2007-12-24 10:19 <DIR> d-------- C:\Documents and Settings\Lawrence\Shared
2007-12-24 09:59 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\Lawrence\Incomplete
2007-12-24 09:58 . 2007-12-24 12:59 <DIR> d-------- C:\Documents and Settings\Lawrence\Application Data\LimeWire
2007-12-24 09:00 . 2007-12-24 09:16 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-12-22 23:46 . 2007-12-22 23:46 <DIR> d-------- C:\Program Files\MSBuild
2007-12-22 23:38 . 2007-12-22 23:38 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-22 23:36 . 2007-12-22 23:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-22 23:34 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-21 19:22 . 2007-12-21 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-21 17:42 . 2007-12-21 17:43 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Thunderbird
2007-12-21 17:20 . 2007-12-21 17:20 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-12-21 17:12 . 2007-12-25 00:25 <DIR> d-------- C:\Documents and Settings\Katie\Tracing
2007-12-21 17:09 . 2007-12-21 20:56 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-21 17:06 . 2007-12-27 00:52 <DIR> d-------- C:\Program Files\Windows Live
2007-12-21 15:34 . 2007-12-21 15:35 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\ViStart
2007-12-21 15:28 . 2007-12-21 15:28 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Styler
2007-12-21 15:25 . 2007-12-24 12:57 <DIR> d-------- C:\WINDOWS\system32\VITrans
2007-12-21 15:25 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-12-21 15:25 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-12-21 15:25 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2007-12-16 17:00 . 2007-12-16 17:11 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\gtk-2.0
2007-12-10 23:34 . 2007-12-10 23:34 <DIR> d-------- C:\WINDOWS\system32\ICO
2007-12-10 20:59 . 2007-12-10 21:09 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\ZipZag
2007-12-09 14:40 . 2007-12-09 15:47 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Audacity
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-20 16:27 . 2007-12-09 01:21 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\NCH Swift Sound
2007-11-20 16:23 . 2007-12-09 01:24 <DIR> d-------- C:\Program Files\NCH Swift Sound
2007-11-20 16:23 . 2007-11-20 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-20 15:59 . 2007-11-20 15:59 249,856 --------- C:\WINDOWS\Setup1.exe
2007-11-20 15:57 . 2007-11-20 15:57 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-19 22:10 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-19 22:10 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-19 22:10 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-19 22:10 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-19 22:10 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-19 22:10 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-19 22:10 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-19 22:10 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 20:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 21:13 --------- d-----w C:\Documents and Settings\Katie\Application Data\U3
2007-12-28 02:01 --------- d-----w C:\Program Files\Norton 360
2007-12-27 18:59 --------- d-----w C:\Documents and Settings\Katie\Application Data\LimeWire
2007-12-27 05:36 --------- d-----w C:\Program Files\Yahoo!
2007-12-27 04:18 --------- d-----w C:\Program Files\Symantec
2007-12-26 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-26 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 01:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-25 19:27 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-24 14:58 --------- d-----w C:\Program Files\LimeWire
2007-12-24 14:08 --------- d-----w C:\Program Files\images
2007-12-23 02:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-23 02:30 --------- d-----w C:\Program Files\Java
2007-12-11 02:47 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-09 06:37 --------- d-----w C:\Program Files\userdata
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 00:34 --------- d-----w C:\Documents and Settings\Katie\Application Data\AdobeUM
2007-10-31 20:29 --------- d-----w C:\Documents and Settings\Caroline\Application Data\U3
2007-09-03 08:26 12,640,736 -c--a-w C:\Program Files\aim_beta_6_5_3_12.exe
2007-08-16 17:36 17,908 ----a-w C:\Program Files\irunin.ini
2007-08-16 17:35 8,134 -c--a-w C:\Program Files\irunin.bmp
2007-08-16 17:35 15,938 -c--a-w C:\Program Files\irunin.lng
2007-08-16 17:35 149,841 -c--a-w C:\Program Files\irunin.dat
2003-12-17 21:26 14,775,618 -c--a-w C:\Program Files\Zuma Deluxe.exe
2003-12-14 20:34 57 -c--a-w C:\Program Files\status.js
2003-12-14 20:32 27,587 -c--a-w C:\Program Files\theUninstallFile.txt
2003-12-14 20:32 1,290,240 ----a-w C:\Program Files\Zuma.exe
2003-12-14 20:31 95 -c--a-w C:\Program Files\mainimage_top.gif
2003-12-14 20:31 91 -c--a-w C:\Program Files\mainimage_bottom.gif
2003-12-14 20:31 902 -c--a-w C:\Program Files\contentbox.gif
2003-12-14 20:31 828 -c--a-w C:\Program Files\button_center.gif
2003-12-14 20:31 741 -c--a-w C:\Program Files\mainimage_left.gif
2003-12-14 20:31 6,561 -c--a-w C:\Program Files\racnotinstalled.htm
2003-12-14 20:31 53 -c--a-w C:\Program Files\empty.gif
2003-12-14 20:31 49 -c--a-w C:\Program Files\spacer.gif
2003-12-14 20:31 38,543 -c--a-w C:\Program Files\gameart.jpg
2003-12-14 20:31 333 -c--a-w C:\Program Files\wrapper.ini
2003-12-14 20:31 314 -c--a-w C:\Program Files\butt_next_over.gif
2003-12-14 20:31 310 -c--a-w C:\Program Files\butt_back_over.gif
2003-12-14 20:31 287 -c--a-w C:\Program Files\launch.ini
2003-12-14 20:31 285 -c--a-w C:\Program Files\osd212.osd
2003-12-14 20:31 279 -c--a-w C:\Program Files\meter_bottom.gif
2003-12-14 20:31 27,957 -c--a-w C:\Program Files\readme.html
2003-12-14 20:31 263 -c--a-w C:\Program Files\meter_top.gif
2003-12-14 20:31 224 -c--a-w C:\Program Files\feedback.htm
2003-12-14 20:31 218 -c--a-w C:\Program Files\butt_next.gif
2003-12-14 20:31 213 -c--a-w C:\Program Files\butt_back.gif
2003-12-14 20:31 210 -c--a-w C:\Program Files\setup.ini
2003-12-14 20:31 208 -c--a-w C:\Program Files\button_right.gif
2003-12-14 20:31 192 -c--a-w C:\Program Files\meter_right.gif
2003-12-14 20:31 191 -c--a-w C:\Program Files\meter_left.gif
2003-12-14 20:31 187 -c--a-w C:\Program Files\button_left.gif
2003-12-14 20:31 150 -c--a-w C:\Program Files\horzline.gif
2003-12-14 20:31 149 -c--a-w C:\Program Files\meter_upperleft.gif
2003-12-14 20:31 149 -c--a-w C:\Program Files\meter_lowerright.gif
2003-12-14 20:31 147 -c--a-w C:\Program Files\meter_upperright.gif
2003-12-14 20:31 146 -c--a-w C:\Program Files\meter_lowerleft.gif
2003-12-14 20:31 14,190 -c--a-w C:\Program Files\pregame.htm
2003-12-14 20:31 124 -c--a-w C:\Program Files\butt_left.gif
2003-12-14 20:31 123 -c--a-w C:\Program Files\butt_right.gif
2003-12-14 20:31 115 -c--a-w C:\Program Files\mainimage_right.gif
2003-12-14 20:31 102,196 ----a-w C:\Program Files\bass.dll
2003-12-14 20:31 101 -c--a-w C:\Program Files\fill.gif
2003-12-14 20:31 1,285 -c--a-w C:\Program Files\contentbox_bottom.gif
2003-12-14 20:31 1,241 -c--a-w C:\Program Files\contentbox_top.gif
2003-11-21 20:11 49 -c-ha-w C:\Program Files\Config.dat
.
----a-w		 4,670,968 2007-12-25 14:15:59  C:\Documents and Settings\Katie\Desktop\YahooMessenger .exe
----a-w		 6,731,312 2007-12-26 18:10:39  C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas .exe
----a-w		   313,472 2007-12-25 14:16:03  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w			36,040 2007-12-25 14:16:11  C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w		   115,816 2007-12-26 04:26:51  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			36,975 2007-12-25 04:14:07  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		   473,928 2007-12-25 14:15:09  C:\Program Files\Microsoft AntiSpyware\gcasServ .exe
----a-w		   131,072 2007-12-25 14:15:06  C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray .exe
----a-w		 3,739,672 2007-12-25 04:14:42  C:\Program Files\Windows Live\Messenger\MsnMsgr  .Exe
----a-w		   204,288 2007-12-25 14:16:21  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w			15,360 2007-12-27 17:41:37  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-27 21:02 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"Rainlendar2"="C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]

C:\Documents and Settings\Lawrence\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 09:19:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"MEUf0R8xPM"= rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhab32]
winhab32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ


*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 15:29:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 15:32:15 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 20:32:11
.
2007-12-26 02:11:28 --- E O F ---
_____________________________________________________________________________
Hijack Uninstall List:

Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop 6.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Adobe SVG Viewer
AppCore
AV
AVG Anti-Spyware 7.5
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
ccCommon
GearDrvs
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IconTweaker
J2SE Runtime Environment 5.0 Update 6
LimeWire 4.14.10
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft AntiSpyware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Norton 360
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NVIDIA Drivers
NvMixer
Rainlendar2 (remove only)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
SPBBC 32bit
SuppSoft
Symantec Technical Support Controls
Symantec Technical Support Web Controls
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Zuma Deluxe! 1.0
_____________________________________________________________
New Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:37:30 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Scan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Katie\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094235272626
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhab32 - winhab32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 silver
    Malware Expert Emeritus
  • Authentic Member
  • 2,994 posts

Posted 31 December 2007 - 09:20 PM

Hi katXed,

Check that ComboFix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad:
    File::
    C:\WINDOWS\system32\suweaakh.ini
    C:\WINDOWS\system32\kvqcbbdj.ini
    C:\WINDOWS\system32\ndaTqsVqrX.dll
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhab32]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "MEUf0R8xPM"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Save this to your Desktop as CFScript.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!

Then please do an online scan with Kaspersky:

Open Kaspersky Online Scanner in Internet Explorer

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Once complete, please post the new ComboFix report, the Kaspersky log and a new HijackThis log.
ASAP & UNITE Member
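The CFScript above does two things worth understanding rather than just pasting: it drops an autostart that loads a DLL through rundll32 from policies\explorer\run, removes a Winlogon Notify package, and rewrites LSA "Authentication Packages" as a REG_MULTI_SZ (`hex(7):` notation) containing only msv1_0. The following is an added example, not part of silver's post or of ComboFix: it decodes and re-encodes hex(7) values, checks the LSA list, and runs a small triage over a "Reg Loading Points" dump. `SAMPLE_DUMP` is constructed from the entries quoted earlier in this thread plus one benign Run entry; the rule that only msv1_0 is expected is an assumption for a stand-alone Windows XP machine (domain-joined boxes or third-party authentication software can legitimately add packages), and the watched key list is a triage heuristic, not a list of known-bad locations.

```python
"""Decode/validate REG_MULTI_SZ ("hex(7)") values as used in .reg and ComboFix
CFScript files, and triage autostart entries from a ComboFix-style "Reg Loading
Points" dump. Added example; SAMPLE_DUMP is constructed from the entries quoted
in this thread plus one benign Run entry."""
from __future__ import annotations
import re


def decode_hex7(value: str) -> list[str]:
    """Turn 'hex(7):6d,73,76,31,5f,30,00,00' into ['msv1_0'].

    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra NUL.
    regedit exports the bytes as UTF-16LE; the CFScript in the post above uses
    one byte per character, so both are accepted (heuristic: even byte count
    with every odd-position byte zero is treated as UTF-16LE)."""
    m = re.match(r"hex\(7\):(.*)", value.strip(), re.I | re.S)
    if not m:
        raise ValueError("not a hex(7) value: %r" % value)
    # regedit wraps long values with a trailing backslash; strip those first.
    octets = [o.strip() for o in m.group(1).replace("\\", "").split(",") if o.strip()]
    raw = bytes(int(o, 16) for o in octets)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\0") if s]


def encode_hex7(strings: list[str], wide: bool = False) -> str:
    """Inverse of decode_hex7; wide=True writes UTF-16LE the way regedit does."""
    text = "\0".join(strings) + "\0\0"
    raw = text.encode("utf-16-le" if wide else "latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def unexpected_auth_packages(value: str) -> list[str]:
    """LSASS loads every DLL named in LSA\\Authentication Packages at boot.
    Assumption: on a stand-alone XP box only msv1_0 is expected, which is
    exactly what the CFScript above writes back. Anything else is returned."""
    return [p for p in decode_hex7(value) if p.lower() != "msv1_0"]


# Autostart locations that ordinary software rarely uses but that run at logon
# without appearing in msconfig's Startup tab (triage heuristic, assumption).
WATCHED_KEYS = (
    r"policies\explorer\run",
    r"windows nt\currentversion\winlogon\notify",
)
# rundll32.exe "<path>.dll",<Export>  -- a DLL started as if it were a program.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,', re.I)


def triage_loading_points(dump: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    key = ""
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()      # current registry key
            continue
        if not line:
            continue
        reasons = []
        if any(w in key for w in WATCHED_KEYS):
            reasons.append("entry under " + key)
        if RUNDLL32_RE.search(line):
            reasons.append("DLL launched through rundll32")
        if reasons:
            findings.append(("; ".join(reasons), line))
    return findings


SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-27 21:02 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"MEUf0R8xPM"= rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhab32]
winhab32.dll
'''

if __name__ == "__main__":
    for reason, line in triage_loading_points(SAMPLE_DUMP):
        print(f"{reason}\n    {line}")
    print("unexpected LSA packages:",
          unexpected_auth_packages("hex(7):6d,73,76,31,5f,30,00,00"))
```

Running the script flags the two entries the CFScript removes (the rundll32 loader under policies\explorer\run and the winhab32 Winlogon Notify package) and reports no unexpected LSA package for the value the script writes. The decoder accepts both the single-byte form used in CFScripts and the UTF-16LE form regedit exports, so the same check can be pointed at a `.reg` export of the LSA key after the fix to confirm nothing else was re-added.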

#5 katXed
    New Member
  • 7 posts

Posted 01 January 2008 - 09:55 PM

Kaspersky Report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 01, 2008 10:49:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/01/2008
Kaspersky Anti-Virus database records: 501232
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 66027
Number of viruses found: 3
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 04:00:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8dac938deeb709e8e08e332c899b8504_a1d9a30d-98c2-4219-a849-ed80faea861b Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b53472796b692c5f760ba0d7ac0719c4_a1d9a30d-98c2-4219-a849-ed80faea861b Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\19BBCBD6.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\3B274747.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\899A7D47.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Katie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-714f173c.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Katie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-714f173c.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Katie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNSD.XML Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\History\History.IE5\MSHist012008010120080102\index.dat Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Temp\hsperfdata_Katie\3464 Object is locked skipped
C:\Documents and Settings\Katie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Katie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Katie\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Kelly\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lawrence\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Lawrence\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir/data0000.bin Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ctfmon.exe.tmp.vir EmbeddedEXE: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pskill.exe.vir Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
C:\QooBox\Quarantine\catchme2007-12-31_152831.54.zip/vtstt.dll Infected: Virus.Win32.Trats.d skipped
C:\QooBox\Quarantine\catchme2007-12-31_152831.54.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E1F8D929-4560-4AED-A497-A7FBC4774E6D}\RP2\A0000007.exe Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
C:\System Volume Information\_restore{E1F8D929-4560-4AED-A497-A7FBC4774E6D}\RP2\A0000011.dll Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{E1F8D929-4560-4AED-A497-A7FBC4774E6D}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\JETB0EC.tmp Object is locked skipped
C:\WINDOWS\TEMP\JETB87D.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

_______________________________________________________________
Combo Fix:
ComboFix 07-12-31.4 - Katie 2008-01-01 1:00:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT -5:00]
Running from: C:\Documents and Settings\Katie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Katie\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\kvqcbbdj.ini
C:\WINDOWS\system32\ndaTqsVqrX.dll
C:\WINDOWS\system32\suweaakh.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kvqcbbdj.ini
C:\WINDOWS\system32\suweaakh.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-01 to 2008-01-01 )))))))))))))))))))))))))))))))
.

2007-12-31 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-26 22:48 . 2007-12-26 23:18 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-26 22:48 . 2007-12-26 23:18 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-26 22:48 . 2007-12-26 23:18 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-26 22:48 . 2007-12-26 23:18 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-26 14:25 . 2007-12-26 14:25 <DIR> d-------- C:\Documents and Settings\Caroline\Application Data\Grisoft
2007-12-26 13:40 . 2007-12-26 13:39 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-26 13:38 . 2007-12-26 13:57 <DIR> d-------- C:\Documents and Settings\Katie\.housecall6.6
2007-12-25 20:47 . 2007-12-25 20:47 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\ArcSoft
2007-12-25 20:19 . 2007-12-25 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-25 20:18 . 2007-12-25 20:18 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-25 18:44 . 2007-12-25 18:44 <DIR> d-------- C:\WINDOWS\system32\Adobe
2007-12-25 16:14 . 2007-12-25 16:14 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
2007-12-25 16:00 . 2007-12-25 16:00 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\SupportSoft
2007-12-25 13:02 . 2007-12-25 20:43 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-25 12:25 . 2007-12-25 13:13 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Nikon
2007-12-25 12:25 . 2006-10-25 14:14 5,709,824 -ra------ C:\WINDOWS\system32\NkNEFPlugin.dll
2007-12-25 12:25 . 2003-03-19 13:28 2,179,072 --a------ C:\WINDOWS\system32\mfc71d.dll
2007-12-25 12:25 . 2002-01-06 06:48 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-12-25 12:25 . 2003-03-19 12:04 765,952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2007-12-25 12:25 . 2003-03-19 12:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-12-25 12:25 . 2002-01-05 20:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-12-25 12:22 . 2007-12-25 12:22 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-12-25 12:22 . 2005-12-05 13:21 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2007-12-25 12:22 . 2006-08-10 15:35 180,224 -ra------ C:\WINDOWS\system32\Strato4.dll
2007-12-25 12:22 . 2005-12-05 16:13 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2007-12-25 12:22 . 2005-12-05 16:13 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2007-12-25 12:22 . 2005-12-05 17:24 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2007-12-25 12:22 . 2005-12-05 17:24 76,800 -ra------ C:\WINDOWS\system32\RedEye.dll
2007-12-25 12:22 . 2005-12-05 16:13 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2007-12-25 12:21 . 2007-12-25 12:21 <DIR> d-------- C:\Program Files\Nikon
2007-12-25 12:21 . 2007-12-25 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
2007-12-25 12:21 . 2007-12-25 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
2007-12-25 12:21 . 2007-12-25 20:45 0 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2007-12-25 12:16 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-12-25 12:12 . 2007-12-25 13:13 <DIR> d-------- C:\Program Files\Common Files\Nikon
2007-12-25 11:31 . 2007-12-25 12:44 <DIR> d-------- C:\Documents and Settings\Katie\.rainlendar2
2007-12-25 10:25 . 2007-12-25 14:56 <DIR> d-------- C:\Program Files\LIVEUPDATE
2007-12-25 09:12 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-25 09:12 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-25 09:12 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-25 01:46 . 2007-12-25 02:15 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-25 01:44 . 2007-12-27 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-24 23:09 . 2007-12-24 23:09 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Grisoft
2007-12-24 23:09 . 2007-12-24 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-24 18:11 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-24 17:03 . 2007-12-24 17:03 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-24 14:52 . 2007-12-24 14:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 13:27 . 2007-12-24 13:27 <DIR> d-------- C:\Documents and Settings\Lawrence\Application Data\Thunderbird
2007-12-24 13:27 . 2007-12-24 13:27 <DIR> d-------- C:\Documents and Settings\Lawrence\Application Data\Talkback
2007-12-24 12:58 . 2007-12-27 12:41 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 10:29 . 2007-12-24 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\IconTweaker
2007-12-24 09:59 . 2007-12-24 10:19 <DIR> d-------- C:\Documents and Settings\Lawrence\Shared
2007-12-24 09:59 . 2007-12-24 10:06 <DIR> d-------- C:\Documents and Settings\Lawrence\Incomplete
2007-12-24 09:58 . 2007-12-24 12:59 <DIR> d-------- C:\Documents and Settings\Lawrence\Application Data\LimeWire
2007-12-24 09:00 . 2007-12-24 09:16 <DIR> d-------- C:\WINDOWS\system32\VIRepair
2007-12-22 23:46 . 2007-12-22 23:46 <DIR> d-------- C:\Program Files\MSBuild
2007-12-22 23:38 . 2007-12-22 23:38 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-22 23:36 . 2007-12-22 23:36 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-22 23:34 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-21 19:22 . 2007-12-21 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-21 17:42 . 2007-12-21 17:43 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Thunderbird
2007-12-21 17:20 . 2007-12-21 17:20 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-12-21 17:12 . 2007-12-25 00:25 <DIR> d-------- C:\Documents and Settings\Katie\Tracing
2007-12-21 17:09 . 2007-12-21 20:56 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-21 17:06 . 2007-12-27 00:52 <DIR> d-------- C:\Program Files\Windows Live
2007-12-21 15:34 . 2007-12-21 15:35 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\ViStart
2007-12-21 15:28 . 2007-12-21 15:28 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Styler
2007-12-21 15:25 . 2007-12-24 12:57 <DIR> d-------- C:\WINDOWS\system32\VITrans
2007-12-21 15:25 . 2006-12-03 17:15 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-12-21 15:25 . 2006-12-03 17:15 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-12-21 15:25 . 2006-12-03 17:14 8,636 --a------ C:\WINDOWS\system32\modifype.exe
2007-12-16 17:00 . 2007-12-16 17:11 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\gtk-2.0
2007-12-10 23:34 . 2007-12-10 23:34 <DIR> d-------- C:\WINDOWS\system32\ICO
2007-12-10 20:59 . 2007-12-10 21:09 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\ZipZag
2007-12-09 14:40 . 2007-12-09 15:47 <DIR> d-------- C:\Documents and Settings\Katie\Application Data\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 20:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-29 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 21:13 --------- d-----w C:\Documents and Settings\Katie\Application Data\U3
2007-12-28 02:02 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2007-12-28 02:01 --------- d-----w C:\Program Files\Norton 360
2007-12-27 18:59 --------- d-----w C:\Documents and Settings\Katie\Application Data\LimeWire
2007-12-27 05:36 --------- d-----w C:\Program Files\Yahoo!
2007-12-27 04:18 --------- d-----w C:\Program Files\Symantec
2007-12-26 02:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-26 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 01:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-25 19:27 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-12-24 14:58 --------- d-----w C:\Program Files\LimeWire
2007-12-24 14:08 --------- d-----w C:\Program Files\images
2007-12-23 04:38 --------- d-----w C:\Program Files\Common Files\Real
2007-12-23 02:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-23 02:30 --------- d-----w C:\Program Files\Java
2007-12-11 02:47 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-09 06:37 --------- d-----w C:\Program Files\userdata
2007-12-09 06:24 --------- d-----w C:\Program Files\NCH Swift Sound
2007-12-09 06:21 --------- d-----w C:\Documents and Settings\Katie\Application Data\NCH Swift Sound
2007-12-01 04:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-12-01 04:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-12-01 04:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-12-01 04:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-12-01 04:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-12-01 04:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-12-01 04:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-12-01 04:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-20 21:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-11-20 20:59 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-20 20:57 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-17 23:05 --------- d-----w C:\Documents and Settings\Katie\Application Data\HighAndes
2007-11-17 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\HighAndes
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 00:34 --------- d-----w C:\Documents and Settings\Katie\Application Data\AdobeUM
2007-11-04 02:22 --------- d-----w C:\Documents and Settings\Katie\Application Data\Talkback
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-09-03 08:26 12,640,736 -c--a-w C:\Program Files\aim_beta_6_5_3_12.exe
2007-08-16 17:36 17,908 ----a-w C:\Program Files\irunin.ini
2007-08-16 17:35 8,134 -c--a-w C:\Program Files\irunin.bmp
2007-08-16 17:35 15,938 -c--a-w C:\Program Files\irunin.lng
2007-08-16 17:35 149,841 -c--a-w C:\Program Files\irunin.dat
2003-12-17 21:26 14,775,618 -c--a-w C:\Program Files\Zuma Deluxe.exe
2003-12-14 20:34 57 -c--a-w C:\Program Files\status.js
2003-12-14 20:32 27,587 -c--a-w C:\Program Files\theUninstallFile.txt
2003-12-14 20:32 1,290,240 ----a-w C:\Program Files\Zuma.exe
2003-12-14 20:31 95 -c--a-w C:\Program Files\mainimage_top.gif
2003-12-14 20:31 91 -c--a-w C:\Program Files\mainimage_bottom.gif
2003-12-14 20:31 902 -c--a-w C:\Program Files\contentbox.gif
2003-12-14 20:31 828 -c--a-w C:\Program Files\button_center.gif
2003-12-14 20:31 741 -c--a-w C:\Program Files\mainimage_left.gif
2003-12-14 20:31 6,561 -c--a-w C:\Program Files\racnotinstalled.htm
2003-12-14 20:31 53 -c--a-w C:\Program Files\empty.gif
2003-12-14 20:31 49 -c--a-w C:\Program Files\spacer.gif
2003-12-14 20:31 38,543 -c--a-w C:\Program Files\gameart.jpg
2003-12-14 20:31 333 -c--a-w C:\Program Files\wrapper.ini
2003-12-14 20:31 314 -c--a-w C:\Program Files\butt_next_over.gif
2003-12-14 20:31 310 -c--a-w C:\Program Files\butt_back_over.gif
2003-12-14 20:31 287 -c--a-w C:\Program Files\launch.ini
2003-12-14 20:31 285 -c--a-w C:\Program Files\osd212.osd
2003-12-14 20:31 279 -c--a-w C:\Program Files\meter_bottom.gif
2003-12-14 20:31 27,957 -c--a-w C:\Program Files\readme.html
2003-12-14 20:31 263 -c--a-w C:\Program Files\meter_top.gif
2003-12-14 20:31 224 -c--a-w C:\Program Files\feedback.htm
2003-12-14 20:31 218 -c--a-w C:\Program Files\butt_next.gif
2003-12-14 20:31 213 -c--a-w C:\Program Files\butt_back.gif
2003-12-14 20:31 210 -c--a-w C:\Program Files\setup.ini
2003-12-14 20:31 208 -c--a-w C:\Program Files\button_right.gif
2003-12-14 20:31 192 -c--a-w C:\Program Files\meter_right.gif
2003-12-14 20:31 191 -c--a-w C:\Program Files\meter_left.gif
2003-12-14 20:31 187 -c--a-w C:\Program Files\button_left.gif
2003-12-14 20:31 150 -c--a-w C:\Program Files\horzline.gif
2003-12-14 20:31 149 -c--a-w C:\Program Files\meter_upperleft.gif
2003-12-14 20:31 149 -c--a-w C:\Program Files\meter_lowerright.gif
2003-12-14 20:31 147 -c--a-w C:\Program Files\meter_upperright.gif
2003-12-14 20:31 146 -c--a-w C:\Program Files\meter_lowerleft.gif
2003-12-14 20:31 14,190 -c--a-w C:\Program Files\pregame.htm
2003-12-14 20:31 124 -c--a-w C:\Program Files\butt_left.gif
2003-12-14 20:31 123 -c--a-w C:\Program Files\butt_right.gif
2003-12-14 20:31 115 -c--a-w C:\Program Files\mainimage_right.gif
2003-12-14 20:31 102,196 ----a-w C:\Program Files\bass.dll
2003-12-14 20:31 101 -c--a-w C:\Program Files\fill.gif
2003-12-14 20:31 1,285 -c--a-w C:\Program Files\contentbox_bottom.gif
2003-12-14 20:31 1,241 -c--a-w C:\Program Files\contentbox_top.gif
2003-11-21 20:11 49 -c-ha-w C:\Program Files\Config.dat
.
----a-w		 4,670,968 2007-12-25 14:15:59  C:\Documents and Settings\Katie\Desktop\YahooMessenger .exe
----a-w		 6,731,312 2007-12-26 18:10:39  C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas .exe
----a-w		   313,472 2007-12-25 14:16:03  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w			36,040 2007-12-25 14:16:11  C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
----a-w		   115,816 2007-12-26 04:26:51  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			36,975 2007-12-25 04:14:07  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		   473,928 2007-12-25 14:15:09  C:\Program Files\Microsoft AntiSpyware\gcasServ .exe
----a-w		   131,072 2007-12-25 14:15:06  C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray .exe
----a-w		 3,739,672 2007-12-25 04:14:42  C:\Program Files\Windows Live\Messenger\MsnMsgr  .Exe
----a-w		   204,288 2007-12-25 14:16:21  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w			15,360 2007-12-27 17:41:37  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-27 21:02 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [ ]
"Rainlendar2"="C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 00:59 115816]

C:\Documents and Settings\Lawrence\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 09:19:14]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ


*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-01 01:03:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-01 1:04:56
C:\qoobox\ComboFix-quarantined-files.txt 2008-01-01 06:04:46
C:\qoobox\ComboFix2.txt 2007-12-31 20:32:15
.
2007-12-26 02:11:28 --- E O F ---

___________________________________________________________________________
Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:26 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Hijackthis\Scan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Katie\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094235272626
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 02 January 2008 - 02:25 AM

Hi katXed,

Things are looking a lot better but we have a few more things to take care of.

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

Open Notepad: press Start->Run, type notepad into the box and press OK
Copy/paste the following quote box into Notepad. Before starting select Format from the top menu and make sure Word Wrap is NOT checked.
@echo off
rem For each "name .exe" companion listed by ComboFix: copy it back over "name.exe" where the
rem original is to be restored, or delete it where a clean "name.exe" is already in place.
copy /y "C:\Documents and Settings\Katie\Desktop\YahooMessenger .exe" "C:\Documents and Settings\Katie\Desktop\YahooMessenger.exe" >> "%userprofile%\desktop\output.txt"
del /q /f "C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas .exe" >> "%userprofile%\desktop\output.txt"
copy /y "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe" "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" >> "%userprofile%\desktop\output.txt"
copy /y "C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe" "C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20.exe" >> "%userprofile%\desktop\output.txt"
del /q /f "C:\Program Files\Common Files\Symantec Shared\ccApp .exe" >> "%userprofile%\desktop\output.txt"
copy /y "C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe" "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" >> "%userprofile%\desktop\output.txt"
copy /y "C:\Program Files\Microsoft AntiSpyware\gcasServ .exe" "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" >> "%userprofile%\desktop\output.txt"
copy /y "C:\Program Files\Windows Live\Messenger\MsnMsgr  .Exe" "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" >> "%userprofile%\desktop\output.txt"
copy /y "C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray .exe" "C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" >> "%userprofile%\desktop\output.txt"
copy /y "C:\Program Files\Windows Media Player\WMPNSCFG .exe" "C:\Program Files\Windows Media Player\WMPNSCFG.exe" >> "%userprofile%\desktop\output.txt"
del /q /f "C:\WINDOWS\system32\ctfmon .exe" >> "%userprofile%\desktop\output.txt"
del /q /f "C:\Documents and Settings\Katie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-714f173c.zip" >> "%userprofile%\desktop\output.txt"
rem Quote paths that contain spaces: an unquoted C:\Program Files\images is read by dir as two
rem separate paths ("C:\Program" and "Files\images") and lists neither.
dir /a /s "C:\WINDOWS\system32\ICO" >> "%userprofile%\desktop\output.txt"
dir /a /s "C:\Program Files\images" >> "%userprofile%\desktop\output.txt"
dir /a /s "C:\Program Files\userdata" >> "%userprofile%\desktop\output.txt"
rem Reset the LSA Authentication Packages list to "msv1_0" only. hex(7) is REG_MULTI_SZ;
rem the bytes 6d,73,76,31,5f,30 spell msv1_0 and the two 00 bytes terminate the list.
echo REGEDIT4 > temp.reg
echo.>> temp.reg
echo [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] >> temp.reg
echo "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00 >> temp.reg
echo.>> temp.reg
regedit /s temp.reg
rem Export the whole LSA key afterwards so the result can be checked in output.txt.
regedit /a temp.txt HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
type temp.txt >> "%userprofile%\desktop\output.txt"
del temp.txt
del temp.reg
Go to the File menu at the top of Notepad and choose Save As
Save it to your Desktop as "runme.bat" (you MUST include the quotes)
Locate runme.bat on your Desktop and double-click it. A black box should open and close after a short time, this is normal. Another text file should appear on your Desktop called output.txt, do not open it until the black box has closed. Post the contents of this file in your next response.

Once complete, please post the contents of output.txt and a new HijackThis log.

Edited by silver, 02 January 2008 - 02:37 AM.

ASAP & UNITE Member
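The batch file above handles a fixed list of "name .exe" companions (a space before the extension) taken from the ComboFix listing. As an added example that is not part of the original post or of any tool mentioned in it, the script below sweeps a whole directory tree for that pattern and pairs each companion with "name.exe" in the same folder, so the analyst can decide per pair whether to restore or delete, as silver did by hand. The directory tree it builds is constructed sample data, not the victim machine; the file sizes mirror the ctfmon.exe entry in the log and the "original missing" case is modelled on YahooMessenger .exe.

```python
"""Inventory "name .exe" companion files (a space before the extension).

Added example for this thread, not code from the original post or from any
of the tools it mentions. It sweeps a directory tree for executables whose
base name ends in whitespace before ".exe" and pairs each with "name.exe"
in the same folder. The tree it builds is constructed sample data.
"""
import os
import re
import tempfile

# Matches e.g. "ctfmon .exe" or "MsnMsgr  .Exe"; plain "ctfmon.exe" does not match.
COMPANION_RE = re.compile(r"^(?P<stem>\S.*?)\s+\.(?P<ext>exe)$", re.IGNORECASE)


def find_companions(root):
    """Return one record per "stem .exe" file found under root (sorted by path)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = COMPANION_RE.match(name)
            if not m:
                continue
            companion = os.path.join(dirpath, name)
            original = os.path.join(dirpath, m.group("stem") + "." + m.group("ext"))
            has_original = os.path.isfile(original)
            rec = {
                "name": name,
                "companion": companion,
                "original": original,
                "original_exists": has_original,
                "companion_size": os.path.getsize(companion),
                "original_size": os.path.getsize(original) if has_original else None,
            }
            # Equal sizes are a hint (not proof) that the two files are the same build;
            # hash or scan both before trusting either.
            rec["same_size"] = has_original and rec["original_size"] == rec["companion_size"]
            records.append(rec)
    return sorted(records, key=lambda r: r["companion"].lower())


def _write(path, size, fill):
    with open(path, "wb") as fh:
        fh.write(fill * size)


def build_sample_tree():
    """Create a constructed tree mimicking the layout in the log; returns its root."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    desktop = os.path.join(root, "Documents and Settings", "Katie", "Desktop")
    os.makedirs(sys32)
    os.makedirs(desktop)
    _write(os.path.join(sys32, "ctfmon.exe"), 15360, b"A")       # original present, same size
    _write(os.path.join(sys32, "ctfmon .exe"), 15360, b"A")
    _write(os.path.join(sys32, "notepad.exe"), 1024, b"C")       # ordinary file, must not be flagged
    _write(os.path.join(desktop, "YahooMessenger .exe"), 4096, b"B")  # original missing
    return root


if __name__ == "__main__":
    for rec in find_companions(build_sample_tree()):
        if not rec["original_exists"]:
            status = "original missing"
        elif rec["same_size"]:
            status = "same size as original"
        else:
            status = "size differs from original"
        print("%-25s %s" % (rec["name"], status))
```

Run it against the real volume by passing `C:\` (or the drive root) to `find_companions` instead of the sample tree; the size comparison only tells you which pairs deserve a closer look, not which copy is clean.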

#7 katXed

    New Member

  • New Member
  • 7 posts

Posted 03 January 2008 - 05:19 PM

Output Text:

1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Volume in drive C has no label.
Volume Serial Number is 68C2-518D

Directory of C:\WINDOWS\system32\ICO

12/10/2007 11:34 PM <DIR> .
12/10/2007 11:34 PM <DIR> ..
06/09/2006 12:14 AM 90,126 CD-DVD_Drive.ico
06/09/2006 12:09 AM 90,126 CD-DVD_Drive_Alt.ico
06/09/2006 12:15 AM 90,126 Clock.ico
06/09/2006 12:15 AM 90,126 Control-Panel.ico
06/09/2006 12:15 AM 90,126 Envelope.ico
06/09/2006 12:15 AM 90,126 Favorites.ico
06/09/2006 12:15 AM 90,126 Floppy_Drive.ico
06/09/2006 12:15 AM 90,126 Folder-close.ico
06/09/2006 12:10 AM 90,126 Folder-close_blue.ico
06/09/2006 12:09 AM 90,126 Folder.ico
06/09/2006 12:10 AM 90,126 Folder_blue.ico
06/09/2006 12:16 AM 90,126 Globe.ico
06/09/2006 12:16 AM 90,126 Hard_Drive.ico
06/09/2006 12:16 AM 90,126 Home.ico
06/09/2006 12:10 AM 90,126 Locker-blue.ico
06/09/2006 12:16 AM 90,126 Locker.ico
06/09/2006 12:08 AM 90,126 My-Computer.ico
06/09/2006 12:16 AM 90,126 My-Documents.ico
06/09/2006 12:17 AM 90,126 My-Music.ico
06/09/2006 12:17 AM 90,126 My-Network.ico
06/09/2006 12:19 AM 90,126 My-PC.ico
06/09/2006 12:19 AM 90,126 My-Pictures.ico
06/09/2006 12:19 AM 90,126 Printer.ico
06/09/2006 12:10 AM 90,126 Search.ico
06/09/2006 12:19 AM 90,126 Search_black.ico
12/10/2007 11:35 PM 37,376 Thumbs.db
06/09/2006 12:19 AM 90,126 Trashcan_empty.ico
06/09/2006 12:20 AM 90,126 Trashcan_full.ico
28 File(s) 2,470,778 bytes

Total Files Listed:
28 File(s) 2,470,778 bytes
2 Dir(s) 63,972,458,496 bytes free
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:000002c8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data]
"Pattern"=hex:be,39,09,e4,f8,ae,f7,a2,fc,88,a6,a6,fe,87,a5,98,33,34,37,65,33,\
30,38,62,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,5b,8e,7a,86

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG]
"GrafBlumGroup"=hex:1c,c7,98,4d,44,23,5f,34,3a

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD]
"Lookup"=hex:8d,fa,0f,fb,b5,08

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1]
"SkewMatrix"=hex:0e,db,c9,80,3e,16,db,df,7f,18,5d,e3,45,1d,5d,99

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache]
"Time"=hex:52,60,dd,fb,eb,94,c4,01

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,ce,2e,70,df,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,ce,2e,70,df,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,ce,2e,70,df,79,c4,01
"Type"=dword:00000031

_________________________________________________________________________________
Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:16:18 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\Scan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Katie\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094235272626
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Katie\My Documents\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
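The LSA export above lists the packages LSA loads at startup ("Authentication Packages", "Security Packages", "Notification Packages"), which is why cleanup tools dump that key: a DLL named in one of those REG_MULTI_SZ values is loaded by LSASS. The Python below is an added example, not code from the thread or from any tool used in it. It joins the backslash-continued lines of a REGEDIT4 export, decodes the hex(7) byte lists into strings (REGEDIT4 stores them as ANSI, NUL-separated and double-NUL-terminated), and reports any package name absent from an allowlist. The sample export is a cut-down copy of the one above, and the allowlist is an assumption used for illustration rather than an authoritative default; keep your own baseline.

```python
"""Audit the LSA package lists in a REGEDIT4 (.reg) export.

Added example; not code from the thread or from any tool used in it.
REGEDIT4 exports store strings as ANSI bytes, so hex(7) (REG_MULTI_SZ)
values are NUL-separated, double-NUL-terminated byte lists.
"""
import re

# Constructed sample, cut down from the LSA export in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
  63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"Notification Packages"=hex(7):00
"lmcompatibilitylevel"=dword:00000000
"fullprivilegeauditing"=hex:00
'''

LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"

# Assumed baseline for illustration only (not an authoritative default):
# the package names a stock Windows XP install is expected to list.
EXPECTED_PACKAGES = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
_HEX_RE = re.compile(r'^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$')


def _join_continuations(text):
    """Glue together lines that REGEDIT wrapped with a trailing backslash."""
    lines, pending = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        lines.append(line)
    if pending is not None:
        lines.append(pending)
    return lines


def _decode_value(rest):
    """Turn the right-hand side of a .reg value line into (type, value)."""
    if rest.startswith('"') and rest.endswith('"'):
        return "REG_SZ", rest[1:-1]
    if rest.startswith("dword:"):
        return "REG_DWORD", int(rest[len("dword:"):], 16)
    m = _HEX_RE.match(rest)
    if not m:
        return "UNKNOWN", rest
    reg_type = int(m.group("type"), 16) if m.group("type") else 3  # bare "hex:" is REG_BINARY
    data = bytes(int(h, 16) for h in m.group("data").split(",") if h.strip())
    if reg_type == 7:  # REG_MULTI_SZ: NUL-separated strings, an empty string ends the list
        return "REG_MULTI_SZ", [s.decode("latin-1") for s in data.split(b"\x00") if s]
    if reg_type == 2:  # REG_EXPAND_SZ: a single NUL-terminated string
        return "REG_EXPAND_SZ", data.split(b"\x00")[0].decode("latin-1")
    return ("REG_BINARY" if reg_type == 3 else f"REG_TYPE_{reg_type}"), data


def parse_reg_export(text):
    """Return {key path: {value name: (type, value)}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _decode_value(m.group("rest"))
    return keys


def audit_lsa_packages(keys):
    """Map each LSA package list to the names it holds that are not on the baseline."""
    lsa = keys.get(LSA_KEY, {})
    findings = {}
    for name, allowed in EXPECTED_PACKAGES.items():
        _, items = lsa.get(name, ("REG_MULTI_SZ", []))
        findings[name] = sorted({item.lower() for item in items} - allowed)
    return findings


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for name, unexpected in audit_lsa_packages(parsed).items():
        print(f"{name}: {parsed[LSA_KEY][name][1]} -> unexpected: {unexpected}")
```

The audit only reports additions, since an extra DLL is the persistence pattern of interest; a missing entry (the empty "Notification Packages" in the export above, for instance) is a configuration question rather than a persistence finding and is left to the reviewer.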

#8 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 03 January 2008 - 10:19 PM

Hi katXed,

That looks very good :)

Next, please open Start->Control Panel->Add/Remove Programs, look down the list for this and remove it:

J2SE Runtime Environment 5.0 Update 6

This is out of date and is now a security risk; you can get the latest update (version 6 update 3) from here

You have a program called Messenger Plus! Live installed. When installing it offers a choice either to Install the sponsor program or I refuse to give my support, don't install the sponsor. The sponsor program is malware so if you installed it we need to remove it. Even if you didn't install the sponsor program I recommend you remove this program anyway as the developer is spreading malware for profit - read more information about this here.
To remove the program open Start->Control Panel->Add/Remove Programs, find Messenger Plus! Live and select Remove

You have LimeWire, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours.
You can remove LimeWire 4.14.10 via Add/Remove Programs.

Party Poker has been reported as being malware-related so I strongly recommend you remove it.
To do so, open Add/Remove Programs, find PartyPoker on the list and select Remove

Microsoft AntiSpyware has been replaced by Windows Defender. I recommend you remove Microsoft AntiSpyware and get the latest version from here:
http://www.microsoft...re/default.mspx

Your installation of AVG Antispyware has been installed to a folder in My Documents. This is not ideal because crucial files can accidentally be deleted. I recommend you uninstall the program and reinstall it to its default location; the program can be downloaded from here:
http://www.ewido.net/en/download/
NOTE: If you have paid for AVG Antispyware, please ensure you have the relevant license information before uninstalling. If you aren't sure about this then contact AVG customer support about how to reinstall before making changes.

Once complete, please post a new HijackThis log and tell me how your computer is running.
ASAP & UNITE Member

#9 katXed

katXed

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 04 January 2008 - 10:30 PM

I got rid of the Messenger Plus, deleted the Java and got the new upgrade, uninstalled AVG & reinstalled it in the correct place, & also updated to Windows Defender. The Party Poker wasn't in the add/remove programs list. It is also disabled in IE 7; I checked in the extension list. I am guessing it is a shortcut or something that doesn't work. It was on the computer when I got it (it was previously owned by a college student). The computer seems to be running fine, I haven't had any problems at all, except lately Firefox has been running slower, but I'm thinking that's due to add-ons which I also need to clean out. Otherwise everything is great. Thank you so much. But can I delete ComboFix, the Kaspersky plug-ins, all of the logs I have saved on my desktop, and HijackThis? I just figured I would ask, but thanks again, and here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:10 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\Scan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Katie\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094235272626
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 04 January 2008 - 11:25 PM

Hi katXed,

Good job with the uninstalls and reinstallations, and great to hear things are running well.
Regarding Party Poker, you can remove the buttons from Internet Explorer by doing this:

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

You can delete ComboFix.exe from your Desktop along with runme.bat, output.txt and any of the logs you've saved. Also please delete this folder:

C:\QooBox

You can remove the Kaspersky Web Scanner via Add/Remove Programs if you wish.

We also need to clean System Restore as follows:

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

As I've suggested removing those lines with HijackThis I need to ask for one more HijackThis log before we finish up.
Please post it and let me know if everything went OK.
ASAP & UNITE Member
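The lines silver picks out for "Fix checked" are the ones whose target reads "(file missing)": HijackThis reports the registry entry, so an entry pointing at a file that is no longer on disk is an orphan that the fix removes cleanly. The Python below is an added example, not HijackThis code and not from the thread. It parses log lines in this format, groups entries by CLSID (an IE button and its 'Tools' menu item share one, which is why both PartyPoker lines go together), and returns the orphaned lines as a fix list. The sample lines are constructed from entries quoted in this thread; the section labels are an assumption for display only.

```python
"""Triage HijackThis-style log lines: find orphaned entries and group by CLSID.

Added example; not HijackThis code and not from the thread.
"""
import re
from collections import defaultdict

# Constructed sample, built from entries quoted in this thread.
SAMPLE_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
'''

_ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Assumed labels for the HijackThis sections that appear in the thread (display only).
SECTION_LABELS = {
    "O2": "Browser Helper Object",
    "O4": "Run key / startup item",
    "O9": "IE toolbar button / Tools menu item",
    "O20": "Winlogon Notify DLL",
    "O23": "Service",
}


def parse_hjt(text):
    """Parse HijackThis report lines into dicts; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        clsid = _CLSID_RE.search(body)
        entries.append({
            "line": line,
            "section": m.group("section"),
            "label": SECTION_LABELS.get(m.group("section"), "other"),
            "clsid": clsid.group(0).upper() if clsid else None,
            # The target no longer exists on disk: only the registry reference is left.
            "orphan": body.endswith(_ORPHAN_MARKERS),
        })
    return entries


def group_by_clsid(entries):
    """CLSID -> sections that reference it (a button and its menu item, for example)."""
    groups = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            groups[e["clsid"]].append(e["section"])
    return dict(groups)


def fix_list(entries):
    """The lines whose target file is gone: the ones to tick under 'Fix checked'."""
    return [e["line"] for e in entries if e["orphan"]]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for line in fix_list(parsed):
        print("FIX:", line)
    for clsid, sections in group_by_clsid(parsed).items():
        if len(sections) > 1:
            print(f"{clsid} is referenced by {len(sections)} entries: {sections}")
```

Orphan status is decided purely from the log text, which matches how the thread uses it: the entry is removable because nothing is left to load, not because the path has been judged malicious. Entries with an existing target still need a human (or a reputation lookup) before they go on a fix list.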

#11 katXed

katXed

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 05 January 2008 - 10:18 PM

I couldn't delete the C:\QooBox because certain files weren't found. Also Norton keeps asking me to reboot because of security risk "Trojan.Vundo". I've rebooted but it's not removing it.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:59 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Hijackthis\Scan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Documents and Settings\Katie\My Documents\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094235272626
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 05 January 2008 - 11:07 PM

Hi katXed,

Without seeing the Norton log, I can't tell what it's finding, but I suspect it's targeting the leftovers in C:\QooBox.

Download OTMoveIt to your desktop and double-click the program to start it.
  • Close all programs apart from OTMoveIt as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.
Then please check to see if C:\QooBox has gone, and if Norton has stopped complaining.

In your response, please let me know what happened, and also whether you have successfully completed the System Restore instructions yet.
ASAP & UNITE Member

#13 katXed

katXed

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 07 January 2008 - 09:04 PM

I downloaded OTMoveIT & C:/Qoobox is now gone. I did clean out the system restore (sorry I forgot to mention that on my last post), and Norton has left me alone about the virus so I am guessing that it was the Qoobox as you said. The only problem that I am having now is with installing Windows XP update (KB934238). My computer has been bugging me about it the past few days and I try to download it but it doesn't download and completely disappears until the next re-boot.

#14 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 07 January 2008 - 10:23 PM

Hi katXed,

Great to hear that you got rid of QooBox, I think your machine is now clean :)

Windows Update problems can have many different causes, and I'm not a specialist in the area, so I may have to refer you for help with this issue. However, I would suggest you try the Windows Update Troubleshooter before doing anything else; it may solve your problems:
http://v4.windowsupd...m/troubleshoot/

Let me know how you get on.


Here are some tips to help you keep your computer clean:

You have good protection software installed; however, please ensure it is kept up to date. Check that your antivirus and antispyware programs are set to automatically update themselves daily, and that your firewall is the latest version.

Spywareblaster is a free program which prevents the download and installation of Internet Explorer ActiveX based malware by immunizing your system against it. You can download Spywareblaster from here and a tutorial to help you get started is available here.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://forum.malware...pic.php?p=33687
ASAP & UNITE Member

#15 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 15 January 2008 - 09:12 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
ASAP & UNITE Member
