Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] trustedantivirus

Started by sethmac , Jan 16 2008 07:51 AM

  • This topic is locked This topic is locked
9 replies to this topic

#1 sethmac

sethmac

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 16 January 2008 - 07:51 AM

First off, thank you for offering this service. I have run AVG, AdAware, and SpyWare Doctor without success. Nothing will touch the trustedantivirus. I have a yellow bar at the top of my webpages that says I might be infected and need to click it to download trustedantivirus, which I've never done. It also puts half-naked women on normal advertisements such as the Yahoo homepage. Here is my HJT post. Please help me! Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:45 AM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {0F6858D3-82D0-180F-1315-157811FE2EA3} - PrcIdle.dll (file missing)
O2 - BHO: BDEX System - {5085333B-FD15-4754-A571-852F7077C5F2} - C:\WINDOWS\dxpvqlmqng.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/...tz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6857 bytes

    Advertisements

Register to Remove

#2 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 16 January 2008 - 12:16 PM

Hello sethmac and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Regards,

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#3 sethmac

sethmac

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 16 January 2008 - 06:49 PM

Okay. Again, thanks.

Run by Administrator on Wed 01/16/2008 at 06:05 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\dxpvqlmqng.dll - Deleted
C:\WINDOWS\foxflpd.exe - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 18:19:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 5


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\Yahoo! Games\\Flip Words\\FlipWords.exe"="C:\\Program Files\\Yahoo! Games\\Flip Words\\FlipWords.exe:*:Disabled:FlipWords"
"C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe"="C:\\Program Files\\Yahoo! Games\\Hamsterball\\Hamsterball.exe:*:Enabled:Hamsterball"
"C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe"="C:\\Program Files\\Yahoo! Games\\Insaniquarium Deluxe\\InsaniquariumDeluxe.exe:*:Enabled:Insaniquarium"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\PopCap Games\\Dynomite Deluxe\\Dynomite.exe"="C:\\Program Files\\PopCap Games\\Dynomite Deluxe\\Dynomite.exe:*:Disabled:Dynomite"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealOne Player"
"C:\\Program Files\\Yahoo! Games\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\Yahoo! Games\\Wheel of Fortune\\Wheel of Fortune.exe:*:Enabled:Wheel of Fortune"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\FreshGames\\Word Mojo Gold\\WordMojoGold.exe"="C:\\Program Files\\FreshGames\\Word Mojo Gold\\WordMojoGold.exe:*:Enabled:WordMojoGold"
"C:\\Program Files\\Yahoo! Games\\Word Challenger\\Word Challenger.exe"="C:\\Program Files\\Yahoo! Games\\Word Challenger\\Word Challenger.exe:*:Enabled:Macromedia Projector"
"C:\\Program Files\\Alphaqueue\\alphaqueue.exe"="C:\\Program Files\\Alphaqueue\\alphaqueue.exe:*:Enabled:Macromedia Projector"
"C:\\Program Files\\GameHouse\\Glinx\\Glinx.exe"="C:\\Program Files\\GameHouse\\Glinx\\Glinx.exe:*:Enabled:Super Glinx!"
"C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"="C:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe:*:Enabled:Super TextTwist"
"C:\\Program Files\\Yahoo! Games\\Spelvin\\Spelvin_Yahoo.exe"="C:\\Program Files\\Yahoo! Games\\Spelvin\\Spelvin_Yahoo.exe:*:Enabled:Macromedia Projector"
"C:\\Program Files\\GameHouse\\CollapseCrunch\\Collapse3.exe"="C:\\Program Files\\GameHouse\\CollapseCrunch\\Collapse3.exe:*:Enabled:Collapse! Crunch"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 22 Jul 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Thu 22 Jan 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 22 Jan 2005 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv18.bak"
Sun 3 Dec 2006 1,287,168 ...H. --- "C:\Documents and Settings\Seth\Desktop\~WRL0004.tmp"
Mon 4 Dec 2006 1,122,304 ...H. --- "C:\Documents and Settings\Seth\Desktop\~WRL0441.tmp"
Sun 3 Dec 2006 1,291,264 ...H. --- "C:\Documents and Settings\Seth\Desktop\~WRL2307.tmp"
Sun 16 Dec 2007 3,687,825 A..H. --- "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1186\A0105233.exe"
Sun 6 Jan 2008 0 A..H. --- "C:\Documents and Settings\Kim\Local Settings\Temp\BIT7.tmp"
Sun 6 Jan 2008 0 A..H. --- "C:\Documents and Settings\Kim\Local Settings\Temp\BIT8.tmp"
Sun 6 Jan 2008 0 A..H. --- "C:\Documents and Settings\Kim\Local Settings\Temp\BIT9.tmp"
Sun 3 Dec 2006 102,912 ...H. --- "C:\Documents and Settings\Seth\Application Data\Microsoft\Word\~WRL0005.tmp"
Sun 15 Jan 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!






HJT


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:36 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {0F6858D3-82D0-180F-1315-157811FE2EA3} - PrcIdle.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/...tz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6730 bytes

#4 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 16 January 2008 - 06:59 PM

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#5 sethmac

sethmac

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 17 January 2008 - 06:12 PM

It's already running better. Thank you.




ComboFix 08-01-17.3 - Seth 2008-01-16 23:08:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.85 [GMT -6:00]
Running from: C:\Documents and Settings\Seth\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kim\Desktop\Error Cleaner.url
C:\Documents and Settings\Kim\Desktop\Privacy Protector.url
C:\Documents and Settings\Kim\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Kim\Favorites\Error Cleaner.url
C:\Documents and Settings\Kim\Favorites\Privacy Protector.url
C:\Documents and Settings\Kim\Favorites\Spyware&Malware Protection.url

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-16 23:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 18:03 . 2008-01-16 18:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 06:34 . 2008-01-16 06:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 00:36 . 2008-01-13 00:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-09 18:01 . 2008-01-09 18:14 2,750 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-08 23:25 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-08 23:25 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-08 23:25 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-08 23:25 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-08 23:25 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-08 23:25 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-08 11:01 . 2008-01-08 11:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-01-07 15:38 . 2008-01-07 15:38 <DIR> d-------- C:\Program Files\PlayFirst
2008-01-07 11:51 . 2008-01-07 12:09 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-07 11:30 . 2008-01-08 22:56 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-06 23:03 . 2008-01-06 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-06 21:22 . 2008-01-06 21:22 <DIR> d-------- C:\Documents and Settings\Kim\Application Data\Grisoft
2008-01-06 15:15 . 2008-01-06 15:15 <DIR> d-------- C:\Documents and Settings\Seth\Application Data\Grisoft
2008-01-06 15:14 . 2008-01-06 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-06 14:45 . 2008-01-06 14:45 <DIR> d-------- C:\Program Files\MediaStarCodec
2007-12-25 20:15 . 2007-12-25 20:21 <DIR> d-------- C:\Program Files\support.com
2007-12-25 20:15 . 2007-12-25 20:15 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-12-25 20:15 . 2007-12-25 20:15 949 --a------ C:\net_save.dna

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 05:04 --------- d-----w C:\Program Files\Coupons
2008-01-17 05:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-11 23:04 --------- d-----w C:\Documents and Settings\Seth\Application Data\ZoomBrowser EX
2008-01-11 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-07 21:39 --------- d-----w C:\Documents and Settings\Seth\Application Data\PlayFirst
2008-01-07 18:09 --------- d-----w C:\Documents and Settings\Seth\Application Data\Lavasoft
2008-01-06 15:09 --------- d-----w C:\Program Files\Yahoo! Games
2008-01-06 06:01 --------- d-----w C:\Program Files\MSN Games
2007-12-30 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-19 04:27 --------- d-----w C:\Documents and Settings\Seth\Application Data\iWin
2007-12-17 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-12-15 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\JollyBear
2007-12-13 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-12-09 16:50 --------- d-----w C:\Program Files\Java
2007-12-09 16:49 --------- d-----w C:\Program Files\Common Files\Java
2007-12-07 23:08 --------- d-----w C:\Program Files\Sonic
2007-12-07 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2007-11-30 22:58 --------- d-----w C:\Program Files\Google
2007-11-18 18:22 --------- d-----w C:\Program Files\iDump
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-27 23:39 230,912 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2006-12-24 01:36 75,152 ----a-w C:\Documents and Settings\Seth\Application Data\GDIPFONTCACHEV1.DAT
2006-11-01 23:43 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2006-01-16 05:32 169,560 ----a-w C:\Program Files\o2ksr1a.exe
2006-01-02 20:53 5,943,936 ----a-w C:\Program Files\spyware doctor setup ok.exe
2006-01-02 20:32 205 ----a-w C:\Documents and Settings\Seth\3.dat
2004-03-09 00:56 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 17:33 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"QOELOADER"="C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe" [2004-12-17 16:02 6656]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-11 21:55 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-01-20 03:07:33]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)


*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2005-04-07 04:12:21 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 23:13:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 23:15:47
ComboFix-quarantined-files.txt 2008-01-17 05:15:38
.
2008-01-09 00:11:01 --- E O F ---





HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:53 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {0F6858D3-82D0-180F-1315-157811FE2EA3} - PrcIdle.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/...tz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6185 bytes

#6 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 17 January 2008 - 06:59 PM

A. You don't appear to be running any anti-virus software

Anti-virus software are programs that detect, clean, and/or erase harmful virus files on a computer. Unchecked, virus files can unintentionally be forwarded to others, and thereby spread infection. Keeping your anti-virus updated is essential.

Please download a free anti-virus software from one these excellent vendors NOW:
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


You don't appear to have a software firewall running

It is important that you use a software firewall, to prevent unauthorized traffic both out of and into your computer.
If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:
It is important to note that you should only have one firewall installed at a time.


B. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:
    R3 - URLSearchHook: (no name) - {0F6858D3-82D0-180F-1315-157811FE2EA3} - PrcIdle.dll (file missing)

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


C.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\WINDOWS\SYSTEM32\IEDFix.exe
C:\WINDOWS\SYSTEM32\WS2Fix.exe
C:\Documents and Settings\All Users\Application Data\PopCap

DirLook::
C:\Program Files\support.com

KillAll::
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used..

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


D. I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#7 sethmac

sethmac

    New Member

  • New Member
  • Pip
  • 9 posts

Posted 18 January 2008 - 08:23 PM

Okay done. I did close AVG and ZoneAlarm as ComboFix was running, but that was only because I waited about one hour for ComboFix to begin a NotePad file. Everything else went off without a hitch. Let's start with ESET file:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2806 (20080118)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=3a6853bd2da8e54d8271f281a5dd9eb7
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-19 02:00:45
# local_time=2008-01-18 08:00:45 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=186816
# found=142
# scan_time=7631
C:\c002.chm multiple infiltrations D4C6A715B2C5178841D93B9C2D7C99EB
C:\c002.chm »CHM »/on-line.exe Win32/Dialer.BH trojan 00000000000000000000000000000000
C:\c002.chm »CHM »/1.htm Exploit/CodeBase trojan 00000000000000000000000000000000
C:\c002.chm »CHM »/htm2chm_explorer Exploit/CodeBase trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\16\704874d0-6d950a2a multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\16\704874d0-6d950a2a »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\16\704874d0-6d950a2a »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\16\704874d0-6d950a2a »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\16\704874d0-6d950a2a »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\3\56400ac3-2398bf37 multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\3\56400ac3-2398bf37 »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\3\56400ac3-2398bf37 »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\3\56400ac3-2398bf37 »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\3\56400ac3-2398bf37 »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\33\2f597be1-78508b0a multiple infiltrations 1DD8496841D6D633F963397F34670C39
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\33\2f597be1-78508b0a »ZIP »Beyond.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\33\2f597be1-78508b0a »ZIP »BlackBox.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\33\2f597be1-78508b0a »ZIP »Dummy.class Java/Exploit.Bytverify.H trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\33\2f597be1-78508b0a »ZIP »VerifierBug.class a variant of Java/TrojanDownloader.Byteverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\37\1e34fb65-5921f8df multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\37\1e34fb65-5921f8df »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\37\1e34fb65-5921f8df »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\37\1e34fb65-5921f8df »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\37\1e34fb65-5921f8df »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\46\77cbe92e-72512179 multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\46\77cbe92e-72512179 »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\46\77cbe92e-72512179 »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\46\77cbe92e-72512179 »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\46\77cbe92e-72512179 »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\49\78effc31-5612ecda multiple infiltrations AD1E67E571C3B721D3F4DD5C7CE1851D
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\49\78effc31-5612ecda »ZIP »Counter.class Java/ClassLoader.H trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\49\78effc31-5612ecda »ZIP »Dummy.class Java/Dummy trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\49\78effc31-5612ecda »ZIP »Matrix.class Java/OpenStream.C trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\49\78effc31-5612ecda »ZIP »Parser.class Java/ClassLoader.B trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\5\11867d05-4dd9c3b1 Java/ClassLoader.AA trojan 7B1484415BD02DFD7741B4FC4EF9FA82
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\5\11867d05-4dd9c3b1 »ZIP »BlackBox.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\5\11867d05-4dd9c3b1 »ZIP »VerifierBug.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\5\11867d05-4dd9c3b1 »ZIP »Dummy.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\5\11867d05-4dd9c3b1 »ZIP »Beyond.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\179db173-7dbb3fe9 multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\179db173-7dbb3fe9 »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\179db173-7dbb3fe9 »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\179db173-7dbb3fe9 »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\179db173-7dbb3fe9 »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-14aaa1b0 multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-14aaa1b0 »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-14aaa1b0 »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-14aaa1b0 »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-14aaa1b0 »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-3c606d2c multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-3c606d2c »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-3c606d2c »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-3c606d2c »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-3c606d2c »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-7a4cf232 multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-7a4cf232 »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-7a4cf232 »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-7a4cf232 »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\51\5c7ec733-7a4cf232 »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\53\d957a35-248f1f5b multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\53\d957a35-248f1f5b »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\53\d957a35-248f1f5b »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\53\d957a35-248f1f5b »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\53\d957a35-248f1f5b »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\55\6b29a237-52b996c2 multiple infiltrations 39E7F18B001E43697F4C68E85127F29A
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\55\6b29a237-52b996c2 »ZIP »Beyond.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\55\6b29a237-52b996c2 »ZIP »BlackBox.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\55\6b29a237-52b996c2 »ZIP »VerifierBug.class a variant of Java/TrojanDownloader.Byteverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\62\212f58be-48bd973d multiple infiltrations 42BB7292F03A0C24AE2B8660F231BDE7
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\62\212f58be-48bd973d »ZIP »a.class Java/ClassLoader.B trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\62\212f58be-48bd973d »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\6.0\62\212f58be-48bd973d »ZIP »VerifierBug.class JS/IEStart.G trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-66f3eebb-36b1cad7.zip multiple infiltrations 42BB7292F03A0C24AE2B8660F231BDE7
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-66f3eebb-36b1cad7.zip »ZIP »a.class Java/ClassLoader.B trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-66f3eebb-36b1cad7.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-66f3eebb-36b1cad7.zip »ZIP »VerifierBug.class JS/IEStart.G trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-5562a676.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-5562a676.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-5562a676.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-5562a676.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-5562a676.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-7633cfb1.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-7633cfb1.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-7633cfb1.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-7633cfb1.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-7633cfb1.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f2445d7.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f2445d7.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f2445d7.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f2445d7.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f2445d7.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f5c7005.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f5c7005.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f5c7005.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f5c7005.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-1f5c7005.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-4c898418.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-4c898418.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-4c898418.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-4c898418.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-4c898418.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-44b9e447-529a1885.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-44b9e447-529a1885.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-44b9e447-529a1885.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-44b9e447-529a1885.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-44b9e447-529a1885.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4ae9b3bc-24bbf774.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4ae9b3bc-24bbf774.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4ae9b3bc-24bbf774.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4ae9b3bc-24bbf774.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4ae9b3bc-24bbf774.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d350b51-73e82ea2.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d350b51-73e82ea2.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d350b51-73e82ea2.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d350b51-73e82ea2.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-d350b51-73e82ea2.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\clsld.jar-49a517fa-795c61f6.zip multiple infiltrations 8BE223E929475D1921D8D543B6B380A2
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\clsld.jar-49a517fa-795c61f6.zip »ZIP »GetAccess.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\clsld.jar-49a517fa-795c61f6.zip »ZIP »InsecureClassLoader.class Java/Exploit.Bytverify.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\clsld.jar-49a517fa-795c61f6.zip »ZIP »Dummy.class JS/IEStart trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\clsld.jar-49a517fa-795c61f6.zip »ZIP »Installer.class Java/OpenConnection.F trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-6f3912e7.zip Java/ClassLoader.AA trojan 7B1484415BD02DFD7741B4FC4EF9FA82
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-6f3912e7.zip »ZIP »BlackBox.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-6f3912e7.zip »ZIP »VerifierBug.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-6f3912e7.zip »ZIP »Dummy.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-6f3912e7.zip »ZIP »Beyond.class Java/ClassLoader.AA trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-65df90c4-4389dd8a.zip multiple infiltrations 1DD8496841D6D633F963397F34670C39
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-65df90c4-4389dd8a.zip »ZIP »Beyond.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-65df90c4-4389dd8a.zip »ZIP »BlackBox.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-65df90c4-4389dd8a.zip »ZIP »Dummy.class Java/Exploit.Bytverify.H trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-65df90c4-4389dd8a.zip »ZIP »VerifierBug.class a variant of Java/TrojanDownloader.Byteverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-525e657c-18179aeb.zip multiple infiltrations 39E7F18B001E43697F4C68E85127F29A
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-525e657c-18179aeb.zip »ZIP »Beyond.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-525e657c-18179aeb.zip »ZIP »BlackBox.class a variant of Java/ClassLoader trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-525e657c-18179aeb.zip »ZIP »VerifierBug.class a variant of Java/TrojanDownloader.Byteverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-65faee52-26fbdb93.zip Java/ClassLoader.J trojan 69D17CD9CC8A5CA4CABE3927752FC806
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-65faee52-26fbdb93.zip »ZIP »BlackBox.class Java/ClassLoader.J trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv407.jar-16c6c3e3-696cbc67.zip multiple infiltrations AD1E67E571C3B721D3F4DD5C7CE1851D
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv407.jar-16c6c3e3-696cbc67.zip »ZIP »Counter.class Java/ClassLoader.H trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv407.jar-16c6c3e3-696cbc67.zip »ZIP »Dummy.class Java/Dummy trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv407.jar-16c6c3e3-696cbc67.zip »ZIP »Matrix.class Java/OpenStream.C trojan 00000000000000000000000000000000
C:\Documents and Settings\Seth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv407.jar-16c6c3e3-696cbc67.zip »ZIP »Parser.class Java/ClassLoader.B trojan 00000000000000000000000000000000





Next is ComboFix:

ComboFix 08-01-17.3 - Seth 2008-01-18 17:14:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.87 [GMT -6:00]
Running from: C:\Documents and Settings\Seth\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Seth\Desktop\CFScript.text
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\All Users\Application Data\PopCap
C:\WINDOWS\SYSTEM32\IEDFix.exe
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\WINDOWS\SYSTEM32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\IEDFix.exe
C:\WINDOWS\SYSTEM32\VCCLSID.exe
C:\WINDOWS\SYSTEM32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 16:52 . 2008-01-18 17:29 133,152 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-01-18 16:52 . 2008-01-18 17:22 2,588 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-01-18 16:41 . 2008-01-18 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-18 16:41 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-18 16:41 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-01-18 16:41 . 2008-01-18 16:50 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-01-18 16:39 . 2008-01-18 17:28 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-18 16:34 . 2008-01-18 16:57 <DIR> d-------- C:\Documents and Settings\Seth\Application Data\AVG7
2008-01-18 16:34 . 2008-01-18 16:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-18 16:33 . 2008-01-18 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-16 23:07 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 18:03 . 2008-01-16 18:03 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 06:34 . 2008-01-16 06:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 00:36 . 2008-01-13 00:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-09 18:01 . 2008-01-09 18:14 2,750 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-08 23:25 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-08 23:25 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-08 23:25 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-08 11:01 . 2008-01-08 11:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PlayFirst
2008-01-07 15:38 . 2008-01-07 15:38 <DIR> d-------- C:\Program Files\PlayFirst
2008-01-07 11:51 . 2008-01-07 12:09 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-07 11:30 . 2008-01-08 22:56 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-06 23:03 . 2008-01-06 23:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-01-06 21:22 . 2008-01-06 21:22 <DIR> d-------- C:\Documents and Settings\Kim\Application Data\Grisoft
2008-01-06 15:15 . 2008-01-06 15:15 <DIR> d-------- C:\Documents and Settings\Seth\Application Data\Grisoft
2008-01-06 15:14 . 2008-01-18 16:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-06 14:45 . 2008-01-06 14:45 <DIR> d-------- C:\Program Files\MediaStarCodec
2007-12-25 20:15 . 2007-12-25 20:21 <DIR> d-------- C:\Program Files\support.com
2007-12-25 20:15 . 2007-12-25 20:15 <DIR> d-------- C:\Program Files\Common Files\SupportSoft
2007-12-25 20:15 . 2007-12-25 20:15 949 --a------ C:\net_save.dna

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 05:04 --------- d-----w C:\Program Files\Coupons
2008-01-17 05:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-11 23:04 --------- d-----w C:\Documents and Settings\Seth\Application Data\ZoomBrowser EX
2008-01-11 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-01-07 21:39 --------- d-----w C:\Documents and Settings\Seth\Application Data\PlayFirst
2008-01-07 18:09 --------- d-----w C:\Documents and Settings\Seth\Application Data\Lavasoft
2008-01-06 15:09 --------- d-----w C:\Program Files\Yahoo! Games
2008-01-06 06:01 --------- d-----w C:\Program Files\MSN Games
2007-12-30 17:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-19 04:27 --------- d-----w C:\Documents and Settings\Seth\Application Data\iWin
2007-12-17 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2007-12-15 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\JollyBear
2007-12-13 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-12-09 16:50 --------- d-----w C:\Program Files\Java
2007-12-09 16:49 --------- d-----w C:\Program Files\Common Files\Java
2007-12-07 23:08 --------- d-----w C:\Program Files\Sonic
2007-12-07 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2007-11-30 22:58 --------- d-----w C:\Program Files\Google
2007-11-18 18:22 --------- d-----w C:\Program Files\iDump
2006-12-24 01:36 75,152 ----a-w C:\Documents and Settings\Seth\Application Data\GDIPFONTCACHEV1.DAT
2006-11-01 23:43 2,855,080 ----a-w C:\Program Files\aawsepersonal.exe
2006-01-16 05:32 169,560 ----a-w C:\Program Files\o2ksr1a.exe
2006-01-02 20:53 5,943,936 ----a-w C:\Program Files\spyware doctor setup ok.exe
2006-01-02 20:32 205 ----a-w C:\Documents and Settings\Seth\3.dat
2004-03-09 00:56 16,706,160 ----a-w C:\Program Files\AdbeRdr60_enu_full.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\support.com ----

2007-05-03 17:09 397352 --a------ C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
2007-04-03 14:05 92854 --a------ C:\Program Files\support.com\misc\comcast.ico


((((((((((((((((((((((((((((( snapshot@2008-01-16_23.15.17.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 05:07:34 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 23:12:55 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 05:07:34 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 23:12:55 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 05:07:34 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 23:12:55 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-17 05:07:35 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 23:12:56 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 05:07:35 3,903,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 23:12:56 3,919,872 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-17 05:07:35 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 23:12:56 172,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 22:33:55 821,856 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
+ 2008-01-18 22:34:00 4,224 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
+ 2008-01-18 22:34:01 27,776 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
+ 2008-01-18 22:34:04 3,968 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys
+ 2008-01-18 22:34:04 19,904 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgmfx86.sys
+ 2008-01-18 22:34:04 4,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
+ 2007-07-19 21:10:28 127,768 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\klif.sys
+ 2007-11-14 22:04:46 796,048 ----a-w C:\WINDOWS\SYSTEM32\libeay32_0.9.6l.dll
+ 2007-11-14 22:04:52 83,432 ----a-w C:\WINDOWS\SYSTEM32\vsdata.dll
+ 2007-11-14 22:05:16 394,952 ----a-w C:\WINDOWS\SYSTEM32\vsdatant.sys
+ 2007-11-14 22:04:52 157,160 ----a-w C:\WINDOWS\SYSTEM32\vsinit.dll
+ 2007-11-14 22:04:52 103,912 ----a-w C:\WINDOWS\SYSTEM32\vsmonapi.dll
+ 2007-11-14 22:04:52 275,944 ----a-w C:\WINDOWS\SYSTEM32\vspubapi.dll
+ 2007-11-14 22:04:52 71,144 ----a-w C:\WINDOWS\SYSTEM32\vsregexp.dll
+ 2007-11-14 22:04:54 472,552 ----a-w C:\WINDOWS\SYSTEM32\vsutil.dll
+ 2007-11-14 22:04:54 46,568 ----a-w C:\WINDOWS\SYSTEM32\vswmi.dll
+ 2007-11-14 22:04:54 99,816 ----a-w C:\WINDOWS\SYSTEM32\vsxml.dll
+ 2007-11-14 22:04:56 83,432 ----a-w C:\WINDOWS\SYSTEM32\zlcomm.dll
+ 2007-11-14 22:04:56 71,144 ----a-w C:\WINDOWS\SYSTEM32\zlcommdb.dll
+ 2007-11-14 22:04:44 370,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\av.dll
+ 2007-05-31 06:03:30 65,248 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 20:47:36 21,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 06:03:16 77,824 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 06:03:16 110,592 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 06:03:16 331,776 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 06:03:16 38,400 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 21:10:32 110,360 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 21:10:32 186,128 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 06:03:48 110,360 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 21:10:28 127,768 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 06:03:50 45,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-20 05:12:14 208,960 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\inv.dll
+ 2007-09-12 03:09:16 274,432 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\kave.dll
+ 2006-12-20 00:13:52 1,093,632 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 06:03:20 548,864 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 06:03:20 626,688 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 06:03:18 184,320 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 06:03:22 90,112 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\prremote.dll
+ 2007-09-12 03:09:16 135,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-20 00:13:52 200,704 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ssleay32.dll
+ 2007-11-14 22:04:44 99,816 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\camupd.dll
+ 2004-01-30 18:35:08 813,568 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\dbghelp.dll
+ 2007-11-14 22:04:46 128,480 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\fbl.dll
+ 2007-11-14 22:04:46 38,376 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\featuremap.dll
+ 2007-11-14 22:04:46 321,016 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\imsecure.dll
+ 2007-11-14 22:05:18 288,144 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 22:05:18 152,976 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 22:05:18 26,000 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 22:05:18 1,361,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 22:05:20 71,056 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 22:06:34 30,184 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 22:06:36 30,216 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-19 02:18:38 714,208 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrbase.dll
+ 2007-10-19 02:18:38 787,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\qrsrecl.dll
+ 2007-11-14 22:04:48 173,544 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\scheduler.dll
+ 2007-01-11 17:12:08 2,432,259 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-10-19 02:18:40 1,500,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.dll
+ 2007-10-19 02:18:44 51,176 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\srescan.sys
+ 2007-11-14 22:04:50 456,168 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\ssleay32.dll
+ 2007-11-14 22:06:36 214,528 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 22:06:36 3,266,040 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 02:59:14 503,875 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\upd_core.dll
+ 2007-10-11 22:50:32 832,984 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updating.dll
+ 2007-11-14 22:05:06 144,936 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updclient.exe
+ 2007-01-11 23:31:06 286,787 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\updtrsdk.dll
+ 2007-11-14 22:04:52 108,008 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsavpro.dll
+ 2007-11-14 22:04:52 83,432 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsdb.dll
+ 2007-11-14 22:05:06 75,304 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
+ 2007-11-14 22:04:52 2,029,032 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsmondll.dll
+ 2007-11-14 22:04:54 1,361,384 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsruledb.dll
+ 2007-11-14 22:04:54 239,080 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\vsvault.dll
+ 2007-01-11 17:12:08 2,432,259 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlasdbup.dat
+ 2007-11-14 22:04:56 177,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlparser.dll
+ 2007-11-14 22:04:56 79,344 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 22:04:58 382,440 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlsre.dll
+ 2007-11-14 22:04:58 120,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlupdate.dll
+ 2007-11-14 22:05:00 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-02 17:33 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 00:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 00:07 114688]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 01:04 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 10:27 28672]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"QOELOADER"="C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe" [2004-12-17 16:02 6656]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-11 21:55 185896]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-18 16:33 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-18 16:33 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-01-20 03:07:33]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)


.
Contents of the 'Scheduled Tasks' folder
"2005-04-07 04:12:21 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 17:29:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-18 17:34:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 23:34:46
ComboFix2.txt 2008-01-17 05:15:47
.
2008-01-09 00:11:01 --- E O F ---







And finally, HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:16 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/...tz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/...vl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 7254 bytes

Again, thanks for the help.

#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 18 January 2008 - 08:41 PM

A. Your Java is out of date and your java cache is infected. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull down menu next to Platform select Windows
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.


Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
      Downloaded Applications
      Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


B. Your log looks clean. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations.


Edit: Using Windows Explorer (Windows Key + E) locate and DELETE the following file: C:\c002.chm

Trevuren

Edited by Trevuren, 18 January 2008 - 08:48 PM.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#9 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 21 January 2008 - 11:01 PM

I hope you are well and not experiencing any difficulties carrying out my last set of instructions. If you are, do not hesitate to ask for further explanations. If however, your problem has been solved or you no longer require our assistance, please advise us accordingly and we will archive your topic.

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 26 January 2008 - 02:38 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.


Posted Image

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·