[Resolved] Hijcked task manager control alt delete Not working


  • This topic is locked
21 replies to this topic

#1 Stephanie1470 (New Member, 12 posts)

Posted 27 March 2008 - 05:48 PM

Hello,
Problem with desktop PC with XP. Probably a 3 yr old machine (Dell).
I am not completely computer savvy but understand some things. I have been hijacked to some degree. Have a page that wants me to download some software for spyware removal. I can not use control alt delete, and a few other things are not doing right. Also get web pages, porn and others, just opening even when not on the internet... computer is turned on, but just desktop is showing; come back in a couple of hrs and lots of screens on my desktop.
My desktop PC has Norton 360: run, no help; and AVG: run, no help; as well as XoftSpy: run, no help. All of these did find from time to time things but have not corrected the problem. I have run a HijackThis log and notepad version. Also read someone's post on things to click on to remove, but had nothing to remove.
Thanks for any help
Steph

Edited by Stephanie1470, 27 March 2008 - 06:43 PM.



#2 Stephanie1470 (New Member, 12 posts)

Posted 27 March 2008 - 06:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:09:08 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\nurabwjw\rybmbuha.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dqzczsbs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/br...H...RR&d=homerr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/br...h...rr&d=homerr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com/br...H...RR&d=homerr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rr.com/br...h...rr&d=homerr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/br...h...rr&d=homerr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Road Runner High Speed Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: GNX Bingo - {903AD98D-8A91-4FBB-B5E1-4FFCA9003E6A} - C:\WINDOWS\kdftlboeorn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: qvdntlmw - {19188BC4-4E06-48E6-9C54-8E94425AEF02} - C:\WINDOWS\qvdntlmw.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vqsbmmby] C:\WINDOWS\system32\dqzczsbs.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: MonSys - {1e90a637-aa6d-430b-bc5f-a74e18ee8779} - C:\WINDOWS\Installer\{1e90a637-aa6d-430b-bc5f-a74e18ee8779}\MonSys.dll
O21 - SSODL: SrvWin - {e6ce8f7a-5f6b-49d5-9cbd-22930c11f95d} - C:\WINDOWS\Installer\{e6ce8f7a-5f6b-49d5-9cbd-22930c11f95d}\SrvWin.dll
O21 - SSODL: dwnrpofk - {392A3F7E-3723-499A-9EC6-BF08C67CAD1E} - C:\WINDOWS\dwnrpofk.dll
O21 - SSODL: ServiceKernel - {04f6c1a2-deb9-4a2d-b800-4b2fe06cf4f3} - C:\WINDOWS\Installer\{04f6c1a2-deb9-4a2d-b800-4b2fe06cf4f3}\ServiceKernel.dll
O21 - SSODL: RamRom - {a8566d9f-4469-4a27-bbc9-13bd3a3eab0f} - C:\WINDOWS\Installer\{a8566d9f-4469-4a27-bbc9-13bd3a3eab0f}\RamRom.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
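
As an added example (not part of this thread and not code from HijackThis), the following Python script parses a few O2/O3/O4/O20/O21 lines copied from the log above, mixed with entries from legitimate software, and flags the traits a log helper reads for: random-looking file names, modules sitting directly in C:\WINDOWS, shell objects loaded from C:\WINDOWS\Installer\{GUID}\, and entries with no file name shown. The heuristics and the 30% vowel threshold are my assumptions; a hit is a lead for manual research, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log posted above, alongside
# entries that belong to legitimate software (Adobe, ctfmon, WGA, WPD) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GNX Bingo - {903AD98D-8A91-4FBB-B5E1-4FFCA9003E6A} - C:\WINDOWS\kdftlboeorn.dll
O3 - Toolbar: qvdntlmw - {19188BC4-4E06-48E6-9C54-8E94425AEF02} - C:\WINDOWS\qvdntlmw.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vqsbmmby] C:\WINDOWS\system32\dqzczsbs.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: RamRom - {a8566d9f-4469-4a27-bbc9-13bd3a3eab0f} - C:\WINDOWS\Installer\{a8566d9f-4469-4a27-bbc9-13bd3a3eab0f}\RamRom.dll
"""

VOWELS = set("aeiou")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
INSTALLER_GUID_RE = re.compile(r"\\installer\\\{[0-9a-f-]+\}\\")


@dataclass
class Entry:
    section: str          # O2, O3, O4, O20 or O21
    name: str             # display name, or the Run value name for O4
    path: str             # file the entry loads; '(no file)' or a bare folder when HijackThis shows none
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Assumed heuristic: 8+ letters, all lowercase as printed, under 30% vowels.
    Catches 'dqzczsbs' and 'kdftlboeorn' while leaving 'iaanotif' or 'realsched' alone."""
    if len(name) < 8 or not name.isalpha() or name != name.lower():
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.3


def split_path(path: str):
    """Return (parent_dir, file_stem); the stem is '' when the path ends in a backslash."""
    if path.endswith("\\"):
        return path.rstrip("\\"), ""
    parent, _, fname = path.rpartition("\\")
    return parent, fname.rsplit(".", 1)[0]


def command_path(cmd: str) -> str:
    """Strip quotes and trailing switches from a Run value such as '"C:\\x.exe" /background'."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" /")[0]


def assess(entry: Entry) -> Entry:
    """Attach review reasons to an entry; every hit is a lead for manual checking."""
    parent, stem = split_path(entry.path)
    if entry.path in ("", "(no file)") or stem == "":
        entry.reasons.append("no file name shown (verify the entry manually)")
        return entry
    if looks_random(stem):
        entry.reasons.append(f"random-looking file name '{stem}'")
    if entry.section == "O4" and looks_random(entry.name):
        entry.reasons.append(f"random-looking Run value name '{entry.name}'")
    if parent.lower() == r"c:\windows":
        entry.reasons.append("module sits directly in the Windows folder")
    if INSTALLER_GUID_RE.search(entry.path.lower()):
        entry.reasons.append(r"shell object loaded from C:\WINDOWS\Installer\{GUID}\ (unusual)")
    return entry


def parse_log(text: str) -> list:
    """Parse the O2/O3/O4/O20/O21 lines of a HijackThis log into assessed entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O4_RE.match(line):
            entries.append(assess(Entry("O4", m["name"], command_path(m["cmd"]))))
        elif m := O20_RE.match(line):
            entries.append(assess(Entry("O20", m["name"], m["path"])))
        elif line.startswith(("O2 - ", "O3 - ", "O21 - ")):
            parts = line.split(" - ")          # section, "Kind: name", {CLSID}, path
            if len(parts) >= 4:
                name = parts[1].split(": ", 1)[-1]
                entries.append(assess(Entry(parts[0], name, parts[-1])))
    return entries


def flagged(entries: list) -> list:
    """Only the entries that collected at least one review reason."""
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.name:<16} {e.path}")
        for r in e.reasons:
            print(f"      - {r}")
```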

#3 IndiGenus (Teacher Emeritus, Authentic Member, 5,251 posts; Interests: Computer Security, Music, Sports)

Posted 29 March 2008 - 05:33 PM

Hi Stephanie1470 and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research, so please be patient, and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • I recommend you make a backup of any data that you have created, such as documents, pictures, music, etc., before we begin the fix.

You are pretty heavily infected here, but we should be able to get you cleaned up.

Please download SDFix and save it to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • Open the SDFix folder and double click on RunThis.bat to start the script.
  • Type Y and press Enter to begin the script.
  • It will start cleaning your PC and then prompt you to press any key to Reboot.
  • Press any key to restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished.
  • Press any key to end the script and to load your desktop icons.
  • A text file should automatically open, so please copy the contents and post them here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
IndiGenus

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#4 Stephanie1470 (New Member, 12 posts)

Posted 29 March 2008 - 09:26 PM

Hi Dave, Thanks for the reply and suggestions. It is Sat night late... I will attempt to do some backups on Sunday... have a lot of files to move, but I do have an external HD 160GB. Friends are telling me to just back up and re-format... That might be easy... but I might try your suggested way first... I need to try and learn some of this stuff. I can do pretty well on the computer... but a lot of terms I get lost. I will do the backup, then try your suggestions... and we can go from there... I am going to assume that the files that I back up will not be corrupted... HOPE SO. Thanks for the reply. Steph

#5 Stephanie1470 (New Member, 12 posts)

Posted 31 March 2008 - 05:42 AM

Hi Dave, It took forever to get a backup... 59 GB of info. Problem was... or part of the problem... someone helped to transfer information while I was out; however, upon looking to see if the new location information would work... it would not open... so re-sent or backed up again. Documents went well, emails took much longer... as I have a great deal of important correspondence I needed to keep. Now have the emails saved... but replacing or re-loading may be an issue... other problem was a big list of favorites. 1st attempt NOT so good. 2nd attempt is OK. Anyway I ran the SDFix... on the first try, when I tried to open the folder in SAFE mode I had to use WinZip to get it to open... anyway a number of files began to show in the box at the beginning... got to finish and restarted with a key press and got a box saying "Final Check" Running catchme, please wait, this may take up to 5 minutes... I waited about 20 and nothing else happened... so hit the X and closed the window. Nothing seemed different so I repeated the process... this time there was no WinZip... but there was about 2 or 3 times the number of files that rastered by the screen... after the prompt to restart... the same thing happened... cleaning window came up... then prompt to close with a key press... when it re-booted... the Running catchme box came up again... but nothing else for 20 minutes. You say to "please copy the contents and post them here"; however, I have not or never saw anything to post... or a way to get anything to post. Thanks for more instructions. PS I have also had to be on the internet for various needed items since my log a couple of days ago... is that a big problem?? I fortunately do not see any INCREASE in my problems... about the same... though certain things are running slow, but still about the same. Thanks Steph

#6 IndiGenus (Teacher Emeritus, Authentic Member, 5,251 posts; Interests: Computer Security, Music, Sports)

Posted 31 March 2008 - 07:36 AM

Hi,

It took forever to get a backup ...59 GB info......as I have a great deal of important correspondence...I needed to keep


Well, if you have important data I would recommend coming up with a good regular backup plan for occasions like this, where you get a serious Malware infection... or if you run into some other unforeseen PC issue (they're all unforeseen, right?)

Let's try this. Move on to run combofix, remember to make sure Symantec is completely disabled before running it. Hopefully it will finish and we can get a log.


#7 Stephanie1470 (New Member, 12 posts)

Posted 31 March 2008 - 05:40 PM

Hi Dave,
Here is my combofix log followed by my HJ log
Combo Fix
ComboFix 08-03-30.4 - Marty1 2008-03-31 19:25:56.1 - NTFSx86
Running from: C:\Documents and Settings\Marty1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Marty1\Desktopblackbird.jpg
C:\Documents and Settings\Marty1\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Marty1\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Marty1\Desktopfilemanagerclient.exe
C:\Documents and Settings\Marty1\Desktopfkwp1.5.exe
C:\Documents and Settings\Marty1\Desktopfkwp2.0.exe
C:\Documents and Settings\Marty1\Desktopfwebd.exe
C:\Documents and Settings\Marty1\DesktopFWebdEditor.exe
C:\Documents and Settings\Marty1\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Marty1\Desktopvirii
C:\Documents and Settings\Steve\Desktopblackbird.jpg
C:\Documents and Settings\Steve\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Steve\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Steve\Desktopfilemanagerclient.exe
C:\Documents and Settings\Steve\Desktopfkwp1.5.exe
C:\Documents and Settings\Steve\Desktopfkwp2.0.exe
C:\Documents and Settings\Steve\Desktopfwebd.exe
C:\Documents and Settings\Steve\DesktopFWebdEditor.exe
C:\Documents and Settings\Steve\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Steve\Desktopvirii
C:\WINDOWS\mslagent
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\Web\def.htm

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-30 21:39 . 2008-03-30 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-30 21:27 . 2008-03-31 06:32 <DIR> d-------- C:\SDFix
2008-03-30 12:52 . 2008-03-30 19:39 <DIR> d-------- C:\Program Files\ErrorSmart
2008-03-30 12:52 . 2008-03-30 12:57 <DIR> d-------- C:\Documents and Settings\Marty1\Application Data\ErrorSmart
2008-03-30 10:29 . 2008-03-30 12:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData
2008-03-25 19:13 . 2008-03-25 19:13 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-25 18:54 . 2008-03-25 18:54 102,400 --a------ C:\WINDOWS\SYSTEM32\rkzsvmda.exe
2008-03-25 14:53 . 2008-03-25 14:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nurabwjw
2008-03-25 14:53 . 2008-03-25 14:53 90,112 --a------ C:\WINDOWS\SYSTEM32\dqzczsbs.exe
2008-02-26 19:01 . 2008-02-26 19:01 <DIR> d-------- C:\Program Files\Dell Support Center
2008-02-26 19:01 . 2008-02-26 19:01 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2008-02-26 19:01 . 2008-02-26 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-02-12 14:20 . 2008-03-31 07:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-12 14:20 . 2008-02-12 14:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-10 09:50 . 2008-02-10 09:50 0 --a------ C:\WINDOWS\PowerReg.dat
2008-02-10 09:48 . 2008-02-10 09:48 <DIR> d-------- C:\Program Files\Infogrames Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 00:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-27 22:58 --------- d-----w C:\Program Files\XoftSpySE
2008-03-22 18:36 --------- d-----w C:\Program Files\e-Sword
2008-03-07 01:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-26 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-22 01:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-18 20:11 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-02-10 13:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 14:13 --------- d-----w C:\Program Files\Dvd-cloner
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-08 14:44 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
2007-09-24 01:53 128,976 ------w C:\Documents and Settings\Marty1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2006-04-25 16:47 40960]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-10 07:41 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"vqsbmmby"="C:\WINDOWS\system32\dqzczsbs.exe" [2008-03-25 14:53 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35 335872]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 12:43 53248]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"EnigmaPopupStop"="C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe" [2004-01-29 16:22 2596864]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-07-29 01:04 114741]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-12 08:39 180269]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-04-20 13:24 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NWEReboot"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 19:46 270336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [2007-10-25 16:11 18244856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-17 12:57:43 24576]
Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2004-08-11 18:22:23 184320]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 14:56:10 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoRun"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 09:10]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 11:17:33 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart.Marty1+Runs ErrorSmart to optimize your registry.
"2008-03-31 12:52:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{80FEE2D8-466A-47DE-A158-F3A309258FF5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2008-03-31 21:00:18 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-27 00:39:10 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 19:30:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 19:31:38
ComboFix-quarantined-files.txt 2008-03-31 23:31:29
Pre-Run: 23,809,085,440 bytes free
Post-Run: 23,787,536,384 bytes free
.
2008-03-12 07:01:46 --- E O F ---

HERE IS THE HJ THIS LOG FILE FROM NOTEPAD...WOULD YOU RATHER HAVE THE OTHER VERSION? NOT NOTEPAD

Logfile of HijackThis v1.99.1
Scan saved at 7:36:28 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dqzczsbs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/br...h...rr&d=homerr
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [vqsbmmby] C:\WINDOWS\system32\dqzczsbs.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 31 March 2008 - 05:57 PM

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\SYSTEM32\rkzsvmda.exe
C:\WINDOWS\SYSTEM32\dqzczsbs.exe

Folder::
C:\Program Files\PC-Cleaner
C:\Documents and Settings\All Users\Application Data\nurabwjw

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vqsbmmby"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi
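
Added example for this thread (not code from HijackThis, ComboFix or the helper): a small Python triage script that parses the O4 Run-key lines of a HijackThis log, flags the kind of random-named HKCU entry removed above, and drafts the File::/Registry:: stanza in the CFScript.txt layout used in this thread. The "random-looking name" heuristic and the sample log lines are constructed assumptions, and every hit still needs a human to confirm it before anything is removed.

```python
"""Triage HijackThis O4 (Run-key) entries and draft a ComboFix CFScript stanza.

Added example; not code from HijackThis, ComboFix or the thread's helper.
The randomness heuristic and SAMPLE_LOG are assumptions constructed here.
"""
import ntpath
import re

# Constructed sample in the layout HijackThis v1.99.1 prints, including the
# HKCU Run entry the helper asked to remove in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [vqsbmmby] C:\WINDOWS\system32\dqzczsbs.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
"""

# "O4 - HKCU\..\Run: [name] command line"  (Run and RunOnce, HKLM and HKCU)
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$')
HIVE_NAME = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


def split_command(rest):
    """Return the executable path from a Run value's command line.
    HijackThis keeps the quotes when the registry value was quoted."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', rest, re.IGNORECASE)
    return m.group(1) if m else rest


def parse_o4(log_text):
    """Parse the registry-backed O4 lines. Global Startup .lnk lines use a
    different layout and are skipped here."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, rest = m.groups()
            entries.append({'hive': hive, 'key': key, 'name': name,
                            'path': split_command(rest)})
    return entries


def looks_random(token):
    """Assumed heuristic: eight lowercase letters with at most one vowel, the
    shape of the value name and file name flagged in this thread. It is a
    triage aid, not proof; false positives are expected on odd vendor names."""
    return bool(re.fullmatch(r'[a-z]{8}', token)) and sum(c in 'aeiou' for c in token) <= 1


def find_suspicious(entries):
    """Flag entries whose value name looks random, or whose executable has a
    random-looking name and lives in the Windows system directory."""
    hits = []
    for e in entries:
        stem = ntpath.splitext(ntpath.basename(e['path']))[0].lower()
        in_system32 = '\\windows\\system32\\' in e['path'].lower()
        if looks_random(e['name']) or (in_system32 and looks_random(stem)):
            hits.append(e)
    return hits


def draft_cfscript(findings):
    """Render File:: and Registry:: stanzas in the CFScript.txt layout shown in
    this thread ("name"=- deletes the value). The output is a draft for a
    reviewer to check line by line, not something to feed to ComboFix blindly."""
    lines = ['File::', *sorted({e['path'] for e in findings}), '', 'Registry::']
    by_key = {}
    for e in findings:
        key = f"[{HIVE_NAME[e['hive']]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{e['key']}]"
        by_key.setdefault(key, []).append(e['name'])
    for key, names in by_key.items():
        lines.append(key)
        lines.extend(f'"{n}"=-' for n in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    suspicious = find_suspicious(parse_o4(SAMPLE_LOG))
    for e in suspicious:
        print(f"flagged {e['hive']}\\..\\{e['key']}: [{e['name']}] {e['path']}")
    print(draft_cfscript(suspicious))
```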


#9 Stephanie1470

Stephanie1470

    New Member

  • New Member
  • 12 posts

Posted 31 March 2008 - 07:43 PM

Hi Dave, I posted the box into Notepad as per #2... but I am not clear on step #3 or #4. Where do I click to Save? Is it at the top of the Notepad window under File? I have two choices, one is plain Save, one is Save As. Then step #4: not sure how I am getting something on the desktop to drag into ComboFix. Steph

#10 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 31 March 2008 - 07:50 PM

Hi Steph,
If you click on Save or Save As... it should do the same thing, ask you to name the file and where to put it. Name it CFScript.txt and save it directly on the desktop.

Then to drag it use your mouse and place the arrow over CFScript.txt, left click once and hold down. Then drag it on top of combofix as shown in the picture and let go of the mouse. That should start combofix.

Hopefully that gets you through it.

Dave

Edited by IndiGenus, 31 March 2008 - 07:51 PM.



#11 Stephanie1470

Stephanie1470

    New Member

  • New Member
  • 12 posts

Posted 31 March 2008 - 08:24 PM

Hi Dave,
Thanks for the clarification... the unwanted advertisement for spamware is now gone, and no popups this last run. Immediately below is the ComboFix record followed by the HijackThis log.
Thanks again
Steph

ComboFix 08-03-30.4 - Marty1 2008-03-31 22:12:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.434 [GMT -4:00]
Running from: C:\Documents and Settings\Marty1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marty1\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\dqzczsbs.exe
C:\WINDOWS\SYSTEM32\rkzsvmda.exe
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\nurabwjw
C:\Documents and Settings\All Users\Application Data\nurabwjw\rybmbuha.exe
C:\Program Files\PC-Cleaner
C:\WINDOWS\SYSTEM32\dqzczsbs.exe
C:\WINDOWS\SYSTEM32\rkzsvmda.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-30 21:39 . 2008-03-30 21:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-30 21:27 . 2008-03-31 06:32 <DIR> d-------- C:\SDFix
2008-03-30 12:52 . 2008-03-30 19:39 <DIR> d-------- C:\Program Files\ErrorSmart
2008-03-30 12:52 . 2008-03-30 12:57 <DIR> d-------- C:\Documents and Settings\Marty1\Application Data\ErrorSmart
2008-03-30 10:29 . 2008-03-30 12:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 00:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-27 22:58 --------- d-----w C:\Program Files\XoftSpySE
2008-03-22 18:36 --------- d-----w C:\Program Files\e-Sword
2008-03-07 01:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 01:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 01:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-26 23:01 --------- d-----w C:\Program Files\Dell Support Center
2008-02-26 23:01 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-02-26 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-02-26 23:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-22 01:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-18 20:11 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-02-10 13:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 13:48 --------- d-----w C:\Program Files\Infogrames Interactive
2008-02-04 14:13 --------- d-----w C:\Program Files\Dvd-cloner
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-09-24 01:53 128,976 ------w C:\Documents and Settings\Marty1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2006-04-25 16:47 40960]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-10 07:41 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35 335872]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 12:43 53248]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"EnigmaPopupStop"="C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe" [2004-01-29 16:22 2596864]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 01:01 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-07-29 01:04 114741]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-05-12 08:39 180269]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-04-20 13:24 53248]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NWEReboot"="" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 19:46 270336]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ErrorSmart"="C:\Program Files\ErrorSmart\ErrorSmart.exe" [2007-10-25 16:11 18244856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-07-17 12:57:43 24576]
Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2004-08-11 18:22:23 184320]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 14:56:10 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)
"DisableLocalMachineRunOnce"= 0 (0x0)
"DisableCurrentUserRun"= 0 (0x0)
"DisableCurrentUserRunOnce"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoRun"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 09:10]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 11:17:33 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart.Marty1+Runs ErrorSmart to optimize your registry.
"2008-03-31 12:52:17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{80FEE2D8-466A-47DE-A158-F3A309258FF5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
"2008-03-31 21:00:18 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-03-27 00:39:10 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 22:16:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 22:17:02
ComboFix-quarantined-files.txt 2008-04-01 02:16:59
ComboFix2.txt 2008-03-31 23:31:39
Pre-Run: 23,911,333,888 bytes free
Post-Run: 23,890,993,152 bytes free
.
2008-03-12 07:01:46 --- E O F ---
---------------------------------------------------------------------------------------------------
HijackThis LOG

Logfile of HijackThis v1.99.1
Scan saved at 10:23:10 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/br...h...rr&d=homerr
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 IndiGenus

Posted 01 April 2008 - 07:37 AM

Looking better, let's continue with the cleanup.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please do an online scan with Kaspersky WebScanner

You need to use Internet Explorer for this scan.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please also post a fresh HJT log and let me know how it's running.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#13 Stephanie1470

Posted 02 April 2008 - 05:35 AM

Hi Dave... It is Wed AM.... Here is the Malwarebytes information... I also ran the Kaspersky program.. It was late last night.. so I went to bed while it was running.... upon waking up.. it had run.. found some bugs... but there was no button I could see that gave me the option to click and save text. I am running the program again. Should be home when it is finished... may be able to see a "Save as text" option then... If not.. then I need to know where to go. The only button I could see was "Stop Scan". There was also the same link to download the program window at the top as I had initially seen and clicked to activate the program. ALSO as a side note or interesting... the Kaspersky page will NOT maximize. It will just move around but stays the same size. Thanks again, will await further clarification.. Steph

-------------------------------------------------------------
Malwarebytes' Anti-Malware 1.10
Database version: 581

Scan type: Quick Scan
Objects scanned: 35404
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{841098dc-eea3-4332-9c67-51cf88fe66a7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9e15cbba-a508-4838-ac11-8d44be41cea9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 IndiGenus

Posted 02 April 2008 - 08:48 AM

Sounds good Steph. If you still have issues with Kaspersky we can try one of the other online scanners. Here is one...

TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Post any details about the scan in your next reply along with a fresh HJT log and a description of how your PC is behaving.


#15 Stephanie1470

Posted 02 April 2008 - 06:03 PM

Hi Dave,
My computer was turned off by a friend when they sat down to do something and saw a black screen.. I was at work... so I ran the Kaspersky scan a 3rd time.... anyway, 3 times a charm and I got a log.. I also have many infections still. Am I picking up stuff because I have not been able to do this all straight through.. Tomorrow I may be at home more but wonder if I lose ground each time I go out on the Net. My computer does seem to be working much better, in spite of what Kaspersky says I have. Must have had a truck load of stuff.

Anyway, below is my Kaspersky log and a new HJT log. I may try and run the HouseCall you mentioned in the last email as well.
Thanks steph
--------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 02, 2008 7:47:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/04/2008
Kaspersky Anti-Virus database records: 678667


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 182944
Number of viruses found 22
Number of infected objects 52
Number of suspicious objects 79
Duration of the scan process 01:52:17

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e8b3706d38d7802f89ec26d202f21819_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\064D4756/Data.txt .exe Infected: Email-Worm.Win32.NetSky.aa skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\064D4756 ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\064D4756 CryptFF: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13670646.exe Infected: Trojan.Win32.Qhost.rz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\26423E7E.htm Infected: Trojan-Downloader.JS.Small.bq skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27286C9E/bwolf@aspeonline.com.zip/bwolf@aspeonline.com.doc .pif Infected: Email-Worm.Win32.Mydoom.m skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27286C9E/bwolf@aspeonline.com.zip Infected: Email-Worm.Win32.Mydoom.m skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27286C9E ZIP: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27286C9E CryptFF: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E781B21/smartpages.com.html .exe Infected: Email-Worm.Win32.Mydoom.m skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E781B21 ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E781B21 CryptFF: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\41DC5EDE.txt Infected: not-virus:Hoax.Win32.Renos.jh skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\48ED4B12 Infected: Email-Worm.Win32.Sober.p skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\55AD4CA0.exe Infected: Trojan-Spy.Win32.Tofger.bd skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E5F32A2 Infected: Email-Worm.Win32.Mydoom.m skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60FB4609 Infected: not-a-virus:AdWare.Win32.WinAD.at skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\681F0E1C.wmf Infected: Exploit.Win32.IMG-WMF.u skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6C9B7761 Infected: not-a-virus:AdWare.Win32.WinAD.ak skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70DA14C7.tmp Infected: Email-Worm.Win32.Sober.y skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7ADB29ED/Data.txt .exe Infected: Email-Worm.Win32.NetSky.aa skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7ADB29ED ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7ADB29ED CryptFF: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D2608A11.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Marty1\Application Data\ErrorSmart\Log\2008 Apr 02 - 05_34_44 PM_921.log Object is locked skipped

C:\Documents and Settings\Marty1\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

C:\Documents and Settings\Marty1\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped

C:\Documents and Settings\Marty1\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped

C:\Documents and Settings\Marty1\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped

C:\Documents and Settings\Marty1\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Marty1\Desktop\downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Marty1\Desktop\downloads\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Marty1\Desktop\downloads\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8C31AE73-C99F-4DB0-A26E-42BFABE572D4}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8C31AE73-C99F-4DB0-A26E-42BFABE572D4}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8C31AE73-C99F-4DB0-A26E-42BFABE572D4}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8C31AE73-C99F-4DB0-A26E-42BFABE572D4}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\paid for stuff video and other.dbx/[From eBay ][Date Mon, 23 Jan 2006 13:50:42 -0800]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\paid for stuff video and other.dbx/[From eBay ][Date Mon, 23 Jan 2006 13:50:42 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\paid for stuff video and other.dbx/[From "service@paypal.com" ][Date Sun, 27 Aug 2006 10:00:20 -0400]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\paid for stuff video and other.dbx Mail MS Outlook 5: suspicious - 3 skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jan 2006 12:55 from eBay:You Won eBay Item: NEW BEHRINGER FBQ.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/06 Feb 2006 07:11 from eBay:You Won eBay Item: Behringer Ultra-D.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/08 Mar 2006 15:45 from eBay:You Won eBay Item: YOU CAN TEACH YOU.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/17 Mar 2006 22:12 from eBay:You Won eBay Item: New Blue Braided .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/12 Apr 2006 17:05 to kimmym511@ec.rr.com:Security Measures.Chase.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/24 Apr 2006 00:50 from Paypal Security Notice:ID 49984 Paypal Se/ID 49984 Paypal Security Notice.htm Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/15 Jul 2006 23:16 from eBay:You Won eBay Item: Aria 12 String Ac.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/26 Aug 2006 01:27:Accounts Management.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/12 Oct 2006 05:30 from eBay:You Won eBay Item: Wind Rhythms The .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/14 Nov 2006 08:07 to sfreeman@ec.rr.com:We have suspended your e.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/08 Apr 2007 06:44 from service@paypal.com:Confirm your Premier A/Confirm your Premier Account.htm Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/25 Jul 2007 11:07 from aw-confirm@ebay.com/ATT16564.htm Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/23 Jan 2008 00:38 from Citi Bank N.A.:CitiBank Alert Message for.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jan 2006 12:55 from eBay:You Won eBay Item: NEW BEHRINGER FBQ.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/06 Feb 2006 07:11 from eBay:You Won eBay Item: Behringer Ultra-D.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/08 Mar 2006 15:45 from eBay:You Won eBay Item: YOU CAN TEACH YOU.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/17 Mar 2006 22:12 from eBay:You Won eBay Item: New Blue Braided .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/12 Apr 2006 17:05 to kimmym511@ec.rr.com:Security Measures.Chase.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/24 Apr 2006 00:50 from Paypal Security Notice:ID 49984 Paypal Se/ID 49984 Paypal Security Notice.htm Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/15 Jul 2006 23:16 from eBay:You Won eBay Item: Aria 12 String Ac.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/26 Aug 2006 01:27:Accounts Management.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/12 Oct 2006 05:30 from eBay:You Won eBay Item: Wind Rhythms The .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/14 Nov 2006 08:07 to sfreeman@ec.rr.com:We have suspended your e.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/08 Apr 2007 06:44 from service@paypal.com:Confirm your Premier A/Confirm your Premier Account.htm Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/25 Jul 2007 11:07 from aw-confirm@ebay.com/ATT16564.htm Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/23 Jan 2008 00:38 from Citi Bank N.A.:CitiBank Alert Message for.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/26 Jul 2004 01:28 to spoof@ebay.com:Fw: TKO Notice: ***Urgent Sa.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/27 Jul 2004 01:12 to spoof@ebay.com:Fw: FIP NOTICE: eBay Registr.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/31 Jul 2004 00:55 to spoof@ebay.com:Fw: eBay.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Aug 2004 17:35 to spoof@paypal.com:Fw: Case ID Number: PP-040.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/23 Aug 2004 11:46 to spoof@ebay.com:Fw: Billing Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/17 Sep 2004 11:51 to spoof@ebay.com:Fw: Your credit/debit card i.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/14 Oct 2004 11:44 to spoof@ebay.com:Fw: Security Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/16 Oct 2004 20:50 to spoof@ebay.com:Fw: FPA NOTICE: eBay Registr.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/17 Oct 2004 17:03 to eBay Customer Support:Fw: Security Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/18 Oct 2004 11:46 to spoof@paypal.com:Fw: PayPal® Account Review.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/18 Oct 2004 20:15 to eBay Customer Support:Fw: Security Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/10 Nov 2004 12:32 to eBay Customer Support:Fw: TKO NOTICE: Pay y.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/23 Dec 2004 18:39 to spoof@paypal.com:Fw: PayPal Fraud Protectio.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/06 Jan 2005 01:49 to spoof@paypal.com:Fw: PayPal® Account Review.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Apr 2005 18:56 to spoof@paypal.com:Fw: Your PayPal ® account .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/06 Jun 2005 02:08 to spoof@paypal.com:Fw: PayPal Account Inciden.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/06 Jun 2005 14:09 to spoof@paypal.com:Fw: PayPal Account Review .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/20 Jun 2005 10:23 to spoof@paypal.com:Fw: [Norton AntiSpam] Upda.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/05 Sep 2005 21:00 to spoof@paypal.com:Fw: [Norton AntiSpam] TKO .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Apr 2006 00:59 to spoof@paypal.com:Fw: ID 49984 Paypal Securi.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/26 Aug 2006 12:41 to spoof@paypal.com:Fw: Accounts Management.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/12 Sep 2006 00:59 to spoof@ebay.com:Fw: Urgent Safeharbor Depart.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/03 Oct 2006 16:15 to spoof@ebay.com:Fw: Urgent Safeharbor Depart.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Nov 2006 02:45 to spoof@ebay.com:Fw: We have suspended your e.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/26 Jul 2004 01:28 to spoof@ebay.com:Fw: TKO Notice: ***Urgent Sa.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/27 Jul 2004 01:12 to spoof@ebay.com:Fw: FIP NOTICE: eBay Registr.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/31 Jul 2004 00:55 to spoof@ebay.com:Fw: eBay.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Aug 2004 17:35 to spoof@paypal.com:Fw: Case ID Number: PP-040.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/23 Aug 2004 11:46 to spoof@ebay.com:Fw: Billing Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/17 Sep 2004 11:51 to spoof@ebay.com:Fw: Your credit/debit card i.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/14 Oct 2004 11:44 to spoof@ebay.com:Fw: Security Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/16 Oct 2004 20:50 to spoof@ebay.com:Fw: FPA NOTICE: eBay Registr.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/17 Oct 2004 17:03 to eBay Customer Support:Fw: Security Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/18 Oct 2004 11:46 to spoof@paypal.com:Fw: PayPal® Account Review.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/18 Oct 2004 20:15 to eBay Customer Support:Fw: Security Issues.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/10 Nov 2004 12:32 to eBay Customer Support:Fw: TKO NOTICE: Pay y.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/23 Dec 2004 18:39 to spoof@paypal.com:Fw: PayPal Fraud Protectio.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/06 Jan 2005 01:49 to spoof@paypal.com:Fw: PayPal® Account Review.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Apr 2005 18:56 to spoof@paypal.com:Fw: Your PayPal ® account .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/06 Jun 2005 02:08 to spoof@paypal.com:Fw: PayPal Account Inciden.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/06 Jun 2005 14:09 to spoof@paypal.com:Fw: PayPal Account Review .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/20 Jun 2005 10:23 to spoof@paypal.com:Fw: [Norton AntiSpam] Upda.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/05 Sep 2005 21:00 to spoof@paypal.com:Fw: [Norton AntiSpam] TKO .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/24 Apr 2006 00:59 to spoof@paypal.com:Fw: ID 49984 Paypal Securi.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/26 Aug 2006 12:41 to spoof@paypal.com:Fw: Accounts Management.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/12 Sep 2006 00:59 to spoof@ebay.com:Fw: Urgent Safeharbor Depart.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/03 Oct 2006 16:15 to spoof@ebay.com:Fw: Urgent Safeharbor Depart.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Sent Items/15 Nov 2006 02:45 to spoof@ebay.com:Fw: We have suspended your e.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: suspicious - 74 skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\History\History.IE5\MSHist012008040220080403\index.dat Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Temp\~DF4049.tmp Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Temp\~DFAB36.tmp Object is locked skipped

C:\Documents and Settings\Marty1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Marty1\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Marty1\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Myla\My Documents\smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Audible\Bin\AM Install1.INF Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\Bonus\Log\Shazam.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAD.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWADMT.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.dat Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.ldb Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped

C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped

C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped

C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped

C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped

C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped

C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped

C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped

C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped

C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped

C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped

C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped

C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped

C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dqzczsbs.exe.vir Infected: Trojan-Downloader.Win32.Obfuscated.em skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rkzsvmda.exe.vir Infected: Trojan-Downloader.Win32.Obfuscated.ec skipped

C:\SDFix\backups_old\backups.zip/backups/dwnrpofk.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dbi skipped

C:\SDFix\backups_old\backups.zip/backups/kdftlboeorn.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dat skipped

C:\SDFix\backups_old\backups.zip/backups/norlatmx.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dau skipped

C:\SDFix\backups_old\backups.zip/backups/qvdntlmw.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dbh skipped

C:\SDFix\backups_old\backups.zip/backups/vbgtorfd.dll Infected: not-a-virus:AdWare.Win32.Vapsup.daw skipped

C:\SDFix\backups_old\backups.zip ZIP: infected - 5 skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1399\A0178667.dll Infected: not-a-virus:AdWare.Win32.Agent.au skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1405\A0180239.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1405\A0180240.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1405\A0180241.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1405\A0180242.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181419.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dat skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181420.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dbi skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181421.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dau skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181422.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dbh skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181423.dll Infected: not-a-virus:AdWare.Win32.Vapsup.daw skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181429.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dbi skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181431.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dat skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181432.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dau skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181433.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dbh skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1408\A0181436.dll Infected: not-a-virus:AdWare.Win32.Vapsup.daw skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1411\A0181740.exe Infected: Trojan-Downloader.Win32.Obfuscated.em skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1411\A0181741.exe Infected: Trojan-Downloader.Win32.Obfuscated.ec skipped

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1412\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{EA50A946-51FC-4974-9A34-69E80E65D634}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\JETBE70.tmp Object is locked skipped

C:\WINDOWS\Temp\JETBF89.tmp Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
---------------------------------------------------------------------------------------------------------------

NEW HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:01:58 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ErrorSmart\ErrorSmart.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/br...h...rr&d=homerr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.rr.com/br...h...rr&d=homerr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/br...h...rr&d=homerr
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [ErrorSmart] C:\Program Files\ErrorSmart\ErrorSmart.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan....s/ascstubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan....bs/nanoinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streaming...MINIBrowser.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
