Jump to content

Build Theme!
  •  
  • Infected?

big grin WE'RE SURE THAT YOU'LL LOVE US!

We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91461 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Somebody please help me... hijackthis.log attached


  • This topic is locked This topic is locked
18 replies to this topic

#1 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 13 April 2008 - 09:50 PM

Hello,

Please help me to clean up my computer because every once in a while a pop-up will appear wanting me to "fix the problem." I have read that I definitely should not purchase from those websites, but I haven't been able to get them to go away. Please help me. Thank you!

Here is my log from Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:17 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Lance\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\gjankbmz.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Viewbar] C:\Documents and Settings\Lance\Desktop\Viewbar\AGLOCO Viewbar\Viewbar.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Lance\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ppjocuug] C:\WINDOWS\system32\gjankbmz.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\AIM.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {1FBE245E-D937-4600-BD20-8407CA92EA83} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinn...am/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...O/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinn...chess/chess.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinn.../familyfeud.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...OCX/flashax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Advertisements

Register to Remove


#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 14 April 2008 - 05:26 AM

Hi

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#3 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 14 April 2008 - 11:46 AM

Thank you so much for looking at this! Here are my two logs starting with the Hijackthis log and then with the CF log. Thanks again!

---Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:44, on 2008-04-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Lance\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\gjankbmz.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c02&lc=0409
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Viewbar] C:\Documents and Settings\Lance\Desktop\Viewbar\AGLOCO Viewbar\Viewbar.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Lance\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ppjocuug] C:\WINDOWS\system32\gjankbmz.exe
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\AIM.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {1FBE245E-D937-4600-BD20-8407CA92EA83} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinn...am/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...O/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinn...chess/chess.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinn.../familyfeud.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...OCX/flashax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



---And now the CF log:

ComboFix 08-04-13.3 - Lance 2008-04-14 11:16:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.191 [GMT -6:00]
Running from: C:\Documents and Settings\Lance\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Lance\Desktopvirii
C:\Program Files\ContextTool
C:\Program Files\ContextTool\ContextHelper.dat
C:\Program Files\ContextTool\ContextTool-1.dll
C:\Program Files\ContextTool\ContextTool-3.dll
C:\Program Files\ContextTool\pcre3.dll
C:\Program Files\ContextTool\uninstall.exe
C:\Program Files\outlook
C:\WINDOWS\a.bat
C:\WINDOWS\adaway.lic
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\BM354cd689.xml
C:\WINDOWS\dat.txt
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\rs.txt
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_aiqpbter


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-12 19:27 . 2008-04-12 19:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-11 23:41 . 2008-04-12 19:42 <DIR> d-------- C:\Program Files\XoftSpySE
2008-04-09 12:56 . 2008-04-09 12:56 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-28 21:47 . 2008-03-28 21:47 3,908 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 09:03 . 2008-03-28 09:31 <DIR> d-------- C:\temp\ext45874
2008-03-28 09:03 . 2008-03-28 09:03 <DIR> d-------- C:\temp
2008-03-28 01:35 . 2008-03-28 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-28 01:34 . 2008-04-12 19:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 01:34 . 2008-04-12 19:32 <DIR> d-------- C:\Documents and Settings\Lance\Application Data\SUPERAntiSpyware.com
2008-03-28 00:36 . 2008-03-28 00:36 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-03-27 23:54 . 2008-03-27 23:54 <DIR> d-------- C:\Documents and Settings\Lance\Application Data\Ludia
2008-03-27 23:52 . 2008-03-27 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-03-27 23:50 . 2008-03-27 23:50 <DIR> d-------- C:\Program Files\Trymedia
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\DesktopTrojan.Win32.BlackBird.exe
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\DesktopFWebdEditor.exe
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\Desktopfwebd.exe
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\Desktopfkwp2.0.exe
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\Desktopfkwp1.5.exe
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\Desktopfilemanagerclient.exe
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\DesktopEditorFKWP2.0.exe
2008-03-26 13:30 . 2008-03-26 13:30 4,096 --a------ C:\Documents and Settings\Lance\DesktopEditorFKWP1.5.exe
2008-03-26 13:29 . 2008-04-09 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\gfarcjyv
2008-03-26 13:29 . 2008-03-26 13:29 94,208 --a------ C:\WINDOWS\system32\gjankbmz.exe
2008-03-26 13:09 . 2008-03-26 13:09 48 --a------ C:\xmp.bat
2008-03-21 16:14 . 2008-03-21 16:16 <DIR> d-------- C:\Program Files\Gold Miner Vegas
2008-03-19 12:16 . 2008-03-19 12:16 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-15 00:12 . 2002-08-29 01:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-03-15 00:12 . 2002-08-29 01:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys
2008-03-15 00:06 . 2008-03-15 00:06 1,366,923 ---hs---- C:\WINDOWS\system32\dbvywlsh.tmp
2008-03-14 23:38 . 2008-03-14 23:38 <DIR> d-------- C:\Documents and Settings\Lance\Application Data\Malwarebytes
2008-03-14 23:38 . 2008-03-14 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-14 23:37 . 2008-03-28 00:35 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-03-14 22:50 . 2008-03-14 22:50 19,848 --a------ C:\WINDOWS\kuvaleg.exe
2008-03-14 22:50 . 2008-03-14 22:50 19,262 --a------ C:\Documents and Settings\All Users\Application Data\arobi.com
2008-03-14 22:50 . 2008-03-14 22:50 18,988 --a------ C:\Documents and Settings\All Users\Application Data\edudap.vbs
2008-03-14 22:50 . 2008-03-14 22:50 18,666 --a------ C:\WINDOWS\hivypowit.sys
2008-03-14 22:50 . 2008-03-14 22:50 18,256 --a------ C:\WINDOWS\system32\hywivozi.scr
2008-03-14 22:50 . 2008-03-14 22:50 18,183 --a------ C:\Program Files\Common Files\asisixica.dat
2008-03-14 22:50 . 2008-03-14 22:50 18,064 --a------ C:\WINDOWS\system32\qukebit.dl
2008-03-14 22:50 . 2008-03-14 22:50 17,827 --a------ C:\Program Files\Common Files\usuparago.pif
2008-03-14 22:50 . 2008-03-14 22:50 17,390 --a------ C:\WINDOWS\pedemewo.com
2008-03-14 22:50 . 2008-03-14 22:50 15,418 --a------ C:\Documents and Settings\All Users\Application Data\xygygupiju.scr
2008-03-14 22:50 . 2008-03-14 22:50 15,352 --a------ C:\WINDOWS\ziruzy.ban
2008-03-14 22:50 . 2008-03-14 22:50 15,011 --a------ C:\WINDOWS\ivedyre.vbs
2008-03-14 22:50 . 2008-03-14 22:50 14,001 --a------ C:\WINDOWS\ygytuko.exe
2008-03-14 22:50 . 2008-03-14 22:50 13,608 --a------ C:\Documents and Settings\All Users\Application Data\sikixylume.bat
2008-03-14 22:50 . 2008-03-14 22:50 12,592 --a------ C:\Program Files\Common Files\ofilygez.scr
2008-03-14 22:49 . 2008-03-14 22:49 0 --a------ C:\WINDOWS\VPC32.INI
2008-03-14 17:03 . 2008-03-14 17:03 17,592 --a------ C:\WINDOWS\system32\kutumuduqo.scr
2008-03-14 17:03 . 2008-03-14 17:03 16,714 --a------ C:\WINDOWS\system32\xavibyzad.scr
2008-03-14 17:03 . 2008-03-14 17:03 16,035 --a------ C:\WINDOWS\system32\unifeby.pif
2008-03-14 17:03 . 2008-03-14 17:03 13,282 --a------ C:\Documents and Settings\All Users\Application Data\bufuvuzyca.exe
2008-03-14 17:03 . 2008-03-14 17:03 11,864 --a------ C:\WINDOWS\xohizuz.lib
2008-03-14 17:03 . 2008-03-14 17:03 10,361 --a------ C:\Documents and Settings\Lance\Application Data\ulymodukal.sys
2008-03-14 17:02 . 2008-03-14 17:02 18,513 --a------ C:\WINDOWS\xelave.dll
2008-03-14 17:02 . 2008-03-14 17:02 17,171 --a------ C:\Documents and Settings\All Users\Application Data\exeh.scr
2008-03-14 17:02 . 2008-03-14 17:02 15,853 --a------ C:\Documents and Settings\All Users\Application Data\kipotegu.sys
2008-03-14 17:02 . 2008-03-14 17:02 15,482 --a------ C:\WINDOWS\system32\emuk._sy
2008-03-14 17:02 . 2008-03-14 17:02 14,640 --a------ C:\Documents and Settings\All Users\Application Data\ideqeres.bat
2008-03-14 17:02 . 2008-03-14 17:02 14,577 --a------ C:\WINDOWS\elym._dl
2008-03-14 17:02 . 2008-03-14 17:02 14,237 --a------ C:\Program Files\Common Files\esejebenan.dll
2008-03-14 17:02 . 2008-03-14 17:02 11,817 --a------ C:\WINDOWS\eciraxenil._sy
2008-03-14 17:02 . 2008-03-14 17:02 11,262 --a------ C:\WINDOWS\avyruz.dat
2008-03-14 11:39 . 2008-03-28 22:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-14 11:39 . 2008-03-28 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-14 02:16 . 2008-03-14 02:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-03-14 02:04 . 2008-03-14 02:04 44 --a------ C:\p2hhr.bat
2008-03-14 02:03 . 2008-03-14 02:04 2 --a------ C:\914351546
2008-03-14 01:16 . 2008-03-19 12:22 <DIR> d-------- C:\Program Files\PopCap Games
2008-03-14 01:16 . 2008-03-17 22:56 16 --a------ C:\WINDOWS\popcinfot.dat
2008-03-14 01:16 . 2008-03-14 01:16 0 --a------ C:\WINDOWS\popcreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 17:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-14 05:08 --------- d--h--w C:\Documents and Settings\Lance\Application Data\Move Networks
2008-04-14 04:32 --------- d-----w C:\Program Files\Yahoo!
2008-04-13 01:59 --------- d-----w C:\Program Files\Introduction to Accounting
2008-04-10 09:28 --------- d-----w C:\Documents and Settings\Lance\Application Data\U3
2008-03-31 18:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-29 02:28 --------- d-----w C:\Documents and Settings\Lance\Application Data\uTorrent
2008-03-29 02:02 --------- d-----w C:\Program Files\Symantec
2008-03-29 02:01 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-29 02:01 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-29 02:01 48,768 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-29 02:01 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-15 04:50 14,969 ----a-w C:\Program Files\Common Files\jyzutex.inf
2008-03-14 22:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-14 22:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 22:10 --------- d-----w C:\Program Files\Viewpoint
2008-03-14 22:10 --------- d-----w C:\Program Files\AIM6
2008-03-14 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-11 02:50 --------- d-----w C:\Program Files\InterActual
2008-03-10 05:57 --------- d-----w C:\Program Files\BrainSchool
2008-03-03 18:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 07:54 --------- d-----w C:\Program Files\AnMing
2008-03-03 07:53 --------- d-----w C:\Program Files\InterVideo
2008-03-03 07:52 --------- d-----w C:\Documents and Settings\Lance\Application Data\InterVideo
2008-03-03 07:51 --------- d-----w C:\Program Files\Graboid
2008-03-03 07:33 --------- d-----w C:\Program Files\GoldMinerVegas_at
2008-03-03 07:33 --------- d-----w C:\Program Files\AOL Games
2008-03-03 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-22 21:58 --------- d-----w C:\Program Files\iWin.com
2008-02-22 20:21 --------- d-----w C:\Program Files\iPod
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 20:32 --------- d-----w C:\Program Files\QuickTime
2008-02-01 05:34 3,955,352 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2008-02-01 05:33 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-02-01 05:33 411,248 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2008-01-30 05:32 2,293,848 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-01-11 09:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-14 18:50 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 13:00 200767]
"Aim6"="" []
"ppjocuug"="C:\WINDOWS\system32\gjankbmz.exe" [2008-03-26 13:29 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 17:14 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-06-11 17:56 286720 C:\WINDOWS\system32\atiptaxx.exe]
"CARPService"="carpserv.exe" [2003-05-21 15:35 4608 C:\WINDOWS\system32\carpserv.exe]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 09:05 36864]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 15:34 36864]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26 45056]
"QT4HPOT"="C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE" [2002-10-14 11:57 98304]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-09-09 16:42 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-09-09 16:41 557056]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2002-10-23 15:19 176197]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ISLP2STA.EXE"="ISLP2STA.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Viewbar"="C:\Documents and Settings\Lance\Desktop\Viewbar\AGLOCO Viewbar\Viewbar.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 06:27 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Lance\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-12-20 12:29 125632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 19:38 52840]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\LimeWire\\LimeWire.exe"=
"C:\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\Program Files\Symantec AntiVirus\rtvscan.exe"= C:\Program Files\Symantec AntiVirus\rtvscan.exe:128.187.21.147/255.255.255.255,128.187.21.148/255.255.255.255:Enabled:VirusScan(rtvscan.exe)
"C:\\Lance\\iTunes\\iTunes.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 20:10:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-14 08:00:03 C:\WINDOWS\Tasks\B2F706A595C48321.job"
- c:\docume~1\lance\applic~1\flapname\Second Surf Trust.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 11:30:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????3?0?1?6??`???? ?X#B?????????????l|B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-14 11:38:33 - machine was rebooted [Lance]
ComboFix-quarantined-files.txt 2008-04-14 17:37:53

Pre-Run: 10,246,189,056 bytes free
Post-Run: 10,223,312,896 bytes free
.
2008-04-09 19:00:53 --- E O F ---

#4 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 14 April 2008 - 12:35 PM

Hi

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

XP Media Centre is based upon XP Professional

Posted Image


Download the file & save it as it's originally named, next to ComboFix.exe.

Posted Image

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#5 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 14 April 2008 - 01:10 PM

Thanks again! Here it is; WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#6 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 14 April 2008 - 01:18 PM

Hi

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in your next reply.

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#7 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 15 April 2008 - 11:44 PM

Sorry for the delayed response... I've been kinda busy. Thanks for still looking at this!



SDFix: Version 1.171
Run by Lance on 2008-04-15 at 23:11

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\914351~1 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 23:26:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00179a2b1613]
"0016dbd6ff1f"=hex:4f,c3,34,fb,c5,73,86,55,ff,be,64,88,92,b0,df,56
"0016cef2d1e0"=hex:6f,63,0a,4c,44,62,e5,bb,31,75,d8,32,b3,e6,b1,92
"0016dbbe1180"=hex:41,8d,49,c1,17,f3,c3,5e,18,c3,05,2a,3d,4a,a3,d6
"0017d54c1a71"=hex:32,b7,be,9d,96,6a,ab,28,0e,d7,eb,1e,af,11,f0,24
"08007bca39f6"=hex:7b,2d,16,3d,53,c1,7a,0c,eb,7c,9d,ff,a8,af,37,27
"08007be80959"=hex:8c,90,4b,a8,54,76,85,71,81,eb,4a,ba,fc,2b,e5,84
"0012370a8284"=hex:fe,4e,3c,88,07,2f,33,8e,91,c3,d9,c2,55,6b,2b,30
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00179a2b1613]
"0016dbd6ff1f"=hex:4f,c3,34,fb,c5,73,86,55,ff,be,64,88,92,b0,df,56
"0016cef2d1e0"=hex:6f,63,0a,4c,44,62,e5,bb,31,75,d8,32,b3,e6,b1,92
"0016dbbe1180"=hex:41,8d,49,c1,17,f3,c3,5e,18,c3,05,2a,3d,4a,a3,d6
"0017d54c1a71"=hex:32,b7,be,9d,96,6a,ab,28,0e,d7,eb,1e,af,11,f0,24
"08007bca39f6"=hex:7b,2d,16,3d,53,c1,7a,0c,eb,7c,9d,ff,a8,af,37,27
"08007be80959"=hex:8c,90,4b,a8,54,76,85,71,81,eb,4a,ba,fc,2b,e5,84
"0012370a8284"=hex:fe,4e,3c,88,07,2f,33,8e,91,c3,d9,c2,55,6b,2b,30

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"appinit_dlls"=""

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 3


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\LimeWire\\LimeWire.exe"="C:\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\AIM\\aim.exe"="C:\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Symantec AntiVirus\\rtvscan.exe"="C:\\Program Files\\Symantec AntiVirus\\rtvscan.exe:128.187.21.147/255.255.255.255,128.187.21.148/255.255.255.255:Enabled:VirusScan(rtvscan.exe)"
"C:\\Lance\\iTunes\\iTunes.exe"="C:\\Lance\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Sat 15 Mar 2008 1,366,923 ..SH. --- "C:\WINDOWS\system32\dbvywlsh.tmp"
Mon 2 Oct 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 29 Oct 2006 510 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiD7.tmp"
Sun 6 Aug 2000 28,738 A..HR --- "C:\WINDOWS\Office\MSDE2000\SQLRESLD.DLL"
Thu 7 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Lance\Application Data\U3\temp\Launchpad Removal.exe"
Mon 2 Oct 2006 4,348 ...H. --- "C:\Documents and Settings\Lance\My Documents\My Music\License Backup\drmv1key.bak"
Mon 2 Oct 2006 20 A..H. --- "C:\Documents and Settings\Lance\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 9 Sep 2006 312 A.SH. --- "C:\Documents and Settings\Lance\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

#8 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 16 April 2008 - 03:53 AM

Hi

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\dbvywlsh.tmp
Click Submit.
Please post the results of this scan to this thread.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#9 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 16 April 2008 - 03:33 PM

Here are my results: Scan taken on 16 Apr 2008 21:29:50 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Fortinet Found nothing Ikarus Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing

#10 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 16 April 2008 - 03:35 PM

I don't know if you needed this too so..... Last file scanned at least one scanner reported something about: waun.exe (MD5: f906f92bf98ebbbf35e1ffc83920318f, size: 10240 bytes), detected by: Scanner Malware name A-Squared X AntiVir X ArcaVir X Avast X AVG Antivirus X BitDefender Trojan.Peed.Gen ClamAV X CPsecure X Dr.Web X F-Prot Antivirus X F-Secure Anti-Virus Trojan-Downloader.Win32.Zlob.lgz Fortinet X Ikarus Trojan-Downloader.Zlob.ABNI Kaspersky Anti-Virus Trojan-Downloader.Win32.Zlob.lgz NOD32 Win32/TrojanDownloader.Zlob.BUN Norman Virus Control X Panda Antivirus X Sophos Antivirus X VirusBuster X VBA32 X

    Advertisements

Register to Remove


#11 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 16 April 2008 - 03:52 PM

Hi

Not sure why that happens, the bottom section, but it's not needed.

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::

File::
C:\Documents and Settings\Lance\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Lance\DesktopFWebdEditor.exe
C:\Documents and Settings\Lance\Desktopfwebd.exe
C:\Documents and Settings\Lance\Desktopfkwp2.0.exe
C:\Documents and Settings\Lance\Desktopfkwp1.5.exe
C:\Documents and Settings\Lance\Desktopfilemanagerclient.exe
C:\Documents and Settings\Lance\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Lance\DesktopEditorFKWP1.5.exe
C:\WINDOWS\system32\gjankbmz.exe
C:\xmp.bat
C:\WINDOWS\system32\dbvywlsh.tmp
C:\WINDOWS\kuvaleg.exe
C:\Documents and Settings\All Users\Application Data\arobi.com
C:\Documents and Settings\All Users\Application Data\edudap.vbs
C:\WINDOWS\hivypowit.sys
C:\WINDOWS\system32\hywivozi.scr
C:\Program Files\Common Files\asisixica.dat
C:\WINDOWS\system32\qukebit.dl
C:\Program Files\Common Files\usuparago.pif
C:\WINDOWS\pedemewo.com
C:\Documents and Settings\All Users\Application Data\xygygupiju.scr
C:\WINDOWS\ziruzy.ban
C:\WINDOWS\ivedyre.vbs
C:\WINDOWS\ygytuko.exe
C:\Documents and Settings\All Users\Application Data\sikixylume.bat
C:\Program Files\Common Files\ofilygez.scr
C:\WINDOWS\VPC32.INI
C:\WINDOWS\system32\kutumuduqo.scr
C:\WINDOWS\system32\xavibyzad.scr
C:\WINDOWS\system32\unifeby.pif
C:\Documents and Settings\All Users\Application Data\bufuvuzyca.exe
C:\WINDOWS\xohizuz.lib
C:\Documents and Settings\Lance\Application Data\ulymodukal.sys
C:\WINDOWS\xelave.dll
C:\Documents and Settings\All Users\Application Data\exeh.scr
C:\Documents and Settings\All Users\Application Data\kipotegu.sys
C:\WINDOWS\system32\emuk._sy
C:\Documents and Settings\All Users\Application Data\ideqeres.bat
C:\WINDOWS\elym._dl
C:\Program Files\Common Files\esejebenan.dll
C:\WINDOWS\eciraxenil._sy
C:\WINDOWS\avyruz.dat
C:\p2hhr.bat
C:\914351546
C:\Program Files\Common Files\jyzutex.inf
C:\WINDOWS\Tasks\B2F706A595C48321.job
 
Folder::
C:\Program Files\XoftSpySE
C:\temp\ext45874
C:\Documents and Settings\All Users\Application Data\gfarcjyv
C:\Documents and Settings\Lance\Desktop\Viewbar
c:\docume~1\lance\applic~1\flapname

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ppjocuug"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Viewbar"=-

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Refering to the picture above, drag CFScript into ComboFix.exe


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet.Re-enable the anti-virus before reconnecting to the Internet.


In your next reply post:
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run

You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#12 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 17 April 2008 - 02:12 PM

That scan took quite a long time, but here are my three reports of Combofix, Kaspersky, and Hijackthis... thanks again!


COMBOFIX:


ComboFix 08-04-13.3 - Lance 2008-04-16 15:59:16.2 - NTFSx86
Running from: C:\Documents and Settings\Lance\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lance\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\914351546
C:\Documents and Settings\All Users\Application Data\arobi.com
C:\Documents and Settings\All Users\Application Data\bufuvuzyca.exe
C:\Documents and Settings\All Users\Application Data\edudap.vbs
C:\Documents and Settings\All Users\Application Data\exeh.scr
C:\Documents and Settings\All Users\Application Data\ideqeres.bat
C:\Documents and Settings\All Users\Application Data\kipotegu.sys
C:\Documents and Settings\All Users\Application Data\sikixylume.bat
C:\Documents and Settings\All Users\Application Data\xygygupiju.scr
C:\Documents and Settings\Lance\Application Data\ulymodukal.sys
C:\Documents and Settings\Lance\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Lance\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Lance\Desktopfilemanagerclient.exe
C:\Documents and Settings\Lance\Desktopfkwp1.5.exe
C:\Documents and Settings\Lance\Desktopfkwp2.0.exe
C:\Documents and Settings\Lance\Desktopfwebd.exe
C:\Documents and Settings\Lance\DesktopFWebdEditor.exe
C:\Documents and Settings\Lance\DesktopTrojan.Win32.BlackBird.exe
C:\p2hhr.bat
C:\Program Files\Common Files\asisixica.dat
C:\Program Files\Common Files\esejebenan.dll
C:\Program Files\Common Files\jyzutex.inf
C:\Program Files\Common Files\ofilygez.scr
C:\Program Files\Common Files\usuparago.pif
C:\WINDOWS\avyruz.dat
C:\WINDOWS\eciraxenil._sy
C:\WINDOWS\elym._dl
C:\WINDOWS\hivypowit.sys
C:\WINDOWS\ivedyre.vbs
C:\WINDOWS\kuvaleg.exe
C:\WINDOWS\pedemewo.com
C:\WINDOWS\system32\dbvywlsh.tmp
C:\WINDOWS\system32\emuk._sy
C:\WINDOWS\system32\gjankbmz.exe
C:\WINDOWS\system32\hywivozi.scr
C:\WINDOWS\system32\kutumuduqo.scr
C:\WINDOWS\system32\qukebit.dl
C:\WINDOWS\system32\unifeby.pif
C:\WINDOWS\system32\xavibyzad.scr
C:\WINDOWS\Tasks\B2F706A595C48321.job
C:\WINDOWS\VPC32.INI
C:\WINDOWS\xelave.dll
C:\WINDOWS\xohizuz.lib
C:\WINDOWS\ygytuko.exe
C:\WINDOWS\ziruzy.ban
C:\xmp.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\lance\applic~1\flapname
c:\docume~1\lance\applic~1\flapname\4374416B
C:\Documents and Settings\All Users\Application Data\arobi.com
C:\Documents and Settings\All Users\Application Data\bufuvuzyca.exe
C:\Documents and Settings\All Users\Application Data\edudap.vbs
C:\Documents and Settings\All Users\Application Data\exeh.scr
C:\Documents and Settings\All Users\Application Data\gfarcjyv
C:\Documents and Settings\All Users\Application Data\ideqeres.bat
C:\Documents and Settings\All Users\Application Data\kipotegu.sys
C:\Documents and Settings\All Users\Application Data\sikixylume.bat
C:\Documents and Settings\All Users\Application Data\xygygupiju.scr
C:\Documents and Settings\Lance\Application Data\ulymodukal.sys
C:\Documents and Settings\Lance\Desktopblackbird.jpg
C:\Documents and Settings\Lance\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Lance\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Lance\Desktopfilemanagerclient.exe
C:\Documents and Settings\Lance\Desktopfkwp1.5.exe
C:\Documents and Settings\Lance\Desktopfkwp2.0.exe
C:\Documents and Settings\Lance\Desktopfwebd.exe
C:\Documents and Settings\Lance\DesktopFWebdEditor.exe
C:\Documents and Settings\Lance\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Lance\Local Settings\Temporary Internet Files\domegurelo.lib
C:\Documents and Settings\Lance\Local Settings\Temporary Internet Files\josaviryr._dl
C:\p2hhr.bat
C:\Program Files\Common Files\asisixica.dat
C:\Program Files\Common Files\esejebenan.dll
C:\Program Files\Common Files\jyzutex.inf
C:\Program Files\Common Files\ofilygez.scr
C:\Program Files\Common Files\usuparago.pif
C:\Program Files\XoftSpySE
C:\Program Files\XoftSpySE\xAutoUpdate.dll
C:\temp\ext45874
C:\temp\ext45874\install.exe
C:\temp\ext45874\install.res.1033.dll
C:\WINDOWS\avyruz.dat
C:\WINDOWS\eciraxenil._sy
C:\WINDOWS\elym._dl
C:\WINDOWS\hivypowit.sys
C:\WINDOWS\ivedyre.vbs
C:\WINDOWS\kuvaleg.exe
C:\WINDOWS\pedemewo.com
C:\WINDOWS\system32\dbvywlsh.tmp
C:\WINDOWS\system32\emuk._sy
C:\WINDOWS\system32\gjankbmz.exe
C:\WINDOWS\system32\hywivozi.scr
C:\WINDOWS\system32\kutumuduqo.scr
C:\WINDOWS\system32\qukebit.dl
C:\WINDOWS\system32\unifeby.pif
C:\WINDOWS\system32\xavibyzad.scr
C:\WINDOWS\Tasks\B2F706A595C48321.job
C:\WINDOWS\VPC32.INI
C:\WINDOWS\xelave.dll
C:\WINDOWS\xohizuz.lib
C:\WINDOWS\ygytuko.exe
C:\WINDOWS\ziruzy.ban
C:\xmp.bat

.
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 23:08 . 2008-04-15 23:08 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-15 23:01 . 2008-04-15 23:39 <DIR> d-------- C:\SDFix
2008-04-12 19:27 . 2008-04-12 19:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 12:56 . 2008-04-09 12:56 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-28 21:47 . 2008-03-28 21:47 3,908 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 09:03 . 2008-04-16 16:01 <DIR> d-------- C:\temp
2008-03-28 01:35 . 2008-03-28 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-28 01:34 . 2008-04-12 19:32 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 01:34 . 2008-04-12 19:32 <DIR> d-------- C:\Documents and Settings\Lance\Application Data\SUPERAntiSpyware.com
2008-03-28 00:36 . 2008-03-28 00:36 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-03-27 23:54 . 2008-03-27 23:54 <DIR> d-------- C:\Documents and Settings\Lance\Application Data\Ludia
2008-03-27 23:52 . 2008-03-27 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-03-27 23:50 . 2008-03-27 23:50 <DIR> d-------- C:\Program Files\Trymedia
2008-03-21 16:14 . 2008-03-21 16:16 <DIR> d-------- C:\Program Files\Gold Miner Vegas
2008-03-19 12:16 . 2008-03-19 12:16 <DIR> d-------- C:\Program Files\ReflexiveArcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 22:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-14 05:08 --------- d--h--w C:\Documents and Settings\Lance\Application Data\Move Networks
2008-04-14 04:32 --------- d-----w C:\Program Files\Yahoo!
2008-04-13 01:59 --------- d-----w C:\Program Files\Introduction to Accounting
2008-04-10 09:28 --------- d-----w C:\Documents and Settings\Lance\Application Data\U3
2008-03-31 18:32 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-29 04:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-29 04:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 02:28 --------- d-----w C:\Documents and Settings\Lance\Application Data\uTorrent
2008-03-29 02:02 --------- d-----w C:\Program Files\Symantec
2008-03-29 02:01 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-29 02:01 8,014 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-29 02:01 110,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-28 06:35 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-03-19 18:22 --------- d-----w C:\Program Files\PopCap Games
2008-03-15 05:38 --------- d-----w C:\Documents and Settings\Lance\Application Data\Malwarebytes
2008-03-15 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-14 22:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-14 22:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 22:10 --------- d-----w C:\Program Files\Viewpoint
2008-03-14 22:10 --------- d-----w C:\Program Files\AIM6
2008-03-14 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-14 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2008-03-11 02:50 --------- d-----w C:\Program Files\InterActual
2008-03-10 05:57 --------- d-----w C:\Program Files\BrainSchool
2008-03-03 18:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 07:54 --------- d-----w C:\Program Files\AnMing
2008-03-03 07:53 --------- d-----w C:\Program Files\InterVideo
2008-03-03 07:52 --------- d-----w C:\Documents and Settings\Lance\Application Data\InterVideo
2008-03-03 07:51 --------- d-----w C:\Program Files\Graboid
2008-03-03 07:33 --------- d-----w C:\Program Files\GoldMinerVegas_at
2008-03-03 07:33 --------- d-----w C:\Program Files\AOL Games
2008-03-03 03:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-22 21:58 --------- d-----w C:\Program Files\iWin.com
2008-02-22 20:21 --------- d-----w C:\Program Files\iPod
2008-02-01 05:34 3,955,352 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2008-02-01 05:33 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-02-01 05:33 411,248 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2008-01-30 05:32 2,293,848 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-01-11 09:23 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-14_11.37.25.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 17:27:12 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-16 22:08:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 17:38:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-16 05:08:16 4,546,560 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-16 05:08:16 184,320 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-15 17:38:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-16 05:08:09 4,546,560 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-16 05:08:09 184,320 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-14 18:50 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MoneyAgent"="c:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 13:00 200767]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-11 17:14 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-06-11 17:56 286720 C:\WINDOWS\system32\atiptaxx.exe]
"CARPService"="carpserv.exe" [2003-05-21 15:35 4608 C:\WINDOWS\system32\carpserv.exe]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 09:05 36864]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 15:34 36864]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26 45056]
"QT4HPOT"="C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE" [2002-10-14 11:57 98304]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-09-09 16:42 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-09-09 16:41 557056]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2002-10-23 15:19 176197]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ISLP2STA.EXE"="ISLP2STA.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 06:27 185632]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Lance\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-12-20 12:29 125632]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 19:38 52840]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\LimeWire\\LimeWire.exe"=
"C:\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\Program Files\Symantec AntiVirus\rtvscan.exe"= C:\Program Files\Symantec AntiVirus\rtvscan.exe:128.187.21.147/255.255.255.255,128.187.21.148/255.255.255.255:Enabled:VirusScan(rtvscan.exe)
"C:\\Lance\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 09:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 09:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2002-08-28 18:00]
S3 AR5523;Atheros USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys [2005-06-08 13:15]
S3 ATHFMWDL;Atheros USB Wireless Adapter Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2005-06-08 13:18]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\islp2nds.sys [2002-10-03 18:07]
S3 WLP92B;3Com 3CRWE62092B Wireless LAN PC Card;C:\WINDOWS\system32\DRIVERS\wlp92bf.sys [2002-08-27 07:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-22 20:10:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 16:10:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????3?0?1?6??P???? ?X#B?????????????l|B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-16 16:22:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 22:21:32
ComboFix2.txt 2008-04-14 17:38:34

Pre-Run: 10,722,119,680 bytes free
Post-Run: 10,708,115,456 bytes free
.
2008-04-09 19:00:53 --- E O F ---





KASPERSKY:


KASPERSKY ONLINE SCANNER REPORT
2008-04-17 14:06
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/04/2008
Kaspersky Anti-Virus database records: 712233
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 90260
Number of viruses found 29
Number of infected objects 62
Number of suspicious objects 0
Duration of the scan process 04:09:56

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880000\4F8EE136.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880001\4F8EE1A8.VBN Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880002\4F8EE1BE.VBN Infected: Trojan.Win32.Agent.giy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880004\4F8EE33E.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880005\4F8EE368.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880006\4F8EE393.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880007\4F8EE3E9.VBN Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880008\4F8EE429.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880009\4F8EE46F.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88000A\4F8EE498.VBN Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88000B\4F8EE4D6.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88000C\4F8EE512.VBN Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88000D\4F8EE548.VBN Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88000E\4F8EE5A3.VBN Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88000F\4F8EE5F6.VBN Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880010\4F8EE623.VBN Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880011\4F8EE681.VBN Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880012\4F8EE6AC.VBN Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880013\4F8EE6DA.VBN Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880014\4F8EEBD9.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.dco skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880016\4F8EF45A.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.dcn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880017\4F8EFB86.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.dcp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880018\4F8F00C1.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.dcq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880019\4F8F012E.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88001A\4F8F058B.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.dcr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88001C\4F8F0629.VBN Infected: Backdoor.Win32.Prosti.dr skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F88001D\4F8F0642.VBN Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Lance\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.30292 Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\Documents and Settings\Lance\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.90287 Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\Documents and Settings\Lance\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lance\Desktop\Online Stuff\MyFunCardsSetup2.2.60.11-2.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.cb skipped
C:\Documents and Settings\Lance\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lance\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lance\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lance\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lance\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lance\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0118NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0869NAV~.TMP Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\ContextTool\ContextTool-1.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.vm skipped
C:\QooBox\Quarantine\C\Program Files\ContextTool\ContextTool-3.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.vm skipped
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP590\A0040788.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP617\A0043689.exe Infected: not-a-virus:AdTool.Win32.Zango.j skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP618\A0043698.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP622\A0046741.exe Infected: not-a-virus:AdWare.Win32.Megap.a skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP622\A0046743.exe/adblastdemo.exe Infected: not-a-virus:AdWare.Win32.Megap.a skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP622\A0046743.exe Vise: infected - 1 skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP624\A0047770.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP629\A0048779.exe/data.rar/crack.exe Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP629\A0048779.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP629\A0048779.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.swa skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP629\A0048779.exe/data.rar Infected: Trojan-Downloader.Win32.Small.swa skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP629\A0048779.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP630\A0048795.exe/data0000.bin/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP630\A0048795.exe/data0000.bin Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP630\A0048795.exe EmbeddedEXE: infected - 2 skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP630\A0048796.exe Infected: Trojan-Downloader.Win32.Small.gkk skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP630\A0048799.exe Infected: Trojan-Downloader.Win32.Small.iui skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP631\A0049162.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP631\A0049165.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP631\A0052349.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP635\A0053747.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP638\A0053933.exe Infected: Trojan-Downloader.Win32.Obfuscated.fi skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP640\A0055107.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP640\A0055107.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP640\A0055107.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP640\A0055115.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP640\A0055196.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP642\A0055343.dll Infected: not-a-virus:AdWare.Win32.Agent.vm skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP642\A0055344.dll Infected: not-a-virus:AdWare.Win32.Agent.vm skipped
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP644\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4241BB2E-2BEC-4F36-B5F8-11D1DFC2CE6A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.





HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 14:09, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Lance\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c02&lc=0409
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Lance\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\AIM.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {1FBE245E-D937-4600-BD20-8407CA92EA83} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinn...am/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...O/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinn...chess/chess.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinn.../familyfeud.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...OCX/flashax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#13 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 17 April 2008 - 02:41 PM

Hi

First of all, you need to empty the Norton Quarantine.
See here

Then open Malwarebytes Antimalware and select Quarantine then Delete All

Then update Malwarebytes Anti-Malware.


You need to delete this file
C:\Documents and Settings\Lance\Desktop\Online Stuff\MyFunCardsSetup2.2.60.11-2.exe


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Posted Image


I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto‑updating for the Viewpoint Manager ‑‑ the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Viewpoint Manager Service, click Remove.
  • Do the same for each Viewpoint component.


Finally, run a Full Scan with MBAM and post the resultant log with a new Hijackthis log.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

#14 RockiesInOctober

RockiesInOctober

    New Member

  • New Member
  • Pip
  • 13 posts

Posted 17 April 2008 - 05:36 PM

Here are my mbam and hijackthis logs:



MBAM:


Malwarebytes' Anti-Malware 1.11
Database version: 642

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 114764
Time elapsed: 1 hour(s), 18 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> No action taken.
HKEY_CLASSES_ROOT\pornpro.pornpro_bho (Adware.PlayaZ) -> No action taken.
HKEY_CLASSES_ROOT\pornpro.pornpro_bho.1 (Adware.PlayaZ) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lance\Desktop\DesktopLightningInstall.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Search And Destroy Setup Log.txt (Rogue.SearchAndDestroy) -> No action taken.






HIJACKTHIS:


Logfile of HijackThis v1.99.1
Scan saved at 17:35, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Lance\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...t...c02&lc=0409
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Lance\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\AIM.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {1FBE245E-D937-4600-BD20-8407CA92EA83} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} (SkillGam Control) - http://www.worldwinn...am/skillgam.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...O/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C738EA53-97C2-441B-AC52-DFBC597BCBE5} (Chess Control) - http://www.worldwinn...chess/chess.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinn...paint/paint.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinn.../familyfeud.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valu...OCX/flashax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#15 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 18 April 2008 - 04:29 AM

Hmm, wonder why MBAM took no action?

Navigate to and delete the following files and/or folders (if they are present):

Files:
C:\Documents and Settings\Lance\Desktop\SDFix
C:\Documents and Settings\Lance\Desktop\DesktopLightningInstall.exe

Folders:
C:\SDFix


Warning.Please note that this fix is specific for this poster and should not be used by anyone else:

1.Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    Here
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.


2. Please do this:
  • Copy the contents of the Code Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop
REGEDIT4 

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}]

[-HKEY_CLASSES_ROOT\pornpro.pornpro_bho]

[-HKEY_CLASSES_ROOT\pornpro.pornpro_bho.1]

Make sure there are NO blank lines before REGEDIT4

Then double-click on the fix.reg file, and when it prompts to merge say yes.

Then post another HijackThis log.
You too could train to help others- Join the Classroom

Posted Image


Posted Image

Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users