Possible Troj/agent-gzf

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Possible Troj/agent-gzf, Need help fixing problem

Options

judibug View Member Profile	May 25 2008, 01:23 AM Post #1
Member Group: Members Posts: 18 Joined: 24-May 08 Member No.: 210,775	I need help! I clicked a link that I obviously shouldn't have on a website and IE closed. When I opened a new window the screen said my security settings were wrong. I went into internet options and reset them. I tried to run Norton but got an error screen saying "unable to start the integrator. Please reboot and try again." I rebooted my computer and got the same errors. Whenever I reboot my IE security settings are changed again and I constantly have a windows explorer error pop up saying "Windows Explorer has encountered a problem and needs to close." I ran an online Panda scan which marked a file suspicious with the name ftp34.dll I googled the problems and found you guys again(needed help a couple years ago). Deckard's System Scanner v20071014.68 Run by Diva on 2008-05-24 19:37:43 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Diva.exe) ------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:39:14 PM, on 5/24/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Documents and Settings\LocalService\cftmon.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\WINDOWS\system32\dwwin.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Documents and Settings\Diva\Desktop\dss.exe C:\DOCUME~1\Diva\Desktop\Diva.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Diva\cftmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Diva\cftmon.exe O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {05E0D4E9-A832-4886-B443-3729E04B3704} (Living Picture Player) - http://www.gamewaredevelopment.co.uk/cab/livingpicturex.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 8062 bytes -- Files created between 2008-04-24 and 2008-05-24 ----------------------------- 2008-05-24 03:04:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-05-24 03:04:03 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-05-24 03:04:02 0 d-------- C:\WINDOWS\LastGood 2008-05-23 19:06:03 0 d-------- C:\Program Files\PCPitstop 2008-05-23 12:03:13 0 d-------- C:\Program Files\Panda Security 2008-05-23 09:16:24 5120 --a------ C:\Documents and Settings\LocalService\ftp34.dll 2008-05-23 09:16:24 34816 --a------ C:\Documents and Settings\LocalService\cftmon.exe 2008-05-23 09:09:45 6640 --a------ C:\Documents and Settings\Diva\mpr.dat 2008-05-23 09:09:44 6640 --a------ C:\Documents and Settings\Diva\mpr2.dat 2008-05-23 09:09:43 5120 --a------ C:\WINDOWS\system32\ftp34.dll 2008-05-23 09:09:42 34816 --a------ C:\WINDOWS\system32\drivers\spools.exe 2008-05-23 09:09:42 5120 --a------ C:\Documents and Settings\Diva\ftp34.dll 2008-05-23 09:09:42 34816 --a------ C:\Documents and Settings\Diva\cftmon.exe 2008-05-17 00:43:01 0 d-------- C:\Documents and Settings\All Users\Application Data\namesuppressed 2008-05-04 14:09:16 0 d-------- C:\Documents and Settings\Diva\Application Data\acccore 2008-05-04 13:58:21 0 d-------- C:\Program Files\Common Files\AOL 2008-05-04 13:58:06 0 d-------- C:\Program Files\AIM6 2008-04-24 13:44:43 0 d-------- C:\gmax 2008-04-24 13:21:50 0 d-------- C:\Documents and Settings\Diva\Application Data\MilkShape 3D 1.x.x -- Find3M Report --------------------------------------------------------------- 2008-05-23 21:59:27 0 d-------- C:\Program Files\Common Files 2008-05-23 15:34:04 0 d-------- C:\Program Files\Common Files\Symantec Shared 2008-05-22 00:17:56 0 d-------- C:\Program Files\Conquer 2.0 2008-05-16 00:47:38 0 d-------- C:\Documents and Settings\Diva\Application Data\uTorrent 2008-05-12 12:59:51 0 d-------- C:\Program Files\CodeTwister 2008-05-12 12:59:04 0 d-------- C:\Program Files\e frontier 2008-05-12 11:44:57 0 d-------- C:\Program Files\CrossDresser2 2008-05-04 13:48:12 0 d-------- C:\Program Files\DivX 2008-04-21 20:58:37 0 d-------- C:\Program Files\Macromedia 2008-04-21 20:23:28 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-04-21 20:18:27 0 d-------- C:\Program Files\BC Divorce Forms 2008-03-25 18:46:46 0 d-------- C:\Documents and Settings\Diva\Application Data\ATI 2008-03-25 18:41:25 0 d-------- C:\Program Files\ATI Technologies 2008-03-25 18:39:50 0 d-------- C:\Program Files\Common Files\ATI Technologies -- Registry Dump --------------------------------------------------------------- Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/13/2006 02:20 PM] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [11/18/2006 12:53 PM] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [09/25/2006 09:12 AM] "ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [05/23/2008 09:09 AM] "autoload"="C:\Documents and Settings\Diva\cftmon.exe" [05/23/2008 09:09 AM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/23/2007 10:41 AM] "ntuser"="C:\WINDOWS\system32\drivers\spools.exe" [05/23/2008 09:09 AM] "autoload"="C:\Documents and Settings\Diva\cftmon.exe" [05/23/2008 09:09 AM] [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "ntuser"=C:\WINDOWS\system32\drivers\spools.exe "autoload"=C:\Documents and Settings\LocalService\cftmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 -- End of Deckard's System Scanner: finished at 2008-05-24 19:40:16 ------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:39:14 PM, on 5/24/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Documents and Settings\LocalService\cftmon.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\explorer.exe C:\WINDOWS\system32\dwwin.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Documents and Settings\Diva\Desktop\dss.exe C:\DOCUME~1\Diva\Desktop\Diva.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Diva\cftmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Diva\cftmon.exe O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {05E0D4E9-A832-4886-B443-3729E04B3704} (Living Picture Player) - http://www.gamewaredevelopment.co.uk/cab/livingpicturex.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 8062 bytes Saturday, May 24, 2008 7:28:20 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 24/05/2008 Kaspersky Anti-Virus database records: 799612 Scan Settings Scan using the following antivirus database extended Scan Archives true Scan Mail Bases true Scan Target My Computer C:\ D:\ E:\ Scan Statistics Total number of scanned objects 348923 Number of viruses found 3 Number of infected objects 29 Number of suspicious objects 0 Duration of the scan process 02:38:47 Infected Object Name Virus Name Last Action C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-24_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped C:\Documents and Settings\Diva\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CD24.rar/CrossDresser2.4 - Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CD24.rar RAR: infected - 1 skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0-Full-Installer.zip/CrossDresser3.0 Full - Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0-Full-Installer.zip ZIP: infected - 1 skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0.1-Patch-Installer.zip/CrossDresser3.0.1-Patch-Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0.1-Patch-Installer.zip ZIP: infected - 1 skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\poser\Crossdresser new\Renderosity - 58051 - EvilInnocence - CrossDresser2.1 Installer.zip/CrossDresser2.1 Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Documents and Settings\Diva\Desktop\MY DESKTOP\poser\Crossdresser new\Renderosity - 58051 - EvilInnocence - CrossDresser2.1 Installer.zip ZIP: infected - 1 skipped C:\Documents and Settings\Diva\ftp34.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\Documents and Settings\Diva\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped C:\Documents and Settings\Diva\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Diva\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Diva\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Diva\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat Object is locked skipped C:\Documents and Settings\Diva\Local Settings\Temp\11101A6.dmp Object is locked skipped C:\Documents and Settings\Diva\Local Settings\Temp\Perflib_Perfdata_10c.dat Object is locked skipped C:\Documents and Settings\Diva\Local Settings\Temp\Perflib_Perfdata_210.dat Object is locked skipped C:\Documents and Settings\Diva\Local Settings\Temp\Perflib_Perfdata_4c8.dat Object is locked skipped C:\Documents and Settings\Diva\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Diva\My Documents\Downloads\3DHAHomeDesignSE6-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer\CrossDresser2.5.1 - Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer.zip/CrossDresser2.5.1 - Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer.zip ZIP: infected - 1 skipped C:\Documents and Settings\Diva\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Diva\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ftp34.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Patch Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped C:\RECYCLER\S-1-5-21-73586283-113007714-1801674531-1004\Dc138.0-Full-Installer\CrossDresser3.0 Full - Installer.exe Infected: not-a-virus:FraudTool.Win32.MasterAntiVirus.a skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0074953.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0074954.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075953.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075954.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075955.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075960.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075961.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075964.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075983.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075984.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\A0075985.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\System Volume Information\_restore{6146B18D-B7D3-4D71-8B87-856D6722BDF4}\RP597\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\pfirewall.log Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{65C4673E-71B8-401B-A3D1-604234F055F6}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\ftp34.dll Infected: Trojan-Downloader.Win32.Small.vrw skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

dan12 View Member Profile	May 25 2008, 04:38 AM Post #2
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	Hi,judibug, Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, the Advanced Options Menu should appear; Select the first option, to run Windows in Safe Mode, then press Enter. Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum with a new HijackThis log dan

judibug View Member Profile	May 25 2008, 02:04 PM Post #3
Member Group: Members Posts: 18 Joined: 24-May 08 Member No.: 210,775	Here is the report from SDFIX and a new HijackThis log... SDFix: Version 1.185 Run by Diva on Sun 05/25/2008 at 10:57 AM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Restoring Default Schedule Service Path Rebooting Checking Files : Trojan Files Found: C:\Documents and Settings\Diva\cftmon.exe - Deleted C:\Documents and Settings\LocalService\cftmon.exe - Deleted C:\WINDOWS\system32\drivers\spools.exe - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-25 11:42:11 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe::Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe::Enabled:æTorrent" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe::Enabled:AOL Loader" "C:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"="C:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe::Enabled:Poser executable file" "C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe::Enabled:Internet Explorer" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe::Enabled:Skype" "C:\\Program Files\\e frontier\\Poser 7\\Poser.exe"="C:\\Program Files\\e frontier\\Poser 7\\Poser.exe::Enabled:Poser executable file" "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe::Enabled:AIM" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe::Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe::Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe::Enabled:Windows Live Messenger 8.1 (Phone)" Remaining Files* : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Sat 24 Feb 2007 848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys" Sat 18 Nov 2006 110,592 A..H. --- "C:\Program Files\Plan3D\Floorplanner\InstallUpdater.dll" Fri 15 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Wed 4 Aug 2004 73,728 A.SH. --- "C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe" Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp" Tue 25 Mar 2008 12,029,264 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3894060077e055ab013d5f0ef231efd\BIT1.tmp" Finished! Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:01:58 PM, on 5/25/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Documents and Settings\Diva\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {05E0D4E9-A832-4886-B443-3729E04B3704} (Living Picture Player) - http://www.gamewaredevelopment.co.uk/cab/livingpicturex.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 7356 bytes

dan12 View Member Profile	May 26 2008, 04:58 AM Post #4
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	Sorry for delay,trying to keep everyone happy. Optional - VIEWPOINT MANAGER Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546 Additional info:Here I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present. Viewpoint Viewpoint Manager Viewpoint Media Player Viewpoint Toolbar Your call. ___________________ To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.' Make a uninstall list using HijackThis To access the Uninstall Manager you would do the following: 1. Start HijackThis 2. Click on the Config button 3. Click on the Misc Tools button 4. Click on the Open Uninstall Manager button. You will now be presented with a screen similar to the one below: 5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply. Thanks dan

judibug View Member Profile	May 26 2008, 10:02 AM Post #5
Member Group: Members Posts: 18 Joined: 24-May 08 Member No.: 210,775	Here's the list...and no worries on any delays, I'm just so greatful that you guys are here to help... Ad-Aware SE Personal Adobe Flash Player ActiveX Adobe Reader 7.0.8 AIM 6 Alien Skin Eye Candy 5 Impact Alien Skin Eye Candy 5 Nature Alien Skin Eye Candy 5 Textures Alien Skin Xenofex 2.0 ATI - Software Uninstall Utility ATI Catalyst Control Center ATI Display Driver ATI HydraVision ATI Parental Control & Encoder AVIVO Codecs Belarc Advisor 7.2 BVH_VDayContest_Outfit 2.0 BVH_VDayContest_Set 2.0 BVHA3 SheDevil II 2.0 BVHTG ToXic II BVHTG Vampirella 2 BVHV3 ToXic II BVHV3 Vampirella 2 ccCommon Codec Pack - All In 1 6.0.3.0 Conquer 2.0 Corel Paint Shop Pro X Dan Elwell's Broadband Speed Test Dell ResourceCD Eye Candy 4000 Google Toolbar for Internet Explorer Guild Wars HijackThis 2.0.2 Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB896344) Hotfix for Windows XP (KB914440) Hotfix for Windows XP (KB915865) Hotfix for Windows XP (KB926239) HP Driver Diagnostics HP Image Zone 4.2 HP PSC & OfficeJet 4.2 HP Software Update IKEA HomePlanner Kitchen Intel® 537EP V9x DF PCI Modem Intel® PRO Network Adapters and Drivers Internet Worm Protection J2SE Runtime Environment 5.0 Update 10 J2SE Runtime Environment 5.0 Update 9 Kaspersky Online Scanner LiveReg (Symantec Corporation) LiveUpdate 3.0 (Symantec Corporation) MAT Pose Edit 3.1.3 beta 3 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB928366) Microsoft .NET Framework 2.0 Service Pack 1 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office XP Professional with FrontPage Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) namesuppressed Plaid Lite neroxml Norton AntiVirus 2005 Norton AntiVirus 2005 (Symantec Corporation) Norton AntiVirus Help Norton AntiVirus Parent MSI Norton AntiVirus SYMLT MSI Norton WMI Update overland P3dO Explorer (remove only) Paint Shop Pro 7 ESD Panda ActiveScan 2.0 PCPitstop Panda AntiVirus Scan (remove only) Plan3D Plan3D Poser 7 quick3D Professional [shareware] QuickTime Alternative 1.47 Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows Media Player 9 (KB917734) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914388) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917422) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918118) Security Update for Windows XP (KB918439) Security Update for Windows XP (KB919007) Security Update for Windows XP (KB920213) Security Update for Windows XP (KB920214) Security Update for Windows XP (KB920670) Security Update for Windows XP (KB920683) Security Update for Windows XP (KB920685) Security Update for Windows XP (KB921398) Security Update for Windows XP (KB921503) Security Update for Windows XP (KB922616) Security Update for Windows XP (KB922760) Security Update for Windows XP (KB922819) Security Update for Windows XP (KB923191) Security Update for Windows XP (KB923414) Security Update for Windows XP (KB923694) Security Update for Windows XP (KB923789) Security Update for Windows XP (KB923980) Security Update for Windows XP (KB924191) Security Update for Windows XP (KB924270) Security Update for Windows XP (KB924496) Security Update for Windows XP (KB924667) Security Update for Windows XP (KB925486) Security Update for Windows XP (KB925902) Security Update for Windows XP (KB926255) Security Update for Windows XP (KB926436) Security Update for Windows XP (KB927779) Security Update for Windows XP (KB927802) Security Update for Windows XP (KB928255) Security Update for Windows XP (KB928843) Security Update for Windows XP (KB929123) Security Update for Windows XP (KB930178) Security Update for Windows XP (KB931261) Security Update for Windows XP (KB931784) Security Update for Windows XP (KB932168) Security Update for Windows XP (KB933729) Security Update for Windows XP (KB935839) Security Update for Windows XP (KB935840) Security Update for Windows XP (KB936021) Security Update for Windows XP (KB938829) Security Update for Windows XP (KB941202) Security Update for Windows XP (KB941568) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB941644) Security Update for Windows XP (KB941693) Security Update for Windows XP (KB943055) Security Update for Windows XP (KB943460) Security Update for Windows XP (KB943485) Security Update for Windows XP (KB944653) Security Update for Windows XP (KB945553) Security Update for Windows XP (KB946026) Security Update for Windows XP (KB948590) Security Update for Windows XP (KB948881) Security Update for Windows XP (KB950749) Sony USB Driver SPBBC Symantec Symantec Script Blocking Installer SymNet The Tailor 1.61 Uninstall Mystical Update for Windows XP (KB894391) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB904942) Update for Windows XP (KB908531) Update for Windows XP (KB910437) Update for Windows XP (KB911280) Update for Windows XP (KB916595) Update for Windows XP (KB920342) Update for Windows XP (KB920872) Update for Windows XP (KB922582) Update for Windows XP (KB927891) Update for Windows XP (KB929338) Update for Windows XP (KB930916) Update for Windows XP (KB931836) Update for Windows XP (KB933360) Update for Windows XP (KB936357) Update for Windows XP (KB938828) Update for Windows XP (KB942763) V3 texture 01 Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Live Messenger Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 11 Windows Media Player 11 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885884 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB891781 WinRAR archiver WinWay Resume Deluxe

dan12 View Member Profile	May 26 2008, 02:27 PM Post #6
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	Download OTMoveIt2 by Old Timer and save it to your Desktop. Double-click OTMoveIt2.exe to run it. Copy the lines in the codebox below. CODE C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CD24.rar C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0-Full-Installer.zip C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0.1-Patch-Installer.zip C:\Documents and Settings\Diva\Desktop\MY DESKTOP\poser\Crossdresser new\Renderosity - 58051 - EvilInnocence - CrossDresser2.1 Installer.zip C:\Documents and Settings\Diva\ftp34.dll C:\Documents and Settings\Diva\My Documents\Downloads\3DHAHomeDesignSE6-dm.exe C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer\CrossDresser2.5.1 - Installer.exe C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer.zip C:\Documents and Settings\LocalService\ftp34.dll C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Installer.exe C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Patch Installer.exe C:\RECYCLER\S-1-5-21-73586283-113007714-1801674531-1004\Dc138.0-Full-Installer\CrossDresser3.0 Full - Installer.exe C:\WINDOWS\system32\ftp34.dll" Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste. Click the red Moveit! button. Copy everything in the Results window (under the green bar), and paste it in your next reply. Close OTMoveIt2 : Malwarebytes' Anti-Malware : Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform full scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this: C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu. Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX. Check (tick) this box: YES, I accept the Terms of Use. Click on the Start button next to it. When prompted to run ActiveX. click Yes. You will be asked to install an ActiveX. Click Install. Once installed, the scanner will be initialized. After the scanner is initialized, click Start. Uncheck (untick) Remove found threats box. Check (tick) Scan unwanted applications. Click on Scan. It will start scanning. Please be patient. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply. Update Java Runtime Environment (JRE) Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 6. Click on Start > Control Panel and double click on Add/Remove Programs. Locate J2SE Runtime Environment 5.0 Update 10 and click on Change/Remove to uninstall it. Repeat for these old versions of JRE: J2SE Runtime Environment 5.0 Update 9 Click here to visit Java's website. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download. Select Windows from the drop-down list for Platform. Select Multi-language from the drop-down list for Language. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location. Run this installation to update your Java. Please include in your next post: otmoveit2 report Malwarebytes log Eset scan report New highjackthis log Thanks dan

judibug View Member Profile	May 26 2008, 09:14 PM Post #7
Member Group: Members Posts: 18 Joined: 24-May 08 Member No.: 210,775	Here are the logs... The first two times I ran OTMoveIt, it threw an error and closed before I could get the log, on the third time I got this log... File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CD24.rar not found. File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0-Full-Installer.zip not found. File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0.1-Patch-Installer.zip not found. File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\poser\Crossdresser new\Renderosity - 58051 - EvilInnocence - CrossDresser2.1 Installer.zip not found. File/Folder C:\Documents and Settings\Diva\ftp34.dll not found. File/Folder C:\Documents and Settings\Diva\My Documents\Downloads\3DHAHomeDesignSE6-dm.exe not found. File/Folder C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer\CrossDresser2.5.1 - Installer.exe not found. File/Folder C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer.zip not found. File/Folder C:\Documents and Settings\LocalService\ftp34.dll not found. File/Folder C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Installer.exe not found. File/Folder C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Patch Installer.exe not found. File/Folder C:\RECYCLER\S-1-5-21-73586283-113007714-1801674531-1004\Dc138.0-Full-Installer\CrossDresser3.0 Full - Installer.exe not found. File/Folder C:\WINDOWS\system32\ftp34.dll not found. OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05262008_123705 Malwarebytes' Anti-Malware 1.12 Database version: 788 Scan type: Full Scan (C:\\|) Objects scanned: 397961 Time elapsed: 1 hour(s), 56 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) # version=4 # OnlineScanner.ocx=1.0.0.635 # OnlineScannerDLLA.dll=1, 0, 0, 79 # OnlineScannerDLLW.dll=1, 0, 0, 78 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3132 (20080526) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=0ee01d01f603304abc98a7e5fd765b58 # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2008-05-27 01:08:09 # local_time=2008-05-26 06:08:09 (-0800, Pacific Daylight Time) # country="United States" # osver=5.1.2600 NT Service Pack 2 # scanned=546329 # found=3 # scan_time=11450 C:\_OTMoveIt\MovedFiles\05262008_123518\Documents and Settings\Diva\ftp34.dll a variant of Win32/PSW.Agent.NHG trojan F8D7561F0C474D855C0C37E74077AE8F C:\_OTMoveIt\MovedFiles\05262008_123518\Documents and Settings\LocalService\ftp34.dll a variant of Win32/PSW.Agent.NHG trojan F8D7561F0C474D855C0C37E74077AE8F C:\_OTMoveIt\MovedFiles\05262008_123620\WINDOWS\system32\ftp34.dll a variant of Win32/PSW.Agent.NHG trojan F8D7561F0C474D855C0C37E74077AE8F Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:09:02 PM, on 5/26/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\msiexec.exe C:\Documents and Settings\Diva\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {05E0D4E9-A832-4886-B443-3729E04B3704} (Living Picture Player) - http://www.gamewaredevelopment.co.uk/cab/livingpicturex.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...tallMgr_v01.cab O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing) O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- End of file - 7368 bytes

dan12 View Member Profile	May 27 2008, 12:33 AM Post #8
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	I will catch you later as I have to work

dan12 View Member Profile	May 27 2008, 02:17 PM Post #9
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	Ok, these may well of gone in the first pass you made, as I only have the log for the third attempt. So can you check manually that they have gone, if not delete the files Right click start, In the drop down menu click "Explore" Then navigate to each file\ folder in the left hand pane, which will reveal its content in the right hand pane, highlight file or folder right click and Delete, if present: File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CD24.rar File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0-Full-Installer.zip File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\BURN2\CrossDresser3.0.1-Patch-Installer.zip File/Folder C:\Documents and Settings\Diva\Desktop\MY DESKTOP\poser\Crossdresser new\Renderosity - 58051 - EvilInnocence - CrossDresser2.1 Installer.zip File/Folder C:\Documents and Settings\Diva\ftp34.dll File/Folder C:\Documents and Settings\Diva\My Documents\Downloads\3DHAHomeDesignSE6-dm.exe File/Folder C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer\CrossDresser2.5.1 - Installer.exe File/Folder C:\Documents and Settings\Diva\My Documents\Downloads\Tools\Crossdresser\CrossDresser2.5.1 - Installer.zip File/Folder C:\Documents and Settings\LocalService\ftp34.dll File/Folder C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Installer.exe File/Folder C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Patch Installer.exe File/Folder C:\RECYCLER\S-1-5-21-73586283-113007714-1801674531-1004\Dc138.0-Full-Installer\CrossDresser3.0 Full - Installer.exe File/Folder C:\WINDOWS\system32\ftp34.dll let me know how you got on.

judibug View Member Profile	May 27 2008, 03:57 PM Post #10
Member Group: Members Posts: 18 Joined: 24-May 08 Member No.: 210,775	These two files were still there so I deleted them and emptied my recycle bin... File/Folder C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Installer.exe File/Folder C:\Program Files\e frontier\Poser 7\CrossDresser2.2 - Patch Installer.exe I have not had any more Windows Explorer errors and Norton(although out of date) is working again... My computer still lags at times and I often have to refresh web pages because they won't load the first time(internet explorer can't find page etc)... My main concern is to get rid of the malware or viruses so I can back up my work(I do graphics work and am terrible for backing up regularily) and most likely format for a clean start(new anti-virus of course!) Thanks Judi

dan12 View Member Profile	May 27 2008, 04:05 PM Post #11
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	I Just want to cleanup some tools used Double click on OTMoveIt2. Click on CleanUp!. You will receive a prompt that it has finished downloaded a list. Click OK. After this, it will prompt you to restart your computer. Please restart your computer. let me know when done

judibug View Member Profile	May 27 2008, 06:03 PM Post #12
Member Group: Members Posts: 18 Joined: 24-May 08 Member No.: 210,775	I did what you asked and rebooted...

dan12 View Member Profile	May 27 2008, 11:44 PM Post #13
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	Congratulations you are clean! Now that you are clean, please follow these simple steps in order to keep your computer clean and secure: Create a new System Restore Point This is a good time to clear your existing system restore points and establish a new clean restore point: Go to Start > All Programs > Accessories > System Tools > System Restore Select Create a restore point, and Ok it. Next, go to Start > Run and type in cleanmgr Select the More options tab Choose the option to clean up system restore and OK it. This will remove all restore points except the new one you just created. Here are some free programs I recommend that could help you improve your computer's security. Spybot Search and Destroy 1.5.2 Download it from here. Just choose a mirror and off you go. Find here the tutorial on how to use Spybot properly here Find here changes from older version 1.4 here Install Spyware Guard Download it from here Find here the tutorial on how to use Spyware Guard here Install SpyWare Blaster Download it from here Find here the tutorial on how to use Spyware Blaster here Install WinPatrol Download it from here Here you can find information about how WinPatrol works here Install FireTrust SiteHound You can find information and download it from here Install MVPS Hosts File from here The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc. Secunia Software Inspector F-secure Health Check Visit Microsoft often to get the latest updates for your computer. http://www.update.microsoft.com Please check out Tony Klein's article "How did I get infected in the first place?" Read some information here how to prevent Malware. Stand Up and Be Counted! Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints called Malware Complaints. Please register there first! Then follow the instructions. >> Here << you can see how you can help us. Happy safe surfing! Dan

judibug View Member Profile	May 29 2008, 01:25 AM Post #14
Member Group: Members Posts: 18 Joined: 24-May 08 Member No.: 210,775	Thank you so much!!!

dan12 View Member Profile	May 29 2008, 04:11 AM Post #15
Member Group: HJT Team Posts: 41 Joined: 16-May 08 From: uk Member No.: 209,356	My pleasure

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List \| Virus Removal Guides
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides Archive