
Infected With Trojan.32/virtumonde.o, Backdoor, Etc...


This topic is locked
13 replies to this topic

#1 skyfuser

skyfuser

  • Members
  • 470 posts
  • OFFLINE
  • Location:California
  • Local time:12:29 AM

Posted 23 November 2007 - 08:10 PM

Hi, this is my first time (and hopefully last time) on here posting a Hijack Log. I hope you will help me soon; Windows Firewall says that it's blocking my IP from accessing the California government documents site and teacherweb.com, so I want to get rid of it before the hacker can do more harm. I also have a major semester project on here, and if I don't get it in safe and sound I'm going to flunk....

I tried doing everything to get rid of 3 specific problems, but they just rebooted the whole computer before deletion was successful. I don't know what sites the computer accessed, because my little sister frequently gets on it to play games, and I can't tell if they're malicious or harmless because the history, cookies, and temporary internet files are deleted every night.

I've copied down this info, in case it's of any help: (note: list not complete, the trojans are all in temporary internet files)

Trojan.32/Virtumonde.O:
process:
pid:236
regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\BootService
runkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\BootService
file:
C:\WINDOWS\system32\__c00249F5.dat

Trojan.32/Virtumonde.O:
file:
C:\WINDOWS\system32\__c00DAB5C.dat

Trojan.32/Virtumonde.O:
process:
pid:644
regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\BootService
runkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\BootService
file:
C:\Documents and Settings\YZ\Local Settings\Temp\__c00EBDA4.dat

Backdoor:Win32/Zonebac.B
C:\WINDOWS\Temp\ja.exe->(UPX)
C:\WINDOWS\Temp\ja.exe

The sites that firewall blocked:
dof.ca.gov
134.186.77.85
TCP Port 445



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:09 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {0048795E-698A-4E61-BE03-6BC959EE8D4B} - C:\WINDOWS\system32\cryptu.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Alexa] C:\WINDOWS\System32\qproecss.exe
O4 - HKLM\..\Policies\Explorer\Run: [Ver] 2006.10.10
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172881892437
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) -
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: __c00425C6 - C:\WINDOWS\system32\__c00425C6.dat
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8462 bytes
"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way." - Bertrand Russell
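The entries skyfuser lists (an unnamed BHO in system32, a Winlogon Notify handler and Run keys pointing at `__c00xxxxx.dat` files, and an autostart under Policies\Explorer\Run) are the kind of thing a helper scans a HijackThis log for by eye. The script below is an added example, not code from the thread or from Trend Micro's HijackThis: it parses log lines in the O2/O4/O20 format shown above and flags those patterns. The rule names, the `Finding` type and the sample log (reconstructed from lines quoted in the post) are my own construction.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Naming pattern of the files named in the post: __c00249F5.dat, __c00DAB5C.dat,
# __c00425C6.dat (five hex digits after "__c00", ".dat" extension).
VIRTUMONDE_NAME = re.compile(r"__c00[0-9A-Fa-f]{5}\.dat")
# Every HijackThis item starts with a section code such as "O4 - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str   # why the entry deserves a second look
    line: str     # the original log line


def target_of(section: str, body: str) -> str:
    """Return the file path (or argument text) an entry points at, '' if none."""
    if section == "O4":
        # O4 - <hive>\..\Run: [Name] <path> [args]
        m = re.search(r"\]\s*(.+)$", body)
        return m.group(1).strip().strip('"') if m else ""
    if section in ("O2", "O3", "O9", "O20", "O23"):
        # Last " - " separated field is the path (or "(no file)").
        return body.rsplit(" - ", 1)[-1].strip()
    return ""


def triage(lines) -> list:
    """Apply the heuristics to each HijackThis item; non-item lines are skipped."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        target = target_of(section, body)
        if VIRTUMONDE_NAME.search(target):
            findings.append(Finding(section, "Virtumonde-style __c00xxxxx.dat file name", raw))
        if section == "O20" and body.startswith("Winlogon Notify:") and not target.lower().endswith(".dll"):
            # Winlogon notification packages are DLLs; a .dat here is unusual.
            findings.append(Finding(section, "Winlogon Notify handler is not a .dll", raw))
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "BHO with no name", raw))
        if section == "O4" and "Policies\\Explorer\\Run" in body:
            # Policy-based autostart location that legitimate installers rarely use.
            findings.append(Finding(section, "autostart via Policies\\Explorer\\Run", raw))
    return findings


# Constructed sample: lines quoted from the post above, plus one O4 line rebuilt
# from the "regkey ... BootService" / "file ... __c00249F5.dat" info skyfuser gave.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    "",
    r"O2 - BHO: (no name) - {0048795E-698A-4E61-BE03-6BC959EE8D4B} - C:\WINDOWS\system32\cryptu.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [BootService] C:\WINDOWS\system32\__c00249F5.dat",
    r"O4 - HKLM\..\Policies\Explorer\Run: [Alexa] C:\WINDOWS\System32\qproecss.exe",
    r"O20 - Winlogon Notify: __c00425C6 - C:\WINDOWS\system32\__c00425C6.dat",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}: {f.line}")
```

The O20 line produces two findings (file-name pattern and non-DLL handler), so the sample yields five findings in total while the Intel, Spybot and ZoneAlarm entries pass untouched.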


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 25 November 2007 - 08:01 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum skyfuser :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 skyfuser

skyfuser
  • Topic Starter

  • Members
  • 470 posts
  • OFFLINE
  • Location:California
  • Local time:12:29 AM

Posted 25 November 2007 - 03:27 PM

Hi, RichieUK, thanks a million for helping me! :thumbsup:

Here's the SDFix Report:

SDFix: Version 1.115

Run by rule #1KL on Sun 11/25/2007 at 11:10 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 11:21:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\hQ\x00fcb]
"\xcd\x2039\xed\x2039T\x20ac\xf3`"=dword:00000001
"\xcd\x2039\xed\x2039\x201c\x008feQ"=dword:00000001
"\20\x90\20n\x00d0c:y"=dword:00000001
"\26Y\1x\x00d0c:y"=dword:00000001
"\x00d2czz<h"=dword:00000000
"IQ\ah\xdf\x8d\x8f\x2013"=dword:00000001
"<SPACE>"=dword:00000001
"<ENTER>"=dword:00000000
"FC Input"=dword:00000000
"FC aid"=dword:00000000
"GB/GBK"=dword:00000000

scanning hidden files ...

C:\Documents and Settings\rule #1KL\Local Settings\Temporary Internet Files\Content.IE5\AFODA5QN\home.sina[1].: 56348 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Documents and Settings\\CL\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Documents and Settings\\CL\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

Mon 7 Oct 2002 49,223 A..H. --- "C:\Program Files\America Online 8.0\aolphx.exe"
Mon 7 Oct 2002 36,939 A..H. --- "C:\Program Files\America Online 8.0\aoltray.exe"
Mon 7 Oct 2002 40,960 A..H. --- "C:\Program Files\America Online 8.0\RBM.exe"
Mon 7 Oct 2002 233,539 A..H. --- "C:\Program Files\America Online 8.0\waol.exe"
Mon 7 Oct 2002 49,223 A..H. --- "C:\Program Files\America Online 8.0a\aolphx.exe"
Mon 7 Oct 2002 36,939 A..H. --- "C:\Program Files\America Online 8.0a\aoltray.exe"
Mon 7 Oct 2002 40,960 A..H. --- "C:\Program Files\America Online 8.0a\RBM.exe"
Mon 7 Oct 2002 233,539 A..H. --- "C:\Program Files\America Online 8.0a\waol.exe"
Tue 21 Nov 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 21 Nov 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Mon 7 Oct 2002 49,225 A..H. --- "C:\Program Files\America Online 8.0\COMIT\cswitch.exe"
Mon 7 Oct 2002 49,225 A..H. --- "C:\Program Files\America Online 8.0a\COMIT\cswitch.exe"
Tue 7 Feb 2006 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"
Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"
Thu 6 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0003.tmp"
Fri 7 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0004.tmp"
Sat 15 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0005.tmp"
Wed 3 Oct 2007 24,576 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0006.tmp"
Sat 6 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0007.tmp"
Mon 8 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0008.tmp"
Fri 12 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0009.tmp"
Sun 14 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0010.tmp"
Sun 28 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0011.tmp"
Sat 13 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0256.tmp"
Sat 15 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0262.tmp"
Sun 28 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0265.tmp"
Tue 30 Oct 2007 20,992 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0395.tmp"
Wed 17 Oct 2007 20,480 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0564.tmp"
Sat 8 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL0863.tmp"
Mon 29 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1162.tmp"
Wed 17 Oct 2007 20,992 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1222.tmp"
Wed 14 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1263.tmp"
Thu 4 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1303.tmp"
Wed 3 Oct 2007 24,576 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1331.tmp"
Thu 4 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1422.tmp"
Sun 14 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1455.tmp"
Mon 29 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1580.tmp"
Sat 13 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1609.tmp"
Tue 30 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1670.tmp"
Sat 8 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1786.tmp"
Sun 28 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1940.tmp"
Sat 13 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL1991.tmp"
Mon 29 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL2046.tmp"
Sun 28 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL2424.tmp"
Sun 28 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL2848.tmp"
Sat 6 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL2985.tmp"
Wed 3 Oct 2007 28,160 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3055.tmp"
Sun 16 Sep 2007 19,968 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3110.tmp"
Sat 13 Oct 2007 19,968 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3117.tmp"
Sat 13 Oct 2007 20,992 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3165.tmp"
Thu 4 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3199.tmp"
Fri 12 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3237.tmp"
Sun 16 Sep 2007 19,968 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3269.tmp"
Mon 29 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3353.tmp"
Sat 13 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3373.tmp"
Fri 12 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3747.tmp"
Sun 28 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3939.tmp"
Sat 13 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL3961.tmp"
Fri 21 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL4056.tmp"
Sun 14 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Local Settings\Temp\~WRL4058.tmp"
Tue 20 Mar 2007 19,968 ...H. --- "C:\Documents and Settings\YZ\Local Settings\Temp\~WRL0004.tmp"
Wed 7 Mar 2007 33,280 ...H. --- "C:\Documents and Settings\YZ\Local Settings\Temp\~WRL0005.tmp"
Mon 23 Jul 2007 19,456 ...H. --- "C:\Documents and Settings\YZ\Local Settings\Temp\~WRL0006.tmp"
Tue 20 Mar 2007 21,504 ...H. --- "C:\Documents and Settings\YZ\Local Settings\Temp\~WRL0417.tmp"
Mon 23 Jul 2007 20,480 ...H. --- "C:\Documents and Settings\YZ\Local Settings\Temp\~WRL0513.tmp"
Mon 23 Jul 2007 19,968 ...H. --- "C:\Documents and Settings\YZ\Local Settings\Temp\~WRL1581.tmp"
Wed 7 Mar 2007 19,968 ...H. --- "C:\Documents and Settings\YZ\Local Settings\Temp\~WRL1838.tmp"
Fri 24 Jan 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 24 Jan 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Sat 16 Dec 2006 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off1.tmp"
Wed 20 Dec 2006 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off2.tmp"
Fri 22 Dec 2006 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off4.tmp"
Thu 21 Dec 2006 10,678 A..H. --- "C:\Program Files\Microsoft Office\Office\Shortcut Bar\Off78.tmp"
Tue 16 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT17.tmp"
Fri 4 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Sun 14 Oct 2007 19,968 ...H. --- "C:\Documents and Settings\CL\Desktop\Chang\Mission San Jose High School\Hou\~WRL0001.tmp"
Fri 12 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Desktop\Chang\Mission San Jose High School\Hou\~WRL1678.tmp"
Wed 14 Nov 2007 22,016 ...H. --- "C:\Documents and Settings\CL\Desktop\Chang\Mission San Jose High School\Waller\~WRL0003.tmp"
Fri 12 Oct 2007 19,456 ...H. --- "C:\Documents and Settings\CL\Desktop\Chang\Mission San Jose High School\Waller\~WRL2650.tmp"
Mon 23 Jul 2007 20,992 ...H. --- "C:\Documents and Settings\YZ\Desktop\Resume\Resume 00\some templates for comm\~WRL1227.tmp"
Mon 23 Jul 2007 20,992 ...H. --- "C:\Documents and Settings\YZ\Desktop\Resume\Resume 00\some templates for comm\~WRL2851.tmp"
Mon 23 Jul 2007 21,504 ...H. --- "C:\Documents and Settings\YZ\Desktop\Resume\Resume 00\some templates for comm\~WRL4063.tmp"

Finished!





Here's the ComboFix report:
ComboFix 07-11-19.3 - rule #1KL 2007-11-25 11:43:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -8:00]
Running from: C:\Documents and Settings\rule #1KL\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\__c00425C6.dat
C:\WINDOWS\system32\cryptu.dll
C:\WINDOWS\system32\drivers\wmkafawr.dat
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AFAWUCXJ
-------\afawucxj


((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-25 11:09 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-24 23:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-24 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-24 23:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-23 22:51 <DIR> d-------- C:\FileASSASSIN
2007-11-23 19:52 174,199 ---hs---- C:\WINDOWS\system32\2878E00c__.ini
2007-11-23 16:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 09:42 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-23 09:19 <DIR> d-------- C:\Documents and Settings\rule #1KL\.housecall6.6
2007-11-23 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-22 22:33 174,199 ---hs---- C:\WINDOWS\system32\5F94200c__.ini
2007-11-21 12:33 <DIR> d-------- C:\Program Files\mIRC
2007-11-21 12:33 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\mIRC
2007-11-20 20:17 174,199 ---hs---- C:\WINDOWS\system32\C321F00c__.ini
2007-11-20 19:16 3,446 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-20 19:16 0 --a------ C:\WINDOWS\system32\tmp.txt
2007-11-20 18:35 174,199 ---hs---- C:\WINDOWS\system32\C5BAD00c__.ini
2007-11-20 18:21 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\PC Tools
2007-11-20 18:15 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-20 14:31 174,199 ---hs---- C:\WINDOWS\system32\7B1FD00c__.ini
2007-11-20 14:31 83,968 --a------ C:\WINDOWS\system32\cryptu.1
2007-11-19 20:53 <DIR> d-------- C:\Program Files\MyPodcast Recorder
2007-11-19 02:59 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-11-19 02:59 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-11-19 01:16 <DIR> d-------- C:\Program Files\9Dragons
2007-11-18 19:13 <DIR> d-------- C:\Program Files\Audacity
2007-11-18 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-17 17:25 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-10 00:26 <DIR> d-------- C:\Program Files\7-Zip
2007-11-10 00:05 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-10 00:05 <DIR> d-------- C:\Program Files\BitTorrent
2007-11-10 00:05 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\BitTorrent DNA
2007-11-10 00:05 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\BitTorrent
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 20:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 08:28 --------- d-----w C:\Program Files\Scansoft
2007-11-23 08:26 --------- d-----w C:\Program Files\Common Files\scansoft shared
2007-11-23 08:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-11-23 08:21 --------- d-----w C:\Program Files\Google
2007-11-23 06:11 --------- d-----w C:\Documents and Settings\CL\Application Data\BitTorrent DNA
2007-11-21 02:50 --------- d-----w C:\Program Files\Microsoft Works
2007-11-10 06:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-02 02:01 --------- d-----w C:\Documents and Settings\CL\Application Data\GetRightToGo
2003-01-24 17:59 32 --sha-w C:\WINDOWS\{2E5ED30A-E68D-4A3E-B4C6-F8CA7DF01216}.dat
2003-01-24 17:59 32 --sha-w C:\WINDOWS\system32\{40D2B39D-B201-44BD-8752-A0E24513C747}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-11-10 00:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-12-13 07:22]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-12-13 07:10]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-30 06:40]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2003-01-15 17:24]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2003-01-14 15:52]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-12-13 12:47]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-12-13 12:47]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2002-11-25 10:23]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 10:29]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2003-01-22 17:23]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 13:21]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2002-12-17 14:23]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 10:33]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 11:07]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:31]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 04:00]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 04:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 04:00]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 17:30]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2002-08-12 10:00:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00425C6]
C:\WINDOWS\system32\__c00425C6.dat

R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-25 20:06:41 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-24 04:18:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-19 03:18:54 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 12:05:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 12:14:01 - machine was rebooted
.
--- E O F ---




And finally, the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:24 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172881892437
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) -
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: __c00425C6 - C:\WINDOWS\system32\__c00425C6.dat (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8392 bytes
"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way." - Bertrand Russell

#4 RichieUK

Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 25 November 2007 - 04:09 PM

Make sure Windows Defender is still disabled.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\2878E00c__.ini
C:\WINDOWS\system32\5F94200c__.ini
C:\WINDOWS\system32\C321F00c__.ini
C:\WINDOWS\system32\C5BAD00c__.ini
C:\WINDOWS\system32\7B1FD00c__.ini
C:\WINDOWS\system32\cryptu.1
C:\WINDOWS\{2E5ED30A-E68D-4A3E-B4C6-F8CA7DF01216}.dat
C:\WINDOWS\system32\{40D2B39D-B201-44BD-8752-A0E24513C747}.dat

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: __c00425C6 - C:\WINDOWS\system32\__c00425C6.dat (file missing)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.


#5 skyfuser

  • Topic Starter
  • Members
  • 470 posts
  • Location:California

Posted 25 November 2007 - 09:48 PM

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:07 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172881892437
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) -
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8521 bytes





SUPERAntiSpyware Scan Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/25/2007 at 06:16 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:07:57

Memory items scanned : 187
Memory threats detected : 0
Registry items scanned : 4444
Registry threats detected : 0
File items scanned : 29264
File threats detected : 0


OTMoveIt:
C:\WINDOWS\system32\2878E00c__.ini moved successfully.
C:\WINDOWS\system32\5F94200c__.ini moved successfully.
C:\WINDOWS\system32\C321F00c__.ini moved successfully.
C:\WINDOWS\system32\C5BAD00c__.ini moved successfully.
C:\WINDOWS\system32\7B1FD00c__.ini moved successfully.
C:\WINDOWS\system32\cryptu.1 moved successfully.
C:\WINDOWS\{2E5ED30A-E68D-4A3E-B4C6-F8CA7DF01216}.dat moved successfully.
C:\WINDOWS\system32\{40D2B39D-B201-44BD-8752-A0E24513C747}.dat moved successfully.

Created on 11/25/2007 16:35:46




My PC is loading really fast now, there's barely any lag!
And I must say, thank you for helping! You don't know how much this means to me!
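RichieUK's HijackThis fix in the previous post targets the two entries whose backing file is gone (the O9 button marked "(no file)" and the O20 Winlogon Notify package marked "(file missing)"), and the second log in this post shows both of them gone. The script below is an added example for readers, not part of this thread and not a tool from any vendor mentioned in it. It parses HijackThis-style O-lines, flags entries whose file is absent, flags Winlogon Notify packages that do not point at a .dll (winlogon loads Notify packages as DLLs, so a .dat in system32 is unusual), and diffs a before/after log to show what a fix removed and what a newly installed tool added. The sample lines are constructed from the entries visible in this thread; the heuristics are the example's own assumptions, not HijackThis behaviour.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input, modelled on the HijackThis entries posted in this
# thread: a handful of lines from the first log (before the fix) and from the
# second log (after the fix). Not a complete log.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: __c00425C6 - C:\WINDOWS\system32\__c00425C6.dat (file missing)
--
End of file - 8392 bytes
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
--
End of file - 8521 bytes
"""

# One HijackThis entry: a section code ("O4", "O20", "R1", ...), " - ", then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# HijackThis appends one of these markers when the registered file is not on disk.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)$")

# O20 body: "Winlogon Notify: <subkey> - <path>" with an optional "(file missing)" suffix.
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+?)(?: \(file missing\))?$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Apply two triage heuristics (the example's own, not HijackThis's):
    'orphan'         - the registered file is missing from disk
    'non_dll_notify' - a Winlogon Notify package that is not a .dll file
    """
    findings: Dict[str, List[str]] = {"orphan": [], "non_dll_notify": []}
    for section, body in entries:
        entry = f"{section} - {body}"
        if ORPHAN_RE.search(body):
            findings["orphan"].append(entry)
        if section == "O20":
            m = NOTIFY_RE.match(body)
            if m and not m.group(2).lower().endswith(".dll"):
                findings["non_dll_notify"].append(entry)
    return findings


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added) entry sets between two logs of the same machine."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return b - a, a - b


if __name__ == "__main__":
    for name, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"== {name} ==")
        for kind, hits in flag_entries(parse_hjt(log)).items():
            for hit in hits:
                print(f"  [{kind}] {hit}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("== removed by the fix ==")
    for e in sorted(removed):
        print("  -", e)
    print("== added since the first log ==")
    for e in sorted(added):
        print("  +", e)
```

On the constructed input the "before" log yields two orphan entries and one non-.dll Notify package (the same three markers RichieUK singled out), the "after" log yields none, and the diff shows the two removed entries alongside the two SUPERAntiSpyware entries that the newly installed scanner added. The "= ?" on the SmartUI shortcut is deliberately not flagged: HijackThis prints that when it cannot resolve a .lnk target, which is not the same as a missing file.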

#6 RichieUK

Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 26 November 2007 - 08:27 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#7 skyfuser

  • Topic Starter
  • Members
  • 470 posts
  • Location:California

Posted 26 November 2007 - 10:21 AM

I ran Spybot Search and Destroy last night, and for some reason I found 6 entries. 4 of them were new ones, but there was another Virtumonde. Is that normal?
School note. If not, I will follow the instructions above. THANK YOU SOOO MUCH!! :D:D:D

#8 RichieUK

Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 26 November 2007 - 10:42 AM

* Open SpyBot, check for and get any updates available.
* Close all browsers, check for problems and fix everything found in red.
* Then on the toolbar menu select Mode and switch to Advanced mode, on the left lower down select Tools, and View Report, ensure all the options are selected near the bottom except:
* Uncheck [ ] Do not report disabled or known legitimate items.
* Uncheck [ ] Include a list of services in report.
* Uncheck [ ] Include uninstall list in report.
* Now select (near the top) View Report.
* Press Export in the save in box, save the report to your desktop.
Copy and paste the entire contents of that report in your next reply.

#9 skyfuser

  • Topic Starter
  • Members
  • 470 posts
  • Location:California

Posted 26 November 2007 - 08:32 PM

Sorry I took so long to reply. I had to go to school. When I came home, I ran Spybot again while I did my homework. When I came back I found another cookie tracker...
Here's the log. And just for the sake of it, I think I should say that I'm still suspicious that there's another malicious hidden program. Ever since I found the trojan, whenever I log on an infected account, there's a sound like when you plug the USB in the pc and a beep comes up. A yellow and reddish icon comes up (not completely sure) and then immediately vanishes. I'm not sure... maybe it's harmless? Thanks!



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-11-23 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-11-21 Includes\Cookies.sbi
2007-10-31 Includes\Dialer.sbi
2007-11-21 Includes\DialerC.sbi
2007-11-07 Includes\Hijackers.sbi
2007-11-21 Includes\HijackersC.sbi
2007-10-04 Includes\Keyloggers.sbi
2007-11-21 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2007-11-07 Includes\Malware.sbi
2007-11-21 Includes\MalwareC.sbi
2007-10-24 Includes\PUPS.sbi
2007-11-21 Includes\PUPSC.sbi
2007-11-21 Includes\Revision.sbi
2007-05-30 Includes\Security.sbi
2007-11-21 Includes\SecurityC.sbi
2007-11-07 Includes\Spybots.sbi
2007-11-21 Includes\SpybotsC.sbi
2007-11-06 Includes\Tracks.uti
2007-11-14 Includes\Trojans.sbi
2007-11-21 Includes\TrojansC.sbi
2008-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB918439
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB918899
/ Internet Explorer 6 / SP1: Windows XP Hotfix - KB925486
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Outlook Express 6 / SP1: Windows XP Hotfix - KB911567
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 8: Security Update for Windows Media Player 8 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921503)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928090)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931768)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Update for Windows XP (KB933360)
/ Windows XP / SP3: Security Update for Windows XP (KB933566)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937143)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB939653)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)


--- Startup entries list ---
Located: HK_LM:Run, Apoint
command: C:\Program Files\Apoint2K\Apoint.exe
file: C:\Program Files\Apoint2K\Apoint.exe
size: 122880
MD5: 463CC20884829898B493172FC23C9923

Located: HK_LM:Run, CanonMyPrinter
command: C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
file: C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
size: 1191936
MD5: 480F12DF2E5CB14DB0D1675F2066D7AC

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 54512
MD5: 32FFF093C6633DBAD5798CECC2CC5DE1

Located: HK_LM:Run, ccRegVfy
command: "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
size: 58616
MD5: 8A282DF83631C368F0961E739EAF28C8

Located: HK_LM:Run, CeEKEY
command: C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
file: C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
size: 561152
MD5: 2516E6BC0700DD3E5B5B3D1D7C29A396

Located: HK_LM:Run, CeEPOWER
command: C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
file: C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
size: 102400
MD5: 04D091DCFE01F7AD8E9FB971BEFF4ADD

Located: HK_LM:Run, ezShieldProtector for Px
command: C:\WINDOWS\System32\ezSP_Px.exe
file: C:\WINDOWS\System32\ezSP_Px.exe
size: 40960
MD5: 2849ED071A0D83406BDA342AA767F24E

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\System32\hkcmd.exe
file: C:\WINDOWS\System32\hkcmd.exe
size: 114688
MD5: AE81897FFA0C963F8DAB0C990B1B5576

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\System32\igfxtray.exe
file: C:\WINDOWS\System32\igfxtray.exe
size: 155648
MD5: E79D6D7E0389C3E459D28D9E0E6F4547

Located: HK_LM:Run, IMJPMIG8.1
command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
size: 208952
MD5: 7BBE4CF421AECC7F0226EDD75F12079F

Located: HK_LM:Run, IndexSearch
command: C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
file: C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
size: 36864
MD5: B5BC9306C84BAD6200CA5699F5602DC5

Located: HK_LM:Run, LtMoh
command: C:\Program Files\ltmoh\Ltmoh.exe
file: C:\Program Files\ltmoh\Ltmoh.exe
size: 172032
MD5: 3A4098369AE2595928F9EAEB912843B9

Located: HK_LM:Run, MSPY2002
command: C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
file: C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
size: 59392
MD5: 1B17E09C1223F6D17336D2DD7A1AF4F4

Located: HK_LM:Run, PaperPort PTD
command: C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
file: C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
size: 45108
MD5: CCDC00F353963E9E7DD839817B89D593

Located: HK_LM:Run, PHIME2002A
command: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
file: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024DC0F68DF5FD6AE9DD82DFBAF479D6

Located: HK_LM:Run, PHIME2002ASync
command: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
file: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024DC0F68DF5FD6AE9DD82DFBAF479D6

Located: HK_LM:Run, Pinger
command: c:\toshiba\ivp\ism\pinger.exe /run
file: c:\toshiba\ivp\ism\pinger.exe
size: 159744
MD5: 2ED75D44E1BC39227500B9E3735AA4D5

Located: HK_LM:Run, TPNF
command: C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
file: C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
size: 45056
MD5: A0E3A861F1C36A75FCAAA2B7C4D1400F

Located: HK_LM:Run, TSysSMon
command: c:\toshiba\sysstability\tsyssmon.exe /detect
file: c:\toshiba\sysstability\tsyssmon.exe
size: 49152
MD5: 75CB80925558B65DA240588FB5E385EA

Located: HK_LM:Run, Zone Labs Client
command: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 968696
MD5: 71514E2C74D554F5902DC184046ECA3B

Located: HK_CU:Run, DWQueuedReporting
where: .DEFAULT...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, BitTorrent DNA
where: S-1-5-21-3751955114-1256477988-4104225912-1006...
command: "C:\Documents and Settings\CL\Program Files\BitTorrent_DNA\dna.exe"
file: C:\Documents and Settings\CL\Program Files\BitTorrent_DNA\dna.exe
size: 284992
MD5: D20313DF4EAA8F1F8D1C578CE6DF3996

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3751955114-1256477988-4104225912-1006...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, googletalk
where: S-1-5-21-3751955114-1256477988-4104225912-1006...
command: "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
file: C:\Program Files\Google\Google Talk\googletalk.exe
size: 3739648
MD5: BCD9CBF0621F9A6767276A2E0BF1DD15

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-3751955114-1256477988-4104225912-1006...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-3751955114-1256477988-4104225912-1006...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1460560
MD5: B7D4586BFC0DD6C3BE7DCCC252A3E97E

Located: HK_CU:Run, swg
where: S-1-5-21-3751955114-1256477988-4104225912-1006...
command: C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Yahoo! Pager
where: S-1-5-21-3751955114-1256477988-4104225912-1006...
command: "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, DWQueuedReporting
where: S-1-5-18...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), Microsoft Find Fast.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
file: C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
size: 111376
MD5: BAD8C3ECD192E3131F7AC0A876A0880C

Located: Startup (common), Office Startup.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office\OSA.EXE
file: C:\Program Files\Microsoft Office\Office\OSA.EXE
size: 51984
MD5: D06276D4CAD46CDCEABEFDEB1A0D3C0D

Located: Startup (common), SmartUI.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
file: C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
size: 1568768
MD5: 7893E209A13B52651560FAB999614FF2

Located: WinLogon, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 1/13/2003 5:06:28 PM
Date (last access): 11/26/2007 4:28:04 PM
Date (last write): 3/2/2001 12:02:04 PM
Filesize: 37808
Attributes: archive
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 1.0.0.1

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 11/23/2007 12:46:38 AM
Date (last access): 11/26/2007 4:43:08 PM
Date (last write): 8/31/2007 4:46:14 PM
Filesize: 1122128
Attributes: archive
MD5: B8958471DAA4481E93B03DF8F991DD6E
CRC32: 35E35F14
Version: 1.5.0.8

{68F9551E-0411-48E4-9AAF-4BC42A6A46BE} (EWPBrowseObject Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: EWPBrowseObject Class
Path: C:\Program Files\Canon\Easy-WebPrint\
Long name: EWPBrowseLoader.dll
Short name: EWPBRO~1.DLL
Date (created): 11/27/2006 6:58:42 PM
Date (last access): 11/26/2007 4:28:04 PM
Date (last write): 4/18/2006 7:04:14 PM
Filesize: 34304
Attributes: archive
MD5: F2D73150EBFC69C577BB384212527596
CRC32: 47AEBFE3
Version: 2.6.3.0

{BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: CNavExtBho Class
description: Norton Antivirus
classification: Legitimate
known filename: NavShExt.dll
info link: http://www.symantec.com/nav/nav_9xnt/
info source: TonyKlein
Path: C:\Program Files\Norton AntiVirus\
Long name: NAVShExt.dll
Short name:
Date (created): 12/16/2002 5:02:30 PM
Date (last access): 11/26/2007 4:31:34 PM
Date (last write): 12/16/2002 5:02:30 PM
Filesize: 111784
Attributes: archive
MD5: 305C1A6AB7E5828E532961E98024633D
CRC32: 4AAA6FFA
Version: 9.6.0.2



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwa...director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 11/17/2006 9:52:40 PM
Date (last access): 11/26/2007 7:53:16 AM
Date (last write): 9/3/2006 11:10:30 PM
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 10.1.4.20

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.DLL
Short name: LEGITC~1.DLL
Date (created): 5/17/2006 11:23:38 AM
Date (last access): 11/26/2007 5:05:30 PM
Date (last write): 10/11/2007 2:12:48 PM
Filesize: 1468968
Attributes: archive
MD5: FC6680B6D4812D017109518AC07DED0E
CRC32: 4DC7C79C
Version: 1.7.59.1

{215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6)
DPF name:
CLSID name: Trend Micro ActiveX Scan Agent 6.6
Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
Codebase: http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
description:
classification: Legitimate
known filename: Housecall_ActiveX.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Housecall_ActiveX.dll
Short name: HOUSEC~1.DLL
Date (created): 9/21/2007 3:53:44 PM
Date (last access): 11/26/2007 7:44:04 AM
Date (last write): 9/21/2007 3:53:44 PM
Filesize: 385536
Attributes: archive
MD5: 10A86AB325CA1E17ADD3F0C39A081C9E
CRC32: E6322AD1
Version: 6.51.0.1025

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/...b?1172881892437
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 11/26/2007 4:16:56 PM
Date (last write): 7/30/2007 6:19:28 PM
Filesize: 203096
Attributes: archive
MD5: 5C9A003E7C6BA03F04DC2D9C82A7E6E0
CRC32: E29E0153
Version: 7.0.6000.381

{69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control)
DPF name:
CLSID name: GameLauncher Control
Installer:
Codebase:
Path: C:\WINDOWS\DOWNLO~1\
Long name: GameLauncher.ocx
Short name: GAMELA~1.OCX
Date (created): 9/1/2006 1:40:16 AM
Date (last access): 11/26/2007 7:44:04 AM
Date (last write): 9/1/2006 1:40:16 AM
Filesize: 42720
Attributes: archive
MD5: 32F2B88BAAF2CDCF925247AFE019ADA1
CRC32: CE64F32A
Version: 1.0.0.4

{87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class)
DPF name:
CLSID name: WildfireActiveXHost Class
Installer: C:\WINDOWS\Downloaded Program Files\axhost.inf
Codebase: http://www.gamehouse.com/games/tumblebugs/axhost.cab
description:
classification: Legitimate
known filename: axhost.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: axhost.dll
Short name:
Date (created): 8/11/2005 2:14:28 PM
Date (last access): 11/26/2007 3:57:00 PM
Date (last write): 8/11/2005 2:14:28 PM
Filesize: 188416
Attributes: archive
MD5: 75E81EBAE9C002D3DFACA493F9431944
CRC32: 7D227E8C
Version: 1.0.0.2

{A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class)
DPF name:
CLSID name: ScorchPlugin Class
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://www.sibelius.com/download/software/...tiveXPlugin.cab
description:
classification: Legitimate
known filename: NPSibelius.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: NPSibelius.dll
Short name: NPSIBE~1.DLL
Date (created): 9/5/2006 5:06:14 PM
Date (last access): 11/26/2007 3:57:00 PM
Date (last write): 9/5/2006 5:06:14 PM
Filesize: 4100096
Attributes: archive
MD5: 1309FCE77DAB483C49ED3151746DA3BC
CRC32: 333360C0
Version: 4.1.4.1

{BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner)
DPF name:
CLSID name: a-squared Scanner
Installer:
Codebase: http://ax.emsisoft.com/asquared.cab
description:
classification: Legitimate
known filename: axscan.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: asquared.ocx
Short name:
Date (created): 7/2/2007 3:44:26 PM
Date (last access): 11/26/2007 7:44:04 AM
Date (last write): 7/2/2007 3:44:26 PM
Filesize: 941688
Attributes: archive
MD5: 1E80F3093FA93340A61174AB5F371457
CRC32: E2D562DD
Version: 3.0.0.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwa...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 11/26/2007 3:04:52 PM
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0

{D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control)
DPF name:
CLSID name: TikGames Online Control
Installer: C:\WINDOWS\Downloaded Program Files\gpcontrol.inf
Codebase: http://www.shockwave.com/content/cinematyc...inematycoon.cab
description:
classification: Legitimate
known filename: gpcontrol.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gpcontrol.dll
Short name: GPCONT~1.DLL
Date (created): 12/1/2005 12:49:06 PM
Date (last access): 11/26/2007 3:57:00 PM
Date (last write): 12/1/2005 12:49:06 PM
Filesize: 278528
Attributes: archive
MD5: 35BD60DB11E72FBD930A5CDE6335F51C
CRC32: EB5469B1
Version: 1.0.2.14

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object
Installer: C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Codebase: http://www.popcap.com/games/popcaploader_v6.cab
description:
classification: Legitimate
known filename: POPCAPLOADER.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: popcaploader.dll



--- Process list ---
PID: 0 ( 0) [System]
PID: 348 ( 0) \SystemRoot\System32\smss.exe
size: 50688
PID: 516 ( 0) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 540 ( 0) \??\C:\WINDOWS\System32\winlogon.exe
size: 502272
PID: 584 ( 0) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 596 ( 0) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 736 ( 0) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 812 ( 0) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 872 ( 0) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 960 ( 0) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1008 ( 0) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1020 ( 0) C:\WINDOWS\system32\ZoneLabs\vsmon.exe
size: 75768
MD5: A9062968DF9419FA45ACF044B4D9F5AC
PID: 1164 ( 0) C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
size: 587096
MD5: 25F8546FD40E40EC5A2A23AECAE4FDCA
PID: 1248 ( 0) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1404 ( 0) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1428 ( 0) C:\WINDOWS\wanmpsvc.exe
size: 65536
MD5: 909F2DC0DA7F57D229A05EE90647B2C3
PID: 1556 ( 0) C:\WINDOWS\system32\BRMFRSMG.EXE
size: 32256
MD5: EAE7A53581A0ACA26FDDAA40CAF7BD62
PID: 280 ( 0) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 744 ( 0) C:\WINDOWS\system32\wscntfy.exe
size: 13824
MD5: 49911DD39E023BB6C45E4E436CFBD297
PID: 1604 ( 0) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1784 ( 0) C:\WINDOWS\system32\wuauclt.exe
size: 53080
MD5: F3E9065EB617A7E3A832A7976BFA021B
PID: 2000 ( 0) C:\WINDOWS\System32\igfxtray.exe
size: 155648
MD5: E79D6D7E0389C3E459D28D9E0E6F4547
PID: 2008 ( 0) C:\WINDOWS\System32\hkcmd.exe
size: 114688
MD5: AE81897FFA0C963F8DAB0C990B1B5576
PID: 160 ( 0) C:\Program Files\Apoint2K\Apoint.exe
size: 122880
MD5: 463CC20884829898B493172FC23C9923
PID: 204 ( 0) C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
size: 102400
MD5: 04D091DCFE01F7AD8E9FB971BEFF4ADD
PID: 216 ( 0) C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
size: 561152
MD5: 2516E6BC0700DD3E5B5B3D1D7C29A396
PID: 1888 ( 0) C:\Program Files\ltmoh\Ltmoh.exe
size: 172032
MD5: 3A4098369AE2595928F9EAEB912843B9
PID: 1716 ( 0) C:\WINDOWS\System32\ezSP_Px.exe
size: 40960
MD5: 2849ED071A0D83406BDA342AA767F24E
PID: 1184 ( 0) C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
size: 45056
MD5: A0E3A861F1C36A75FCAAA2B7C4D1400F
PID: 460 ( 0) C:\toshiba\ivp\ism\pinger.exe
size: 159744
MD5: 2ED75D44E1BC39227500B9E3735AA4D5
PID: 1876 ( 0) C:\toshiba\sysstability\tsyssmon.exe
size: 49152
MD5: 75CB80925558B65DA240588FB5E385EA
PID: 928 ( 0) C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
size: 45108
MD5: CCDC00F353963E9E7DD839817B89D593
PID: 1280 ( 0) C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 968696
MD5: 71514E2C74D554F5902DC184046ECA3B
PID: 800 ( 0) C:\Program Files\Apoint2K\Apntex.exe
size: 32768
MD5: F7E39E84313445D360A26CDD96CC173B
PID: 1760 ( 0) C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
size: 1191936
MD5: 480F12DF2E5CB14DB0D1675F2066D7AC
PID: 1920 ( 0) C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
PID: 936 ( 0) C:\Program Files\Google\Google Talk\googletalk.exe
size: 3739648
MD5: BCD9CBF0621F9A6767276A2E0BF1DD15
PID: 2064 ( 0) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 2080 ( 0) C:\Documents and Settings\CL\Program Files\BitTorrent_DNA\dna.exe
size: 284992
MD5: D20313DF4EAA8F1F8D1C578CE6DF3996
PID: 2124 ( 0) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1460560
MD5: B7D4586BFC0DD6C3BE7DCCC252A3E97E
PID: 2160 ( 0) C:\Program Files\Microsoft Office\Office\OSA.EXE
size: 51984
MD5: D06276D4CAD46CDCEABEFDEB1A0D3C0D
PID: 2168 ( 0) C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
size: 1568768
MD5: 7893E209A13B52651560FAB999614FF2
PID: 2408 ( 0) C:\WINDOWS\system32\wuauclt.exe
size: 53080
MD5: F3E9065EB617A7E3A832A7976BFA021B
PID: 2588 ( 0) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4943184
MD5: C92780F50B8BB7A89E919585916494A9


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11/26/2007 5:21:16 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{27DD2C3F-DA8A-4E05-883A-79FA80075BBB}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{27DD2C3F-DA8A-4E05-883A-79FA80075BBB}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{536E4201-B473-4D64-A546-8196A00E6925}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{536E4201-B473-4D64-A546-8196A00E6925}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B2817010-77B3-4587-BCDD-CA674B9FDBB3}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B2817010-77B3-4587-BCDD-CA674B9FDBB3}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{05623A9B-1F42-4B8E-A255-A1510AB2FA63}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{05623A9B-1F42-4B8E-A255-A1510AB2FA63}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3CB77FFF-BF1D-4A64-B3FC-4C73D6E55A8D}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3CB77FFF-BF1D-4A64-B3FC-4C73D6E55A8D}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way." - Bertrand Russell

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 27 November 2007 - 04:47 AM

I don't see anything suspicious.

If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix again and save it to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new Hijackthis log.

#11 skyfuser
  • Topic Starter

  • Members
  • 470 posts
  • Location:California

Posted 27 November 2007 - 10:06 PM

Hi again, Richie. Sorry I took a while, my little sister came on to play games again-.-
Anyways, here's the ComboFix log:

ComboFix 07-11-19.4 - CL 2007-11-27 16:47:34.3 - NTFSx86
Running from: C:\Documents and Settings\CL\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-25 18:54 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-25 16:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 16:41 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\SUPERAntiSpyware.com
2007-11-25 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-25 15:53 <DIR> d-------- C:\Program Files\GPL MPEG Decoder
2007-11-25 15:45 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\RadLight Company
2007-11-25 15:44 <DIR> d-------- C:\Program Files\RadLight Company
2007-11-25 11:09 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-24 23:03 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-24 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-24 23:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-23 22:51 <DIR> d-------- C:\FileASSASSIN
2007-11-23 16:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 09:42 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-23 09:19 <DIR> d-------- C:\Documents and Settings\rule #1KL\.housecall6.6
2007-11-23 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-21 12:33 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\mIRC
2007-11-20 19:16 3,446 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-20 18:21 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\PC Tools
2007-11-20 18:15 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-19 20:53 <DIR> d-------- C:\Program Files\MyPodcast Recorder
2007-11-19 02:59 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-11-19 02:59 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-11-18 19:13 <DIR> d-------- C:\Program Files\Audacity
2007-11-18 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-10 00:26 <DIR> d-------- C:\Program Files\7-Zip
2007-11-10 00:05 <DIR> d-------- C:\Program Files\BitTorrent_DNA
2007-11-10 00:05 <DIR> d-------- C:\Program Files\BitTorrent
2007-11-10 00:05 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\BitTorrent DNA
2007-11-10 00:05 <DIR> d-------- C:\Documents and Settings\rule #1KL\Application Data\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 00:44 --------- d-----w C:\Documents and Settings\CL\Application Data\BitTorrent DNA
2007-11-27 01:16 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 08:28 --------- d-----w C:\Program Files\Scansoft
2007-11-23 08:26 --------- d-----w C:\Program Files\Common Files\scansoft shared
2007-11-23 08:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-11-23 08:21 --------- d-----w C:\Program Files\Google
2007-11-21 02:50 --------- d-----w C:\Program Files\Microsoft Works
2007-11-10 06:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-10-02 02:01 --------- d-----w C:\Documents and Settings\CL\Application Data\GetRightToGo
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 13:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" []
"BitTorrent DNA"="C:\Documents and Settings\CL\Program Files\BitTorrent_DNA\dna.exe" [2007-09-18 19:52]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-12-13 07:22]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-12-13 07:10]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-30 06:40]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2003-01-15 17:24]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2003-01-14 15:52]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-12-13 12:47]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-12-13 12:47]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2002-11-25 10:23]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 10:29]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2003-01-22 17:23]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2002-10-17 13:21]
"TSysSMon"="c:\toshiba\sysstability\tsyssmon.exe" [2002-12-17 14:23]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 10:33]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 11:07]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-23 23:38]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 21:31]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 04:00]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 04:00]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 04:00]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 17:30]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2002-08-12 10:00:40]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 SrvcEKIOMngr;SrvcEKIOMngr;C:\WINDOWS\system32\Drivers\EKIoMngr.sys
R1 SrvcEPIOMngr;SrvcEPIOMngr;C:\WINDOWS\system32\Drivers\EPIoMngr.sys
R1 SrvcSSIOMngr;SrvcSSIOMngr;C:\WINDOWS\system32\Drivers\SSIoMngr.sys
R1 SrvcTPIOMngr;SrvcTPIOMngr;C:\WINDOWS\system32\Drivers\TPIoMngr.sys
R3 EPOWER;Compal E-POWER Driver;C:\WINDOWS\system32\Drivers\hkdrv.sys
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys
S3 wlags48b;Wireless LAN PCCard Driver;C:\WINDOWS\system32\DRIVERS\wlags48b.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-24 04:18:19 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-19 03:18:54 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 16:50:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 16:52:44
C:\ComboFix2.txt ... 2007-11-27 15:11
C:\ComboFix3.txt ... 2007-11-25 12:14
.
--- E O F ---



Kaspersky log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 27, 2007 6:48:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/11/2007
Kaspersky Anti-Virus database records: 437934
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 43913
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:21:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\CL\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\CL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\CL\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\CL\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CL\Local Settings\History\History.IE5\MSHist012007112720071128\index.dat Object is locked skipped
C:\Documents and Settings\CL\Local Settings\temp\Perflib_Perfdata_3a8.dat Object is locked skipped
C:\Documents and Settings\CL\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CL\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\CL\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C1CCD08C-8F31-41E2-AD90-3EC48D37B729}\RP23\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\OWNER-WAM9O2STK.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT0022e.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00234.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



And finally, the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:41 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\CL\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Documents and Settings\CL\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172881892437
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) -
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.shockwave.com/content/cinematyc...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9020 bytes




Overall, PC performance is much better, but Internet Explorer's homepage shows that it has to take longer to detect proxy settings than it used to. Otherwise, it's perfect! :D Thanks!

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 28 November 2007 - 08:16 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Overall, pc performance is much better, but Internet Explorer's homepage shows that it has to take longer to detect proxy settings than it used to.

You might want to start a new topic here regarding the above issue:
Networking:
http://www.bleepingcomputer.com/forums/f/21/networking/
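The reviewer above reads the O16 (ActiveX download), O20 (Winlogon notify) and O23 (service) entries of the HijackThis log by eye and singles out one O16 line to fix. As an added example (not part of this thread and not HijackThis code), here is a small Python parser for those entry lines that turns them into records and lists the O16 downloads whose host is not on a reviewer's allowlist. The sample lines are copied from the log quoted in this thread; the allowlist of two hosts is an assumption made for the demonstration, not a verdict on any of the entries.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entry lines in HijackThis log format, copied from the log quoted in this thread.
# The first URL is truncated with "..." exactly as the forum displayed it; the host still parses.
SAMPLE_LOG_LINES = [
    r"O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab",
    r"O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab",
    r"O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab",
    r"O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
    r"O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe",
]

# One regular expression per section. O23 display names may themselves contain parentheses
# ("WAN Miniport (ATW) Service"), so the short service name is the last "(...)" before " - ".
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*)\) - (\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+) \(([^()]+)\) - (.+?) - (.+)$")


def parse_hjt_lines(lines):
    """Turn O16/O20/O23 entry lines into dicts; anything else is kept as section 'other'."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            entries.append({"section": "O16", "raw": line, "clsid": clsid.upper(),
                            "name": name, "url": url,
                            "host": (urlparse(url).hostname or "").lower()})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "raw": line,
                            "name": m.group(1), "path": m.group(2)})
            continue
        m = O23_RE.match(line)
        if m:
            display, short, company, path = m.groups()
            entries.append({"section": "O23", "raw": line, "name": display,
                            "service": short, "company": company, "path": path})
            continue
        entries.append({"section": "other", "raw": line})
    return entries


# Assumed reviewer allowlist (constructed for this example): hosts whose ActiveX downloads
# have already been reviewed. Everything else is queued for a human look, not deleted.
KNOWN_GOOD_O16_HOSTS = {"ax.emsisoft.com", "www.popcap.com"}


def unreviewed_o16(entries, allowed_hosts=KNOWN_GOOD_O16_HOSTS):
    """Return the O16 entries whose download host is not on the allowlist, in log order."""
    return [e for e in entries if e["section"] == "O16" and e["host"] not in allowed_hosts]


def fix_lines(entries):
    """Return the raw lines for the unreviewed O16 entries, in the form HijackThis shows them."""
    return [e["raw"] for e in unreviewed_o16(entries)]


if __name__ == "__main__":
    parsed = parse_hjt_lines(SAMPLE_LOG_LINES)
    for e in parsed:
        print(e["section"], e.get("name"), e.get("host") or e.get("path"))
    print("O16 entries to review by hand:")
    for line in fix_lines(parsed):
        print("  " + line)
```

The parser keeps the raw line in every record so that the lines queued for review can be pasted back exactly as HijackThis lists them, which is the form the 'Fix checked' instruction above expects. A host not being on the allowlist only means nobody has looked at it yet; the decision to fix an entry stays with the reviewer.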

#13 skyfuser

skyfuser
  • Topic Starter

  • Members
  • 470 posts
  • OFFLINE
  • Location:California
  • Local time:12:29 AM

Posted 28 November 2007 - 07:15 PM

Ok Richie I'll take your word for it =] Thank you so much for helping me! *tears of joy*
I will make a donation someday... parents won't allow it now. But I will remember what you and bleepingcomputer did for me!!
Once again, thank you!! :thumbsup:

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 29 November 2007 - 07:10 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.