
Smitfraud-c And Virtumonde Infection. Help!


This topic is locked
27 replies to this topic

#1 gilmourfam

  • Members
  • 19 posts

Posted 24 December 2007 - 09:36 AM

Please analyze this HijackThis log and tell me where to start to get rid of this. I have run VundoFix and it doesn't seem to have done anything (but in Spybot S&D it changed the file from one that was a registry key changer to a tracking cookie?). I also get a lot lot lot of pop-ups, most of which say WinFixer 2007 or Powered by Zedo. Please help me. I'm going crazy here. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:49 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr .exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD .exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cox\Applications\app\start .exe
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\Lexmark 4300 Series\lxcemon .exe
C:\Program Files\Lexmark 4300 Series\ezprint .exe
C:\WINDOWS\winshow .exe
C:\Program Files\Napster\napster .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\byvvv.exe
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128534431706
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128534422873
O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} (ImageGear ActiveX-12) - https://rod.sedgwickcounty.org/inc/imgearv1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 11704 bytes
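An added triage script, not part of this thread and not one of the helper's tools, that mechanises a few of the checks a malware helper applies by eye to a HijackThis log like the one above. The heuristics it encodes are all visible in that log: a space directly before the extension ("qttask .exe", "winshow .exe") is not how any installer names a binary, and several programs appear in both spellings; an `F3 - REG:win.ini: load=` entry is a 16-bit-era autostart that modern software has no reason to use; `O6` Internet Explorer policy restrictions on a home PC are normally set by rogue software; and an ordinary desktop application registered to autostart under `HKUS\S-1-5-18` (SYSTEM) or `HKUS\.DEFAULT` is not something a user install does. The sample lines are a constructed excerpt copied from the posted log; the allow-list of executables that legitimately sit directly under `C:\WINDOWS` is an assumption made for this example.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example, not part of the original thread.  The sample lines below
are copied from the log posted above; WINDIR_ROOT_ALLOWLIST is an
assumption (XP defaults) made for this example.
"""
import re
from typing import List, Tuple

# "qttask .exe", "winshow .exe": a space right before the extension is not
# how any installer names a binary.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|scr|com)\b", re.IGNORECASE)

# Executables sitting directly in C:\WINDOWS (not in a subfolder).  Only a
# handful of Windows' own programs live there; anything else was dropped.
WINDIR_ROOT_EXE = re.compile(r"C:\\WINDOWS\\([^\\]+\.exe)\b", re.IGNORECASE)
WINDIR_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                         "winhlp32.exe", "twunk_32.exe"}  # assumption: XP defaults

# Autostart entries written into the SYSTEM (S-1-5-18) or Default-user hive
# for an ordinary desktop application: no user-installed program does that.
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")

Finding = Tuple[str, str]  # (reason, offending log line)


def triage(log_text: str) -> List[Finding]:
    """Return (reason, line) pairs for every HJT line worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space before extension", line))
        m = WINDIR_ROOT_EXE.search(line)
        if m and m.group(1).lower() not in WINDIR_ROOT_ALLOWLIST:
            findings.append(("executable directly under %WINDIR%", line))
        if line.startswith("F3 - REG:win.ini: load="):
            # 16-bit-era autostart; modern software has no reason to use it.
            findings.append(("win.ini load= autostart", line))
        if line.startswith("O6 - ") and "Policies\\Microsoft\\Internet Explorer" in line:
            # Policy-style IE lockdowns on a home PC are set by rogue software.
            findings.append(("IE policy restriction", line))
        if line.startswith("O4 - ") and any(h in line for h in SYSTEM_HIVES):
            findings.append(("autostart in SYSTEM/Default hive", line))
    return findings


# Constructed excerpt: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\winshow .exe
C:\WINDOWS\system32\ctfmon.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\byvvv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow .exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The script only ranks lines for a human to look at; it deliberately does not name a malware family, because the same pattern (legitimate binary renamed with a space, look-alike entries in the Run keys) is shared by several families of that period, and the actual identification comes from the ComboFix output and the online scans the helper asks for next.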


#2 Buckeye_Sam

  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 24 December 2007 - 09:46 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important note: do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 gilmourfam

  • Topic Starter
  • Members
  • 19 posts

Posted 24 December 2007 - 10:49 AM

I ran ComboFix. Here is the log.

ComboFix 07-12-21.4 - Lacy 2007-12-24 9:28:47.1 - NTFSx86
Running from: C:\Documents and Settings\Lacy\Local Settings\Temporary Internet Files\Content.IE5\SHI7GPYJ\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Lacy\Application Data\SSTEM~1
C:\Documents and Settings\Lacy\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Lacy\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Lacy\err.log
C:\Documents and Settings\Lacy\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Lacy\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Lacy\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\system32\bvleaty.dll
C:\WINDOWS\system32\byvvv.dll
C:\WINDOWS\system32\d1
C:\WINDOWS\system32\d1\svr121dll3.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\g9
C:\WINDOWS\system32\j2
C:\WINDOWS\system32\j2\xebmbrpl6.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
C:\WINDOWS\system32\o9
C:\WINDOWS\system32\o9\parreo83122.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\vtusssp.dll
C:\WINDOWS\system32\vvvyb.ini
C:\WINDOWS\system32\vvvyb.ini2
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\x1
C:\WINDOWS\system32\x1\roblcidr31z.exe
C:\WINDOWS\system32\X2
C:\WINDOWS\system32\X2\mwspasrt83122.exe
C:\WINDOWS\system32\X3
C:\WINDOWS\system32\X3\w73r.exe
C:\WINDOWS\system32\X4
C:\WINDOWS\system32\X4\wen22.exe
C:\WINDOWS\system32\X9
C:\WINDOWS\tk58.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-24 09:20 . 2007-12-24 09:20 36,352 --a------ C:\WINDOWS\winshow .exe
2007-12-24 08:26 . 2007-12-24 08:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 19:36 . 2007-12-24 09:12 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-23 16:37 . 2007-12-23 16:37 <DIR> d-------- C:\Program Files\Sun
2007-12-23 16:37 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 16:32 . 2007-12-23 16:32 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 10:08 . 2007-12-24 09:30 337,920 --a------ C:\WINDOWS\system32\byvvv.exe
2007-12-23 08:45 . 2007-12-23 19:36 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-22 08:44 . 2007-12-23 08:44 32,859 --a------ C:\WINDOWS\system32\dpmw32 .exe
2007-12-21 19:59 . 2007-12-23 08:42 639,040 --a------ C:\WINDOWS\system32\ZCfgSvc .exe
2007-12-21 18:54 . 2007-12-21 18:54 39,936 --a------ C:\WINDOWS\17PHolmes1000106.exe
2007-12-21 18:52 . 2007-12-21 18:52 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-21 18:52 . 2007-12-21 18:53 <DIR> d-------- C:\Temp\cEeer12
2007-12-21 18:35 . 2007-12-21 18:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 18:35 . 2007-12-21 18:35 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 19:55 . 2007-12-04 19:55 <DIR> d-------- C:\Program Files\WinGlucofacts Professional 3.03
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\WIN.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\SYSTEM.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\PROTOCOL.INI
2007-11-26 21:08 . 2007-11-26 21:08 <DIR> d-------- C:\Program Files\ASA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 15:44 --------- d-----w C:\Program Files\QuickTime
2007-12-24 15:44 --------- d-----w C:\Program Files\Lexmark 4300 Series
2007-12-24 15:44 --------- d-----w C:\Program Files\iTunes
2007-12-24 15:43 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-24 15:43 --------- d-----w C:\Program Files\Dell AIO Printer A920
2007-12-24 15:42 15,360 ----a-w C:\WINDOWS\system32\ctfmon .exe
2007-12-24 15:41 334,336 ----a-w C:\WINDOWS\system32\byvvv.dll
2007-12-24 15:17 --------- d-----w C:\Program Files\Napster
2007-12-24 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-23 22:37 --------- d-----w C:\Program Files\Java
2007-12-22 21:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 17:35 --------- d-----w C:\Program Files\Lx_cats
2007-11-27 04:02 --------- d-----w C:\Program Files\GroundSchool
2007-11-16 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-07-10 00:49 246 ----a-w C:\Program Files\Common Files\lavuk949
2007-07-09 23:08 70,144 ----a-w C:\Program Files\Common Files\lavuk949.dll
2007-07-09 11:58 70,144 ----a-w C:\Program Files\Common Files\lavuk586.dll
2007-07-08 14:56 70,144 ----a-w C:\Program Files\Common Files\lavuk557.dll
2007-07-07 15:09 70,144 ----a-w C:\Program Files\Common Files\lavuk93.dll
2007-07-06 23:27 70,144 ----a-w C:\Program Files\Common Files\lavuk977.dll
2007-07-06 22:51 70,144 ----a-w C:\Program Files\Common Files\lavuk534.dll
2007-07-06 19:46 70,144 ----a-w C:\Program Files\Common Files\lavuk476.dll
2007-07-05 22:24 70,144 ----a-w C:\Program Files\Common Files\lavuk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{163AF8FD-E78A-4F92-805C-07A5AF15FA3E}]
C:\WINDOWS\system32\efedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
C:\Program Files\Outerinfo\Outerinfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{306F3E8B-D117-AE9C-1A63-FE8DCA26D0CE}]
C:\WINDOWS\system32\koscras.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69A30844-BEF7-4DA5-9350-6497FA9DE90E}]
2007-12-24 09:41 334336 --a------ C:\WINDOWS\system32\byvvv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-12-24 09:42]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-24 09:43]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-24 09:43]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-24 09:44]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="C:\WINDOWS\System32\dpmw32.exe" []
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-26 11:01 C:\WINDOWS\system32\nwiz.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2007-12-24 09:43]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2007-12-24 09:43]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-24 09:43]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2007-12-24 09:44]
"ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2007-12-24 09:44]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-24 09:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-24 09:44]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2007-12-24 09:44]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 12:46]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2007-12-24 09:44]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2007-12-24 09:44]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-24 09:44]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-24 09:44]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-24 09:44]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-24 09:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Remote Update Monitor.lnk - C:\Program Files\Sophos\Remote Update\imonitor.exe [2005-10-05 12:33:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\byvvv.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 C:\WINDOWS\system32\byvvv

R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2002-08-28 21:59]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-11-22 19:01]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 09:41:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\byvvv.dll
.
Completion time: 2007-12-24 9:46:41 - machine was rebooted
.
2007-12-22 14:01:14 --- E O F ---
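The most telling lines in the ComboFix output above are in the "Reg Loading Points" section: `Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 C:\WINDOWS\system32\byvvv` registers byvvv as an LSA authentication package, so lsass.exe loads it at every boot before any user logs in; the same byvvv.dll, plus efedd.dll and koscras.dll, are Browser Helper Objects dropped straight into system32 with no vendor folder; and a Winlogon Notify package (`notify\Sebring`, LgNotify.dll) is loaded into winlogon.exe. This is what makes the family named in the thread title (Vundo/Virtumonde) survive a plain file deletion. The following script, an added example that is not part of the thread and not a ComboFix feature, parses that REGEDIT4-style section and flags those three persistence points. The sample text is a constructed excerpt of the posted log; the LSA baseline and the allow-listing of `nwv1_0` as belonging to the Novell client that is visible elsewhere in the log (cusrvc, NWTRAY) are assumptions made for this example.

```python
"""Triage of the "Reg Loading Points" section of a ComboFix log.

Added example, not part of the original thread.  SAMPLE is a constructed
excerpt of the posted log; LSA_BASELINE and LSA_KNOWN_THIRD_PARTY are
assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# A stock Windows XP install lists exactly one authentication package.
LSA_BASELINE = {"msv1_0"}
# nwv1_0 is assumed to belong to the Novell client this machine runs
# (cusrvc, NWTRAY in the log); still worth confirming the DLL's vendor.
LSA_KNOWN_THIRD_PARTY = {"nwv1_0"}

SECTION = re.compile(r"^\[(.+)\]$")
LSA_VALUE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.*)$")
# ComboFix prefixes some paths with date/size/attributes; take the first
# drive-letter path ending in .dll or .exe on the line.
FIRST_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)

Finding = Tuple[str, str]  # (reason, item)


def parse_loading_points(text: str) -> Dict[str, List[str]]:
    """Map each [section] header to the non-empty lines that follow it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def check_lsa_packages(sections: Dict[str, List[str]]) -> List[Finding]:
    """Every package beyond msv1_0 is a DLL lsass.exe loads at boot."""
    findings: List[Finding] = []
    for name, values in sections.items():
        if not name.lower().endswith("\\control\\lsa"):
            continue
        for value in values:
            m = LSA_VALUE.match(value)
            if not m:
                continue
            # Assumption: package names and paths contain no spaces (true here).
            for pkg in m.group(1).split():
                key = pkg.lower()
                if key in LSA_BASELINE:
                    continue
                if key in LSA_KNOWN_THIRD_PARTY:
                    findings.append(("lsa: third-party package, confirm vendor", pkg))
                else:
                    findings.append(("lsa: unexpected authentication package", pkg))
    return findings


def check_bhos(sections: Dict[str, List[str]]) -> List[Finding]:
    """Vendors ship BHOs under Program Files; a bare DLL in system32 is the
    placement Vundo/Virtumonde uses."""
    findings: List[Finding] = []
    for name, values in sections.items():
        if "browser helper objects" not in name.lower():
            continue
        for value in values:
            m = FIRST_PATH.search(value)
            if not m:
                continue
            path = m.group(0)
            folder = path.lower().rsplit("\\", 1)[0]
            if folder.endswith("\\system32"):
                findings.append(("bho: DLL dropped directly in system32", path))
            else:
                findings.append(("bho: review", path))
    return findings


def check_winlogon_notify(sections: Dict[str, List[str]]) -> List[Finding]:
    """Notify packages are loaded into winlogon.exe; each needs a known vendor."""
    findings: List[Finding] = []
    for name, values in sections.items():
        if "\\winlogon\\notify\\" not in name.lower():
            continue
        subkey = name.rsplit("\\", 1)[1]
        for value in values:
            m = FIRST_PATH.search(value)
            if m:
                findings.append(("winlogon notify: verify vendor", f"{subkey} -> {m.group(0)}"))
    return findings


def triage_combofix(text: str) -> List[Finding]:
    sections = parse_loading_points(text)
    return (check_lsa_packages(sections) + check_bhos(sections)
            + check_winlogon_notify(sections))


# Constructed excerpt of the "Reg Loading Points" section posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{163AF8FD-E78A-4F92-805C-07A5AF15FA3E}]
C:\WINDOWS\system32\efedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
C:\Program Files\Outerinfo\Outerinfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69A30844-BEF7-4DA5-9350-6497FA9DE90E}]
2007-12-24 09:41 334336 --a------ C:\WINDOWS\system32\byvvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 C:\WINDOWS\system32\byvvv
"""

if __name__ == "__main__":
    for reason, item in triage_combofix(SAMPLE):
        print(f"[{reason}] {item}")
```

The LSA finding is the one that matters for cleanup order: a DLL listed there is mapped into lsass.exe before Explorer starts, so it can re-create the Run entries and BHO registrations that a file-level tool removes, which is why the helper's next step is a ComboFix script rather than manual deletion.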

#4 gilmourfam

  • Topic Starter
  • Members
  • 19 posts

Posted 24 December 2007 - 10:51 AM

I also tried to remove Zedo by going to Start > Search, searching for core.sys and deleting it, finding core.cache.dsk and deleting it, and looking for the Core folder in the HKEY registry. The core file wasn't in the HKEY registry, but I found core.sys and core.cache.dsk and deleted them.

#5 Buckeye_Sam

  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 24 December 2007 - 11:15 AM

There's still a bunch of stuff there we need to get rid of.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click File (in the menu at the top) > Save As..., set "Save as type" to 'All Files', enter CFScript as the file name, and save it to your desktop.


File::
C:\WINDOWS\winshow .exe
C:\WINDOWS\system32\byvvv.exe
C:\WINDOWS\system32\dpmw32 .exe
C:\WINDOWS\system32\byvvv.dll
C:\Program Files\Common Files\lavuk949
C:\Program Files\Common Files\lavuk949.dll
C:\Program Files\Common Files\lavuk586.dll
C:\Program Files\Common Files\lavuk557.dll
C:\Program Files\Common Files\lavuk93.dll
C:\Program Files\Common Files\lavuk977.dll
C:\Program Files\Common Files\lavuk534.dll
C:\Program Files\Common Files\lavuk476.dll
C:\Program Files\Common Files\lavuk.dll

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

(image: the CFScript file being dragged onto ComboFix.exe)

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.


=================


It looks like you have a very serious infection.
Let's run an F-Secure online scan for viruses, spyware and rootkits:
  • Go to http://support.f-secure.com/enu/home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the ActiveX control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


#6 gilmourfam

  • Topic Starter
  • Members
  • 19 posts

Posted 24 December 2007 - 12:05 PM

Here's the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:55 AM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr .exe
C:\Program Files\Dell\QuickSet\quickset .exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD .exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lexmark 4300 Series\lxcemon .exe
C:\Program Files\Lexmark 4300 Series\ezprint .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\System32\lxcecoms.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\Program Files\MySpace\IM\MySpaceIM .exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\byvvv.exe
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128534431706
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128534422873
O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} (ImageGear ActiveX-12) - https://rod.sedgwickcounty.org/inc/imgearv1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 10885 bytes


Here is the ComboFix log


ComboFix 07-12-21.4 - Lacy 2007-12-24 10:46:35.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.211 [GMT -6:00]
Running from: C:\Documents and Settings\Lacy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lacy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Common Files\lavuk.dll
C:\Program Files\Common Files\lavuk476.dll
C:\Program Files\Common Files\lavuk534.dll
C:\Program Files\Common Files\lavuk557.dll
C:\Program Files\Common Files\lavuk586.dll
C:\Program Files\Common Files\lavuk93.dll
C:\Program Files\Common Files\lavuk949
C:\Program Files\Common Files\lavuk949.dll
C:\Program Files\Common Files\lavuk977.dll
C:\WINDOWS\system32\byvvv.dll
C:\WINDOWS\system32\byvvv.exe
C:\WINDOWS\system32\dpmw32 .exe
C:\WINDOWS\winshow .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\lavuk.dll
C:\Program Files\Common Files\lavuk476.dll
C:\Program Files\Common Files\lavuk534.dll
C:\Program Files\Common Files\lavuk557.dll
C:\Program Files\Common Files\lavuk586.dll
C:\Program Files\Common Files\lavuk93.dll
C:\Program Files\Common Files\lavuk949
C:\Program Files\Common Files\lavuk949.dll
C:\Program Files\Common Files\lavuk977.dll
C:\WINDOWS\system32\byvvv.dll
C:\WINDOWS\system32\byvvv.exe
C:\WINDOWS\system32\dpmw32 .exe
C:\WINDOWS\system32\vvvyb.ini
C:\WINDOWS\system32\vvvyb.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-24 09:42 . 2007-12-24 10:56 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 09:20 . 2007-12-24 09:20 36,352 --a------ C:\WINDOWS\winshow .exe
2007-12-24 08:26 . 2007-12-24 08:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 19:36 . 2007-12-24 09:12 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-23 16:37 . 2007-12-23 16:37 <DIR> d-------- C:\Program Files\Sun
2007-12-23 16:37 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 16:32 . 2007-12-23 16:32 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 08:45 . 2007-12-23 19:36 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 19:59 . 2007-12-23 08:42 639,040 --a------ C:\WINDOWS\system32\ZCfgSvc .exe
2007-12-21 18:54 . 2007-12-21 18:54 39,936 --a------ C:\WINDOWS\17PHolmes1000106.exe
2007-12-21 18:52 . 2007-12-21 18:52 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-21 18:52 . 2007-12-21 18:53 <DIR> d-------- C:\Temp\cEeer12
2007-12-21 18:35 . 2007-12-21 18:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 18:35 . 2007-12-21 18:35 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 19:55 . 2007-12-04 19:55 <DIR> d-------- C:\Program Files\WinGlucofacts Professional 3.03
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\WIN.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\SYSTEM.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\PROTOCOL.INI
2007-11-26 21:08 . 2007-11-26 21:08 <DIR> d-------- C:\Program Files\ASA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 16:55 334,336 ----a-w C:\WINDOWS\system32\byvvv.dll
2007-12-24 16:55 --------- d-----w C:\Program Files\QuickTime
2007-12-24 16:48 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-24 16:48 --------- d-----w C:\Program Files\Lexmark 4300 Series
2007-12-24 16:48 --------- d-----w C:\Program Files\iTunes
2007-12-24 16:48 --------- d-----w C:\Program Files\Dell AIO Printer A920
2007-12-24 15:17 --------- d-----w C:\Program Files\Napster
2007-12-24 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-23 22:37 --------- d-----w C:\Program Files\Java
2007-12-22 21:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 17:35 --------- d-----w C:\Program Files\Lx_cats
2007-11-27 04:02 --------- d-----w C:\Program Files\GroundSchool
2007-11-16 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_ 9.44.53.80 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-24 16:54:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_73c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{163AF8FD-E78A-4F92-805C-07A5AF15FA3E}]
C:\WINDOWS\system32\efedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
C:\Program Files\Outerinfo\Outerinfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{306F3E8B-D117-AE9C-1A63-FE8DCA26D0CE}]
C:\WINDOWS\system32\koscras.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1A772E0-09DE-41CC-A2FE-3F9308701E3B}]
2007-12-24 10:55 334336 --a------ C:\WINDOWS\system32\byvvv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-12-24 10:47]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-12-24 10:56]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-24 10:48]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-24 10:58]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="C:\WINDOWS\System32\dpmw32.exe" []
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-26 11:01 C:\WINDOWS\system32\nwiz.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset .exe" [2007-12-24 10:58]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2007-12-24 10:58]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-12-24 10:58]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2007-12-24 10:58]
"ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2007-12-24 10:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-24 10:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-24 10:58]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [2007-12-24 10:58]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 12:46]
"lxcemon.exe"="C:\Program Files\Lexmark 4300 Series\lxcemon.exe" [2007-12-24 10:58]
"EzPrint"="C:\Program Files\Lexmark 4300 Series\ezprint.exe" [2007-12-24 10:58]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-12-24 10:58]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-12-24 10:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-24 10:58]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-24 10:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Remote Update Monitor.lnk - C:\Program Files\Sophos\Remote Update\imonitor.exe [2005-10-05 12:33:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\byvvv.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 C:\WINDOWS\system32\byvvv

R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2002-08-28 21:59]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-11-22 19:01]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 10:54:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

I am getting ready to do the F-Secure scan now. I will post the results when it's done.
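As an added example, written for this page and not part of the post or of HijackThis or ComboFix, the Python script below pulls three indicators that are visible in the logs above out of raw log text: file names with a space directly before the extension (the "lxcemon .exe" and "ctfmon .exe" style entries, which ComboFix deleted and F-Secure later renamed), a win.ini load= autostart (the F3 line pointing at byvvv.exe), and LSA Authentication Packages beyond the Windows default. The sample text is a handful of lines copied from the logs in this post, and the expected-package set {msv1_0} is an assumption: it is the XP default, so nwv1_0 (the Novell client's package; the client's services also appear in the log) is reported for review next to the byvvv entry rather than silently accepted or silently removed.

```python
import re

# Constructed sample: lines copied from the HijackThis and ComboFix output in
# the post above (a subset), plus one clean HijackThis line for contrast.
SAMPLE_LOG = r"""
C:\Program Files\Lexmark 4300 Series\lxcemon .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\byvvv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
2007-12-24 09:42 . 2007-12-24 10:56 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0 C:\WINDOWS\system32\byvvv
"""

# Any drive-letter path ending in .exe/.dll (or .0xe, the extension F-Secure
# gives a file it renames, as in the second ComboFix log).  Quotes and
# brackets end a path; spaces do not, because "Program Files" contains one.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+?\.(?:exe|dll|0xe)\b', re.I)

# Whitespace immediately before the extension, e.g. "ctfmon .exe".
SPACE_BEFORE_EXT_RE = re.compile(r'\s\.(?:exe|dll|0xe)$', re.I)

# HijackThis F-lines: legacy win.ini load=/run= autostarts mirrored in the
# registry; current installers do not use them.
LEGACY_RE = re.compile(r'^F[0-3] - REG:win\.ini: (load|run)=(.+)$', re.M)

# Assumption: the XP default.  Anything else (here nwv1_0 from the Novell
# client, and the byvvv path) is reported for a human to judge.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def find_space_before_extension(log_text):
    """Return the distinct paths whose file name has whitespace before .exe/.dll."""
    hits = set()
    for path in PATH_RE.findall(log_text):
        name = path.rsplit("\\", 1)[-1]
        if SPACE_BEFORE_EXT_RE.search(name):
            hits.add(path)
    return sorted(hits)


def legacy_winini_autostarts(log_text):
    """Return (key, command) pairs for win.ini load=/run= entries."""
    return [(key, cmd.strip()) for key, cmd in LEGACY_RE.findall(log_text)]


def unexpected_auth_packages(log_text):
    """Return LSA Authentication Packages entries outside the default set.

    ComboFix prints the REG_MULTI_SZ space-separated, so a package path that
    itself contains a space would be split here; confirm against the live
    registry value before acting on the result.
    """
    m = re.search(r'Authentication Packages\s+REG_MULTI_SZ\s+(.+)', log_text)
    if not m:
        return []
    return [p for p in m.group(1).split()
            if p.lower() not in DEFAULT_AUTH_PACKAGES]


def triage(log_text):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "space_before_extension": find_space_before_extension(log_text),
        "legacy_winini_autostart": legacy_winini_autostarts(log_text),
        "unexpected_auth_packages": unexpected_auth_packages(log_text),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(check)
        for item in findings:
            print("   ", item)
```

To use it on a real case, pass the contents of a saved HijackThis or ComboFix log instead of SAMPLE_LOG. The checks are deliberately narrow: a space before the extension is something no installer produces, and load= or an extra authentication package are autostarts most users never touch, so each hit is worth a look even though none of them proves infection on its own.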

#7 Buckeye_Sam
Malware Expert, Members, 17,382 posts, Pickerington, Ohio

Posted 24 December 2007 - 12:09 PM

Ok, sounds good. Post back when it finishes. I'll be around for another couple hours, then I'll catch up to you later tonight.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 gilmourfam
Topic Starter, Members, 19 posts

Posted 24 December 2007 - 03:20 PM

Here is the F-Secure online scan log. What do I do next?

Scanning Report
Monday, December 24, 2007 11:12:55 - 14:18:19
Computer name: USER-ZNJAJHG4AL
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 328 malware found
PurityScan (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System (323 further Tracking Cookie entries, each reported only as "System", with no action taken)
Trojan-Downloader.Win32.VB.bvj (virus)
C:\WINDOWS\WINSHOW .EXE (Renamed & Submitted)
Trojan.Win32.Agent.aoy (virus)
C:\WINDOWS\SYSTEM32\CYJCSPUN.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\GRNEUUIH.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 42251
System: 5632
Not scanned: 2
Actions:
Disinfected: 2
Renamed: 3
Deleted: 0
None: 323
Submitted: 3
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-12-24
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Libra: 2.4.2, 2007-12-20
F-Secure Orion: 1.2.37, 2007-12-24
F-Secure Pegasus: 1.19.0, 2007-11-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX SWF
Use Advanced heuristics

#9 Buckeye_Sam
Malware Expert, Members, 17,382 posts, Pickerington, Ohio

Posted 24 December 2007 - 10:02 PM

Many of your startup files have become infected. We'll try to disinfect them, but you should know that this is only successful part of the time, and you may have to reinstall some of these programs. But we'll try to disinfect them first.

Copy and paste ALL of the following text (the block below) into Notepad.
Click File (in the menu at the top) > Save As, set "Save as type" to "All Files", set the file name to CFScript, and save it to your desktop.


File::
C:\WINDOWS\system32\byvvv.dll
C:\WINDOWS\system32\efedd.dll
C:\WINDOWS\system32\koscras.dll
C:\WINDOWS\system32\byvvv.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{163AF8FD-E78A-4F92-805C-07A5AF15FA3E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{306F3E8B-D117-AE9C-1A63-FE8DCA26D0CE}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"=-
"MSMSGS"=-
"MySpaceIM"=-
"YSearchProtection"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"=-
"Dell QuickSet"=-
"Dell AIO Printer A920"=-
"FaxCenterServer"=-
"SsAAD.exe"=-
"PRONoMgr.exe"=-
"iTunesHelper"=-
"QuickTime Task"=-
"ESP"=-
"lxcemon.exe"=-
"EzPrint"=-
"Adobe Reader Speed Launcher"=-
"YSearchProtection"=-
"SunJavaUpdateSched"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now drag and drop the CFScript file onto ComboFix.exe, as seen in the image below.

[image: CFScript dropped onto ComboFix.exe]

This will start ComboFix again.
After the reboot (if it asks to reboot), post the contents of ComboFix.txt in your next reply.


==============


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This scans the files currently running in memory; when something is found, click Yes when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks whether you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Please post the log from the Dr.Web scan as well.
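The last Registry:: line in the CFScript above writes the LSA Authentication Packages value as a raw hex(7) (REG_MULTI_SZ) byte list. As an added example that is not part of the post or of ComboFix, the Python decoder/encoder below shows what those bytes say and how to build such a value, so a script of this kind can be read back before it is dropped onto ComboFix.exe. It assumes REGEDIT4 conventions (one byte per character, each string NUL-terminated, the list terminated by one more NUL), which is what the eight bytes in the script imply; the script excerpt embedded in the code is copied from the post.

```python
import re

# Excerpt of the CFScript from the post above (copied from the post).
CFSCRIPT_EXCERPT = r'''Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# "Name"=hex(7):aa,bb,... on a single line (the form used in the post).
HEX7_RE = re.compile(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]+)$', re.M)


def decode_hex7(hex_text):
    """Turn a REGEDIT4 hex(7) byte list into the list of strings it encodes.

    REGEDIT4 hex(7) is ANSI (one byte per character); each string ends in a
    NUL and the whole list ends in one more NUL, so "msv1_0" is eight bytes.
    """
    raw = bytes(int(tok, 16) for tok in hex_text.split(",") if tok.strip())
    text = raw.decode("latin-1")
    body = text.rstrip("\x00")          # drop the list terminator
    return body.split("\x00") if body else []


def encode_hex7(strings):
    """Inverse of decode_hex7: build the comma-separated byte list."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def multi_sz_values(script_text):
    """Map every hex(7) value name in a CFScript/.reg text to its strings."""
    return {name: decode_hex7(hex_part)
            for name, hex_part in HEX7_RE.findall(script_text)}


if __name__ == "__main__":
    for name, strings in multi_sz_values(CFSCRIPT_EXCERPT).items():
        print(f"{name}: {strings}")
    print(encode_hex7(["msv1_0", "nwv1_0"]))
```

Decoding the posted value gives ["msv1_0"] only: the script replaces the whole list, so the Novell nwv1_0 entry seen in the earlier ComboFix dump is dropped along with the byvvv path. Whether that is wanted depends on whether the machine still needs the Novell client to log in; encode_hex7 builds the alternative value if it does.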


========================================================

#10 gilmourfam
Topic Starter, Members, 19 posts

Posted 25 December 2007 - 02:05 AM

Okay. Here is the ComboFix log first, after the CFScript.

ComboFix 07-12-21.4 - Lacy 2007-12-25 0:21:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.168 [GMT -6:00]
Running from: C:\Documents and Settings\Lacy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lacy\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\byvvv.dll
C:\WINDOWS\system32\byvvv.exe
C:\WINDOWS\system32\efedd.dll
C:\WINDOWS\system32\koscras.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\byvvv.dll
C:\WINDOWS\system32\byvvv.exe
C:\WINDOWS\system32\vvvyb.ini
C:\WINDOWS\system32\vvvyb.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
.

2007-12-24 09:42 . 2007-12-24 10:56 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 09:20 . 2007-12-24 09:20 36,352 --a------ C:\WINDOWS\WINSHOW .0XE
2007-12-24 08:26 . 2007-12-24 08:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 19:36 . 2007-12-24 09:12 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-23 16:37 . 2007-12-23 16:37 <DIR> d-------- C:\Program Files\Sun
2007-12-23 16:37 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 16:32 . 2007-12-23 16:32 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 08:45 . 2007-12-23 19:36 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 19:59 . 2007-12-23 08:42 639,040 --a------ C:\WINDOWS\system32\ZCfgSvc .exe
2007-12-21 18:54 . 2007-12-21 18:54 39,936 --a------ C:\WINDOWS\17PHolmes1000106.exe
2007-12-21 18:52 . 2007-12-21 18:52 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-21 18:52 . 2007-12-21 18:53 <DIR> d-------- C:\Temp\cEeer12
2007-12-21 18:35 . 2007-12-21 18:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-21 18:35 . 2007-12-21 18:35 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-04 19:55 . 2007-12-04 19:55 <DIR> d-------- C:\Program Files\WinGlucofacts Professional 3.03
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\WIN.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\SYSTEM.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\PROTOCOL.INI
2007-11-26 21:08 . 2007-11-26 21:08 <DIR> d-------- C:\Program Files\ASA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 06:22 --------- d-----w C:\Program Files\QuickTime
2007-12-25 06:22 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-25 06:22 --------- d-----w C:\Program Files\Lexmark 4300 Series
2007-12-25 06:22 --------- d-----w C:\Program Files\iTunes
2007-12-25 06:22 --------- d-----w C:\Program Files\Dell AIO Printer A920
2007-12-24 15:17 --------- d-----w C:\Program Files\Napster
2007-12-24 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-23 22:37 --------- d-----w C:\Program Files\Java
2007-12-22 21:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 17:35 --------- d-----w C:\Program Files\Lx_cats
2007-11-27 04:02 --------- d-----w C:\Program Files\GroundSchool
2007-11-16 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_ 9.44.53.80 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-07 22:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 22:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 22:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-12-25 06:30:23 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-26 11:01 C:\WINDOWS\system32\nwiz.exe]
"ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe" []
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 12:46]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Remote Update Monitor.lnk - C:\Program Files\Sophos\Remote Update\imonitor.exe [2005-10-05 12:33:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2002-08-28 21:59]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-11-22 19:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b424ff70-d00a-11da-9b2a-0040964318f5}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 00:30:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-25 0:32:32 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-24 11:00
C:\ComboFix3.txt ... 2007-12-24 10:45
.
2007-12-22 14:01:14 --- E O F ---


Now here is the Dr.Web CureIt log

msmsgs.exe;c:\program files\messenger;Trojan.Virtumod.253;Deleted.;
popcaploader.dll;c:\windows\downloaded program files;Program.PopcapLoader;Incurable.Deleted.;



That's it. Now what should I do?

#11 gilmourfam

gilmourfam
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:43 AM

Posted 25 December 2007 - 02:05 AM


#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 December 2007 - 04:57 PM

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Also post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
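The scan log that comes back from these steps is usually dominated by hits that are already contained (ComboFix's quarantine, VundoFix backups, System Restore snapshots) rather than live files, and the live ones often carry names dressed up as system binaries. As an added example, not part of this thread or of SUPERAntiSpyware, here is a Python triage script that separates the two and flags masquerading names (a space before the extension such as "ctfmon .exe", or a .0XE extension); the sample log is constructed in the SAS layout and the restore-point GUID is a placeholder.

```python
"""Triage helper for a SUPERAntiSpyware scan log (added example, not SAS code).

Hits under a quarantine folder, in VundoFix backups or inside a System Restore
snapshot are already contained; the paths that still matter are the ones
living in the Windows tree, especially names imitating system binaries.
"""
import re
from collections import OrderedDict

# Locations where a hit is an already-neutralised or stale copy.
CONTAINED_MARKERS = (
    "\\QOOBOX\\QUARANTINE\\",                  # ComboFix quarantine
    "\\VUNDOFIX BACKUPS\\",                    # VundoFix backups
    "\\SYSTEM VOLUME INFORMATION\\_RESTORE{",  # System Restore snapshots
    "\\YPSR\\QUARANTINE\\",                    # Yahoo Anti-Spy quarantine
)

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# A space before the extension ("ctfmon .exe") or a .0XE extension (a renamed
# .EXE) are ways a dropped file passes itself off as a legitimate binary.
MASQUERADE_RE = re.compile(r"( \.[A-Za-z0-9]+$)|(\.0XE$)", re.IGNORECASE)

# Constructed sample in the SAS log layout: a detection name, its paths, then a
# blank line.  The restore-point GUID is a placeholder, not a real value.
SAMPLE_LOG = r"""
Scan type : Complete Scan
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Lacy\Cookies\lacy@example-adserver[1].txt

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\O02PREZ\O02PREZ1065.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{GUID-PLACEHOLDER}\RP277\A0120528.EXE
C:\WINDOWS\SYSTEM32\ARDCO02\ARDCO021099.EXE

Adware.eZula
C:\WINDOWS\SYSTEM32\CYJCSPUN.0XE
"""


def parse_sas_log(text):
    """Return an ordered mapping {detection name: [paths]} from a SAS log.

    Any non-path line becomes the current detection name; header lines such as
    "Scan type : ..." never receive paths, so they never appear in the result.
    """
    hits = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif PATH_RE.match(line):
            if current is not None:
                hits.setdefault(current, []).append(line)
        else:
            current = line
    return hits


def is_contained(path):
    """True when the path sits in a quarantine, backup or restore-point area."""
    upper = path.upper()
    return any(marker in upper for marker in CONTAINED_MARKERS)


def looks_masqueraded(path):
    """True for file names that imitate a legitimate binary."""
    name = path.rsplit("\\", 1)[-1]
    return MASQUERADE_RE.search(name) is not None


def triage(text):
    """Split hits into live files (need action), contained copies and cookies."""
    report = {"live": [], "contained": 0, "cookies": 0, "masqueraded": []}
    for category, paths in parse_sas_log(text).items():
        for path in paths:
            if category.startswith("Adware.Tracking Cookie"):
                report["cookies"] += 1
            elif is_contained(path):
                report["contained"] += 1
            else:
                report["live"].append((category, path))
                if looks_masqueraded(path):
                    report["masqueraded"].append(path)
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print(f"cookies: {rep['cookies']}, contained copies: {rep['contained']}")
    for category, path in rep["live"]:
        flag = "  <- masquerading name" if path in rep["masqueraded"] else ""
        print(f"LIVE  {category}: {path}{flag}")
```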

#13 gilmourfam
  • Topic Starter
  • Members
  • 19 posts

Posted 25 December 2007 - 07:34 PM

Here is the SUPERAntiSpyware log


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/25/2007 at 06:25 PM

Application Version : 3.9.1008

Core Rules Database Version : 3368
Trace Rules Database Version: 1365

Scan type : Complete Scan
Total Scan Time : 00:55:17

Memory items scanned : 362
Memory threats detected : 0
Registry items scanned : 6731
Registry threats detected : 0
File items scanned : 42072
File threats detected : 329

Adware.Tracking Cookie

Adware.180solutions/Search Assistant
C:\PROGRAM FILES\YAHOO!\YPSR\QUARANTINE\PPQ4C.TMP\MEDIAGATEWAY.EXE
C:\PROGRAM FILES\YAHOO!\YPSR\QUARANTINE\PPQ5B.TMP

Trojan.ZQuest
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK476.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK534.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK557.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK586.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK93.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK949.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAVUK977.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP269\A0113030.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120741.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120742.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120743.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120744.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120745.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120746.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120747.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120748.DLL

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BVLEATY.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0114118.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0115116.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120516.DLL

Trojan.Downloader-Gen/TaLDrv
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\J2\XEBMBRPL6.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120522.EXE

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\O02PREZ\O02PREZ1065.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120528.EXE
C:\WINDOWS\SYSTEM32\ARDCO02\ARDCO021099.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\O9\PARREO83122.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSAPISV32.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0114119.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0114120.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120515.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120523.EXE

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VTUSSSP.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120517.DLL
C:\VUNDOFIX BACKUPS\ETSIHPAK.DLL.BAD
C:\VUNDOFIX BACKUPS\OXCEAIDE.DLL.BAD
C:\VUNDOFIX BACKUPS\VTUSSSP.DLL.BAD
C:\VUNDOFIX BACKUPS\WATYRQIT.DLL.BAD

Adware.Mirar/NetNucleus
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WINNB58.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120530.DLL

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\X1\ROBLCIDR31Z.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0115115.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120524.EXE

Trojan.ZQuest-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120531.EXE

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP269\A0114089.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP269\A0114100.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0114123.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0114124.EXE

Trojan.NetMon/DNSChange
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP270\A0114121.EXE

Adware.Vundo/Traff-2
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP272\A0118138.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP272\A0118140.EXE
C:\VUNDOFIX BACKUPS\AMDGNBRC.EXE.BAD
C:\VUNDOFIX BACKUPS\KESNWMAG.EXE.BAD

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP272\A0118139.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120536.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP279\A0120639.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP282\A0120740.DLL

Trojan.Rootkit-TnCore/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP277\A0120527.EXE

Adware.eZula
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP283\A0120834.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5D2A7D02-C79A-44BF-8BF3-A8D419988BCF}\RP283\A0120835.EXE
C:\WINDOWS\SYSTEM32\CYJCSPUN.0XE
C:\WINDOWS\SYSTEM32\GRNEUUIH.0XE

Trojan.Downloader-Gen/Blah
C:\VUNDOFIX BACKUPS\KHFFEEF.DLL.BAD

Trojan.Downloader-Gen/HitItQuitIt
C:\VUNDOFIX BACKUPS\MLJKIJK.DLL.BAD
C:\VUNDOFIX BACKUPS\OPNOOPQ.DLL.BAD

Trojan.Unclassified/17PHolmes
C:\WINDOWS\17PHOLMES1000106.EXE




Here is the HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:37 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Sophos\Remote Update\cachemgr.exe
c:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\Remote Update\imonitor.exe
C:\WINDOWS\System32\lxcecoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Cox Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\Cox\Applications\App\popupbho01.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128534431706
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128534422873
O16 - DPF: {74CAD4F9-5085-4F13-8CD5-7F96F4D0B768} (ImageGear ActiveX-12) - https://rod.sedgwickcounty.org/inc/imgearv1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - c:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcecoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe


End of file - 9143 bytes


Man, I had a lot of stuff. What next?

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 26 December 2007 - 08:17 AM

Yeah, but most of what it found was already quarantined. And it didn't take care of the one that I wanted.
Let's run this online virus scan.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new combofix log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 gilmourfam
  • Topic Starter

  • Members
  • 19 posts

Posted 27 December 2007 - 08:31 AM

Here is the ComboFix log

ComboFix 07-12-21.4 - Lacy 2007-12-27 7:15:16.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.215 [GMT -6:00]
Running from: C:\Documents and Settings\Lacy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\byvvv.dll
C:\WINDOWS\system32\vvvyb.ini
C:\WINDOWS\system32\vvvyb.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-26 21:23 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2007-12-26 21:21 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\cwuaprpkwldh.sys
2007-12-26 21:09 . 2007-12-26 22:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-26 21:09 . 2007-12-26 21:09 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-26 21:09 . 2007-12-26 21:09 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-26 21:09 . 2007-12-26 21:09 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-25 21:04 . 2007-12-27 07:15 337,920 --a------ C:\WINDOWS\system32\byvvv.exe
2007-12-25 17:28 . 2007-12-26 22:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-25 17:28 . 2007-12-25 17:28 <DIR> d-------- C:\Documents and Settings\Lacy\Application Data\SUPERAntiSpyware.com
2007-12-25 17:28 . 2007-12-25 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-25 00:56 . 2007-12-25 00:56 <DIR> d-------- C:\Documents and Settings\Lacy\DoctorWeb
2007-12-24 09:42 . 2007-12-26 21:01 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-24 09:20 . 2007-12-24 09:20 36,352 --a------ C:\WINDOWS\WINSHOW .0XE
2007-12-24 08:26 . 2007-12-24 08:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-23 19:36 . 2007-12-24 09:12 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-23 16:37 . 2007-12-23 16:37 <DIR> d-------- C:\Program Files\Sun
2007-12-23 16:37 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-23 16:32 . 2007-12-23 16:32 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-23 08:45 . 2007-12-23 19:36 376,320 --a------ C:\WINDOWS\winshow .exe
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-22 09:46 . 2007-12-22 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-21 19:59 . 2007-12-23 08:42 639,040 --a------ C:\WINDOWS\system32\ZCfgSvc .exe
2007-12-21 18:52 . 2007-12-25 18:27 <DIR> d-------- C:\WINDOWS\system32\ardCo02
2007-12-21 18:52 . 2007-12-21 18:53 <DIR> d-------- C:\Temp\cEeer12
2007-12-04 19:55 . 2007-12-04 19:55 <DIR> d-------- C:\Program Files\WinGlucofacts Professional 3.03
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\WIN.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\SYSTEM.INI
2007-12-04 19:55 . 2007-12-04 19:55 8 --a------ C:\WINDOWS\system32\PROTOCOL.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 03:52 --------- d-----w C:\Program Files\Common Files\Command Software
2007-12-25 23:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-25 06:22 --------- d-----w C:\Program Files\QuickTime
2007-12-25 06:22 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2007-12-25 06:22 --------- d-----w C:\Program Files\Lexmark 4300 Series
2007-12-25 06:22 --------- d-----w C:\Program Files\iTunes
2007-12-25 06:22 --------- d-----w C:\Program Files\Dell AIO Printer A920
2007-12-24 15:17 --------- d-----w C:\Program Files\Napster
2007-12-24 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-23 22:37 --------- d-----w C:\Program Files\Java
2007-12-22 21:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-22 17:35 --------- d-----w C:\Program Files\Lx_cats
2007-11-27 04:02 --------- d-----w C:\Program Files\GroundSchool
2007-11-27 03:08 --------- d-----w C:\Program Files\ASA
2007-11-16 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-24_ 9.44.53.80 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 14:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-05-07 22:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 22:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 22:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-12-25 23:28:07 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-25 23:28:07 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-25 23:28:07 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-03-29 15:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 22:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 20:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 17:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 19:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 15:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-17 00:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-26 00:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 17:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 21:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 19:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 16:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 19:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-17 00:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 22:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 17:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 20:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 20:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 16:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 19:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2007-11-21 16:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 19:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 17:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 17:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 14:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 20:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 16:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 16:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 22:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 15:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 16:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 20:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 20:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 19:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 14:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 14:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 15:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 20:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 15:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 17:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 14:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 21:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 14:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 14:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 21:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 17:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 17:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 23:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 20:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 15:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 16:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 12:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 23:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 15:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
+ 2006-08-02 18:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2007-12-01 20:03:57 61,660 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-27 04:34:20 61,660 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-01 20:03:57 401,652 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-27 04:34:20 401,652 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2003-03-26 00:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
+ 2007-12-27 13:24:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_738.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 C:\WINDOWS\system32\nwtray.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 01:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-10-26 11:01 C:\WINDOWS\system32\nwiz.exe]
"ZCfgSvc.exe"="C:\WINDOWS\System32\ZCfgSvc.exe" []
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 12:46]
"NapsterShell"="C:\Program Files\Napster\napster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Remote Update Monitor.lnk - C:\Program Files\Sophos\Remote Update\imonitor.exe [2005-10-05 12:33:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2005-07-05 00:33 188482 C:\WINDOWS\system32\LgNotify.dll

R3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys [2002-08-28 21:59]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-11-22 19:01]
S3 SDTHOOK;SDTHOOK;C:\WINDOWS\system32\DRIVERS\SDTHOOK.sys [2007-06-05 10:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b424ff70-d00a-11da-9b2a-0040964318f5}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 07:24:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 7:26:39 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-25 00:32
C:\ComboFix3.txt ... 2007-12-24 11:00
.
2007-12-22 14:01:14 --- E O F ---




Here is the ActiveScan log


Incident Status Location

Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Possible Virus. Not disinfected C:\DELL\drivers\R60362\Setup.exe
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@adrevolver[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@atdmt[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@go[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@questionmarket[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@server.iad.liveperson[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@statse.webtrendslive[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@tribalfusion[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@web.tickle[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@www.myaffiliateprogram[1].txt
Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@www47.buydomains[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lacy\Cookies\lacy@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Lacy\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Lacy\Desktop\ComboFix.exe[nircmd.cfexe]
Possible Virus. Not disinfected C:\Program Files\FaxTools\Install\Setup.exe
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\Setup.exe
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\Setup.exe
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1.tmp
Spyware:Cookie/Bfast Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp
Spyware:Cookie/Bfast Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp
Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp
Spyware:Cookie/Findwhat Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp
Spyware:Cookie/Adviva Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp
Spyware:Cookie/Bilbo.counted Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp
Spyware:Cookie/SpyLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp
Spyware:Cookie/Bridgetrack Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq79.tmp
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7A.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7B.tmp
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7C.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7D.tmp
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7E.tmp
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq83.tmp
Spyware:Cookie/Belnk Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq84.tmp
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq86.tmp
Spyware:Cookie/888 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq87.tmp
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq88.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9B.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp
Possible Virus. Not disinfected C:\Program Files\Yahoo! Games\Diner Dash 2\dinerdash2.exe
Potentially unwanted tool:Application/DriveCleaner Not disinfected C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe.vir
Potentially unwanted tool:Application/WinAntivirus Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\FOPN.sys.vir
Adware:Adware/TTC Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\X2\mwspasrt83122.exe.vir
Adware:Adware/Yazzle Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\X3\w73r.exe.vir
Virus:Trj/Downloader.MDW Disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\X4\wen22.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\efedd.dll.bad
Adware:Adware/VirusAlarma Not disinfected C:\WINDOWS\WINSHOW .0XE


What next?

BTW, thanks for all you have done. This is really a lengthy process and I appreciate your responses. I am a beginner at this.
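The ComboFix "Files Created" listing in the post above contains several names that only look legitimate: `ctfmon .exe`, `ZCfgSvc .exe` and `winshow .exe` carry a space squeezed in before the extension (so they sit next to, and are easily confused with, the real system binaries), and `WINSHOW .0XE` uses a non-standard executable extension. The script below is an added example, not part of this thread and not ComboFix's own code; it parses lines in ComboFix's "Files Created" format and flags those two tricks. The sample lines are copied from the log above; the `ODD_EXEC_EXTS` set, the `FileEntry` type and the helper names are assumptions made for the example.

```python
"""Triage helper for a ComboFix "Files Created" listing (added example).

Flags two filename tricks visible in the log above:
  * a space squeezed in before the extension ("ctfmon .exe"), which makes a
    dropper look like the real ctfmon.exe in directory listings and tool output;
  * a non-standard executable extension such as ".0XE" ("WINSHOW .0XE").
"""
import re
from dataclasses import dataclass
from typing import Optional

# One ComboFix "Files Created" line:
#   <created> . <modified> <size or <DIR>> <attrs> <path>
_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+)|<DIR>) "
    r"(?P<attrs>[-a-z]+) "
    r"(?P<path>.+?)\s*$"
)

# Extensions that should never appear on a freshly dropped executable.
# ".0xe" is the one seen in this log; the set itself is an assumption to extend.
ODD_EXEC_EXTS = {".0xe"}


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_files_created(text: str) -> list:
    """Parse every line that matches the ComboFix format; silently skip the rest."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        size = m["size"]
        entries.append(FileEntry(
            created=m["created"],
            modified=m["modified"],
            size=int(size.replace(",", "")) if size else None,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def suspicious_reasons(path: str) -> list:
    """Return the filename-only red flags for one path (empty list if none)."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    reasons = []
    if dot and stem.endswith(" "):
        reasons.append("space before extension")
    if dot and "." + ext.lower() in ODD_EXEC_EXTS:
        reasons.append(f"unusual executable extension .{ext.lower()}")
    return reasons


def triage(text: str) -> dict:
    """Map each flagged file path to its list of reasons; directories are ignored."""
    findings = {}
    for entry in parse_files_created(text):
        if entry.is_dir:
            continue
        reasons = suspicious_reasons(entry.path)
        if reasons:
            findings[entry.path] = reasons
    return findings


# Lines copied from the ComboFix log in this thread (raw strings keep the backslashes).
SAMPLE_LOG = "\n".join([
    r"2007-12-26 21:09 . 2007-12-26 22:29 <DIR> d-------- C:\WINDOWS\system32\ActiveScan",
    r"2007-12-25 21:04 . 2007-12-27 07:15 337,920 --a------ C:\WINDOWS\system32\byvvv.exe",
    r"2007-12-24 09:42 . 2007-12-26 21:01 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe",
    r"2007-12-24 09:20 . 2007-12-24 09:20 36,352 --a------ C:\WINDOWS\WINSHOW .0XE",
    r"2007-12-23 19:36 . 2007-12-24 09:12 376,320 --a------ C:\WINDOWS\winshow .exe",
    r"2007-12-23 16:37 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl",
    r"2007-12-21 19:59 . 2007-12-23 08:42 639,040 --a------ C:\WINDOWS\system32\ZCfgSvc .exe",
])

if __name__ == "__main__":
    for flagged_path, why in triage(SAMPLE_LOG).items():
        print(f"{flagged_path!r}: {', '.join(why)}")
```

Run it against the whole "Files Created" block of a ComboFix log and it reports four of the seven sample paths. It deliberately does not try to score random-looking names such as `byvvv.exe`; those need a hash or reputation lookup, not a filename rule, which is also why the real dropper in this thread was only caught once the space-before-extension copies had been identified.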



