Smitfraud-c.coreservice


This topic is locked
14 replies to this topic

#1 Spied (Members, 7 posts)

Posted 17 January 2008 - 01:00 AM

I would appreciate assistance with the following problem: Spybot repeatedly detects Smitfraud-C.coreservice (c:\windows\system32\drivers\core.cache.dsk).

I have taken the steps referenced in the "Preparation Guide for use before posting a HijackThis Log."

I also ran SmitFraudFix v2.274.

Here is the HijackThis log.

Thanks in advance.

Spied


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:57 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\SDClient.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memoupps.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66ABAA8F-BC6F-48B6-9DE7-B12E68726C3B} - C:\WINDOWS\system32\ljjgh.dll (file missing)
O2 - BHO: (no name) - {677e2257-6a6f-4cdf-ac35-5d73e088b748} - C:\WINDOWS\system32\qgdjtbu.dll (file missing)
O2 - BHO: (no name) - {8AEB0C24-2D08-44BF-A757-511054B62143} - C:\Program Files\Internet Explorer\wogesiga83122.dll (file missing)
O2 - BHO: (no name) - {C2DDA919-10FC-731F-DA2F-4BE603810A91} - C:\WINDOWS\system32\lxb.dll (file missing)
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\mljihfd.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FFE77DD1-4B66-4781-B64B-D024DABDD40B} - C:\Program Files\Internet Explorer\wogesiga4444.dll (file missing)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SCREW DRIVER CLIENT] SDClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\SEMBLY~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [comup] C:\WINDOWS\system32\mobjchku.exe
O4 - HKCU\..\Run: [Uqbciy] "C:\Program Files\??crosoft\n?tepad.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200008120834
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O20 - Winlogon Notify: mljihfd - mljihfd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8121 bytes
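The HijackThis log above is the raw material a malware-removal helper triages by hand. The following is an added example, not code from the thread and not part of HijackThis or ComboFix: a small parser for the O2/O4/O20/O23 entry shapes shown in the log that flags the three things a helper looks for first, a registered DLL or service whose file is missing from disk, a run entry whose executable name carries a space before the extension (the "qttask .exe" pattern, which impersonates the real qttask.exe), and a path containing characters that cannot occur in a Windows file name (HijackThis prints non-ASCII characters as "?", which is how "??crosoft\n?tepad.exe" appears). The sample lines are constructed copies of entries from the log above; the function and class names are my own.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66ABAA8F-BC6F-48B6-9DE7-B12E68726C3B} - C:\WINDOWS\system32\ljjgh.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [Uqbciy] "C:\Program Files\??crosoft\n?tepad.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O20 - Winlogon Notify: mljihfd - mljihfd.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

MISSING = " (file missing)"
# Whitespace immediately before the extension: "qttask .exe" instead of "qttask.exe".
SPACE_BEFORE_EXT = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")
# Characters Windows never allows in a file or directory name.
ILLEGAL_NAME_CHARS = re.compile(r'[?*<>|"]')


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section id, e.g. "O4"
    reason: str   # which check fired
    path: str     # the file the entry points at
    line: str     # the original log line


def extract_path(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, path) for O2/O4/O20/O23 lines, None for anything else."""
    section = line.split(" ", 1)[0]
    if section in ("O2", "O20", "O23"):
        # "<id> - <kind>: <name> - {clsid} - <path>": the path is the last " - " field.
        parts = line.rsplit(" - ", 1)
        if len(parts) < 2:
            return None
        return section, parts[1]
    if section == "O4" and "] " in line:
        # "O4 - <hive>\..\Run: [<name>] <command>": quoted path, or unquoted path then " -args".
        command = line.split("] ", 1)[1]
        if command.startswith('"'):
            return section, command[1:].split('"', 1)[0]
        return section, command.split(" -", 1)[0]
    return None


def triage(text: str) -> List[Finding]:
    """Run the three checks over every parseable line and collect the hits."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        parsed = extract_path(line)
        if parsed is None:
            continue
        section, path = parsed
        if path.endswith(MISSING):
            # Orphaned registration: the loader still points at a file that is gone.
            path = path[: -len(MISSING)]
            findings.append(Finding(section, "registered file missing from disk", path, line))
        if SPACE_BEFORE_EXT.search(path):
            findings.append(Finding(section, "space before extension (lookalike of a legitimate name)", path, line))
        if ILLEGAL_NAME_CHARS.search(path):
            findings.append(Finding(section, "characters impossible in a Windows path", path, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.path}")
```

Only the four section types that name a file on disk are parsed; O9/O16 entries and the process list are left alone because their fields contain " - " inside names. A hit is a reason to look closer, not a verdict: a missing-file service entry can be a harmless leftover of an uninstall, as the RoxLiveShare9 line in the log shows.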

#2 silver (Members, 480 posts, Location: GMT+7)

Posted 22 January 2008 - 02:53 AM

Hi Spied,

Please download ComboFix to your desktop
  • Double click combofix.exe and follow the prompts
  • Note: Do not click ComboFix's window while it's running - it may cause it to stall!
  • If after ComboFix finishes you do not have internet access, then reboot your computer to restore it
  • When finished, it shall produce a log for you, please post it in your next response
Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your Desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the ComboFix report, the uninstall list and a new HijackThis log.
Teacher at Malware Removal University | ASAP & UNITE Member

#3 Spied (Topic Starter, Members, 7 posts)

Posted 23 January 2008 - 01:23 AM

Silver,

Thanks for the help. I really appreciate it.

Spied

Here is the ComboFix log:

ComboFix 08-01-23.1 - R 2008-01-22 23:09:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.247 [GMT -6:00]
Running from: C:\Documents and Settings\R\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\SYSTEM32\hgjjl.ini
C:\WINDOWS\SYSTEM32\hgjjl.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\wtssvit32.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 23:19 . 2008-01-22 23:19 <DIR> d-------- C:\temp\tn3
2008-01-22 23:18 . 2008-01-22 23:18 167,545 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-22 23:07 . 2004-10-01 00:12 211 --a------ C:\Boot.bak
2008-01-22 23:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-22 23:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-19 21:47 . 2008-01-19 21:47 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-16 14:32 . 2008-01-16 14:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 02:51 . 2008-01-16 02:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 01:40 . 2008-01-16 01:47 2,822 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-16 01:39 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-16 01:39 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-16 01:39 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-16 01:39 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-16 01:39 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-16 01:39 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-11 11:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-11 11:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-11 09:21 . 2008-01-11 09:21 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-11 09:21 . 2008-01-11 09:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-10 17:07 . 2006-10-04 08:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb
2008-01-10 17:07 . 2006-10-04 08:06 764,868 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apph_sp.sdb
2008-01-10 17:07 . 2006-10-04 08:06 217,118 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apphelp.sdb
2008-01-10 17:06 . 2008-01-10 17:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-10 17:01 . 2008-01-10 17:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-10 17:01 . 2008-01-10 17:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-01-10 15:24 . 2008-01-10 15:24 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-10 13:36 . 2008-01-10 13:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-10 11:55 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-01-10 11:55 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-01-10 11:53 . 2008-01-22 23:22 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-01-10 09:49 . 2008-01-22 23:17 1,701,920 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-01-10 09:49 . 2008-01-22 23:17 20,972 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-01-10 09:47 . 2008-01-10 09:47 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-10 09:36 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-10 09:36 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-01-10 09:36 . 2008-01-10 09:47 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-01-10 09:34 . 2008-01-22 23:08 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-09 16:39 . 2008-01-09 16:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-09 16:37 . 2008-01-09 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 17:44 . 2008-01-16 11:16 355 --a------ C:\WINDOWS\wininit.ini
2008-01-08 16:12 . 2008-01-08 16:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-08 04:55 . 2008-01-08 04:59 <DIR> d-------- C:\quarantine
2008-01-06 09:55 . 2008-01-06 10:02 139,264 --a------ C:\WINDOWS\SYSTEM32\mobjchku .exe
2008-01-06 09:43 . 2008-01-08 14:57 139,264 --a------ C:\WINDOWS\SYSTEM32\mobjchku .exe
2008-01-06 09:43 . 2008-01-08 14:57 114,688 --a------ C:\WINDOWS\SYSTEM32\igfxpers .exe
2008-01-06 09:43 . 2008-01-08 14:56 94,208 --a------ C:\WINDOWS\SYSTEM32\igfxtray .exe
2008-01-06 09:43 . 2008-01-08 14:57 77,824 --a------ C:\WINDOWS\SYSTEM32\hkcmd .exe
2008-01-06 09:43 . 2008-01-08 14:56 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry .exe
2008-01-06 09:43 . 2008-01-10 09:52 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-06 00:12 . 2008-01-06 00:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz7
2008-01-06 00:12 . 2008-01-06 11:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\usmvt3
2008-01-06 00:12 . 2008-01-06 09:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivr3
2008-01-06 00:12 . 2008-01-08 04:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\comp2
2008-01-06 00:12 . 2008-01-06 00:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\cache3
2008-01-06 00:12 . 2007-12-27 08:37 425,984 --a------ C:\WINDOWS\SYSTEM32\memoupps.dll
2008-01-06 00:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\rushsbso.exe
2008-01-06 00:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\bkmoopob.exe
2008-01-06 00:12 . 2008-01-06 00:12 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dmboott.sys
2008-01-06 00:11 . 2008-01-08 05:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo01

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 02:58 --------- d-----w C:\Program Files\Citrix
2008-01-10 21:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-10 17:57 --------- d-----w C:\Program Files\Symantec
2008-01-09 21:25 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-09 15:06 --------- d-----w C:\Program Files\QuickTime
2008-01-08 21:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-06 19:22 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-06 19:21 --------- d-----w C:\Program Files\Roxio
2008-01-06 19:06 --------- d-----w C:\Program Files\bb_unlock
2007-12-03 03:41 --------- d-----w C:\Program Files\Google
.
<pre>
----a-w		   368,708 2008-01-08 20:56:52  C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w		   228,088 2008-01-06 16:02:07  C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
----a-w			52,896 2008-01-10 21:29:06  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		 1,694,208 2008-01-07 01:42:39  C:\Program Files\Messenger\msmsgs .exe
----a-w			77,824 2008-01-09 00:59:06  C:\Program Files\QuickTime\qttask  .exe
----a-w			77,824 2008-01-08 11:24:08  C:\Program Files\QuickTime\qttask .exe
----a-w		   684,032 2008-01-08 20:56:49  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
----a-w		   125,168 2008-01-10 21:29:17  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		   569,344 2008-01-08 20:56:43  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		   110,592 2008-01-08 20:56:41  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
----a-w			77,824 2008-01-09 00:59:47  C:\quarantine\C_\Program Files\QuickTime\qttask .exe
----a-w			61,440 2008-01-07 01:42:42  C:\RECYCLER\S-1-5-18\Dc3\kernel .exe
----a-w			15,360 2008-01-10 15:52:07  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w			28,672 2008-01-08 20:56:42  C:\WINDOWS\SYSTEM32\DSentry .exe
----a-w			77,824 2008-01-08 20:57:01  C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w		   114,688 2008-01-08 20:57:05  C:\WINDOWS\SYSTEM32\igfxpers .exe
----a-w			94,208 2008-01-08 20:56:59  C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w		   139,264 2008-01-06 16:02:45  C:\WINDOWS\SYSTEM32\mobjchku  .exe
----a-w		   139,264 2008-01-08 20:57:17  C:\WINDOWS\SYSTEM32\mobjchku .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
2007-12-27 08:37 425984 --a------ C:\WINDOWS\system32\memoupps.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66ABAA8F-BC6F-48B6-9DE7-B12E68726C3B}]
C:\WINDOWS\system32\ljjgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{677e2257-6a6f-4cdf-ac35-5d73e088b748}]
C:\WINDOWS\system32\qgdjtbu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AEB0C24-2D08-44BF-A757-511054B62143}]
C:\Program Files\Internet Explorer\wogesiga83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2DDA919-10FC-731F-DA2F-4BE603810A91}]
C:\WINDOWS\system32\lxb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-10 09:47 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFE77DD1-4B66-4781-B64B-D024DABDD40B}]
C:\Program Files\Internet Explorer\wogesiga4444.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-10 09:47 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Ncao"="C:\PROGRA~1\SEMBLY~1\spool32.exe" [ ]
"comup"="C:\WINDOWS\system32\mobjchku.exe" [ ]
"Uqbciy"="C:\Program Files\??crosoft\n?tepad.exe" [ ]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-08 05:19 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"bascstray"="BascsTray.exe" []
"bacstray"="BacsTray.exe" [2003-05-14 18:37 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [ ]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-06 09:27 77824]
"SCREW DRIVER CLIENT"="SDClient.exe" [2001-08-03 10:56 606208 C:\WINDOWS\SYSTEM32\SDClient.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-10 16:24 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2008-01-10 16:24 125168]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-10-28 23:14:51 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihfd]
mljihfd.dll

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2002-12-24 19:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 10:55]
R1 dmboott;dmboott;C:\WINDOWS\system32\drivers\dmboott.sys [2008-01-06 00:12]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 12:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 13:26]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 14:00]
S3 UsbLock;Secure Usb Connection Driver;C:\Program Files\bb_unlock\usblock.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a17c59d7-01cc-11dc-bc86-000bdbe4b07b}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 05:22:21 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 23:22:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 23:28:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 05:28:06
.
2008-01-23 04:58:21 --- E O F ---




Here is the uninstall log

d-Aware 2007
AOL Instant Messenger
Broadcom Advanced Control Suite
Broadcom ASF Management Applications
BroadJump Client Foundation
Citrix Program Neighborhood
Conexant D480 MDC V.92 Modem
Corel Applications
CSC Delaware Laws
Dell Solution Center
Dell TrueMobile 1400 Dual Band WLAN Mini-PCI Card
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
First Step Guide
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
ImageMixer EasyStepDVD
Intel® Extreme Graphics 2 Driver
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2
Lexmark Printer Software Uninstall
LiveUpdate 1.6 (Symantec Corporation)
LiveUpdate 3.1 (Symantec Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Standard
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Netflix Movie Viewer
NetWaiting
Picture Package
QuickSet
QuickTime
SBC Yahoo! Applications
ScrewDrivers Client Install(5.5)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Sony DVD Handycam USB Driver 2
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Symantec AntiVirus
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
ZoneAlarm
ZoneAlarm Spy Blocker

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:29 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\SDClient.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memoupps.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66ABAA8F-BC6F-48B6-9DE7-B12E68726C3B} - C:\WINDOWS\system32\ljjgh.dll (file missing)
O2 - BHO: (no name) - {677e2257-6a6f-4cdf-ac35-5d73e088b748} - C:\WINDOWS\system32\qgdjtbu.dll (file missing)
O2 - BHO: (no name) - {8AEB0C24-2D08-44BF-A757-511054B62143} - C:\Program Files\Internet Explorer\wogesiga83122.dll (file missing)
O2 - BHO: (no name) - {C2DDA919-10FC-731F-DA2F-4BE603810A91} - C:\WINDOWS\system32\lxb.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FFE77DD1-4B66-4781-B64B-D024DABDD40B} - C:\Program Files\Internet Explorer\wogesiga4444.dll (file missing)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SCREW DRIVER CLIENT] SDClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\SEMBLY~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [comup] C:\WINDOWS\system32\mobjchku.exe
O4 - HKCU\..\Run: [Uqbciy] "C:\Program Files\??crosoft\n?tepad.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200008120834
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O20 - Winlogon Notify: mljihfd - mljihfd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8536 bytes

#4 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  • Location:GMT+7
  • Local time:03:22 AM

Posted 23 January 2008 - 02:49 AM

Hi Spied,

Temporarily disable Windows Defender:
  • Right-click on the Windows Defender icon in the system tray and select Open
  • Click on Tools from the top menu, then press Options
  • Scroll down to Real-time protection options, uncheck Use real-time protection and press Save
  • Close Windows Defender
Check that ComboFix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad (or download the copy I have attached):
    File::
    C:\Program Files\BroadJump\Client Foundation\CFD .exe
    C:\WINDOWS\SYSTEM32\mobjchku .exe
    C:\WINDOWS\SYSTEM32\mobjchku  .exe
    C:\WINDOWS\system32\mobjchku.exe
    C:\WINDOWS\system32\memoupps.dll
    C:\WINDOWS\system32\ljjgh.dll
    C:\WINDOWS\system32\qgdjtbu.dll
    C:\WINDOWS\system32\mljihfd.dll
    C:\Program Files\Internet Explorer\wogesiga83122.dll
    C:\Program Files\Internet Explorer\wogesiga4444.dll
    C:\WINDOWS\system32\lxb.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\SYSTEM32\rushsbso.exe
    C:\WINDOWS\SYSTEM32\bkmoopob.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\dmboott.sys
    
    Folder::
    C:\WINDOWS\SYSTEM32\ardCo01
    
    DirLook::
    C:\WINDOWS\SYSTEM32\winz7
    C:\WINDOWS\SYSTEM32\usmvt3
    C:\WINDOWS\SYSTEM32\drivr3
    C:\WINDOWS\SYSTEM32\comp2
    C:\WINDOWS\SYSTEM32\cache3
    C:\WINDOWS\PIF
    
    Driver::
    dmboott
    
    RenV::
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\QuickTime\qttask  .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
    C:\Program Files\Symantec AntiVirus\VPTray .exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
    C:\WINDOWS\SYSTEM32\ctfmon .exe
    C:\WINDOWS\SYSTEM32\DSentry .exe
    C:\WINDOWS\SYSTEM32\hkcmd .exe
    C:\WINDOWS\SYSTEM32\igfxpers .exe
    C:\WINDOWS\SYSTEM32\igfxtray .exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66ABAA8F-BC6F-48B6-9DE7-B12E68726C3B}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{677e2257-6a6f-4cdf-ac35-5d73e088b748}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AEB0C24-2D08-44BF-A757-511054B62143}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2DDA919-10FC-731F-DA2F-4BE603810A91}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFE77DD1-4B66-4781-B64B-D024DABDD40B}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ncao"=-
    "comup"=-
    "Uqbciy"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljihfd]
  • Save this to your Desktop as CFScript.
    NOTE: I have attached this file for you to download if you prefer.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!

Once complete, please post the new ComboFix report and a new HijackThis log.

Edited by silver, 23 January 2008 - 02:52 AM.

Teacher at Malware Removal University | ASAP & UNITE Member
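The entries that silver's CFScript removes were picked out of Spied's HijackThis log by hand. As an added example (not code from the thread, and not part of HijackThis or ComboFix), the Python below applies a few of the formal checks an analyst makes on HijackThis v2.0.2 lines: an entry whose target file is missing, a Run value that loads a bare file name resolved through the search path, a path containing characters HijackThis could not render, and (in `path_reasons`, reusable on the RenV:: paths above) a space before the extension such as `qttask .exe`. The sample log is constructed from lines copied from this page; the function names and the wording of the findings are my own.

```python
"""Triage of HijackThis log lines: added example, not part of the thread."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memoupps.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66ABAA8F-BC6F-48B6-9DE7-B12E68726C3B} - C:\WINDOWS\system32\ljjgh.dll (file missing)
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [comup] C:\WINDOWS\system32\mobjchku.exe
O4 - HKCU\..\Run: [Uqbciy] "C:\Program Files\??crosoft\n?tepad.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: mljihfd - mljihfd.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 Run lines look like: HKLM\..\Run: [value name] <command line>
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# Unquoted command line: the path runs up to the first executable extension.
PATH_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|sys|com|scr|bat|cmd))(?:\s+.*)?$", re.I)
# A file name with no drive letter and no directory component.
BARE_RE = re.compile(r"[^\\:]+\.(?:exe|dll|sys|scr|com)", re.I)


@dataclass
class Finding:
    section: str
    path: str
    reasons: list


def extract_path(section, body):
    """Pull the file path (or bare file name) out of one HijackThis entry."""
    if section == "O4":
        m = O4_RE.match(body)
        if not m:                        # e.g. "Global Startup: x.lnk = ?"
            return body
        rest = m.group("rest")
        if rest.startswith('"'):         # quoted path; arguments follow the quote
            end = rest.find('"', 1)
            return rest[1:end] if end > 0 else rest[1:]
        pm = PATH_RE.match(rest)         # unquoted path, possibly with arguments
        return pm.group("path") if pm else rest
    # O2/O3/O9/O20/O23: the path is the last " - " separated field.
    last = body.split(" - ")[-1]
    return last.replace("(file missing)", "").strip()


def path_reasons(path):
    """Formal anomalies in a path that deserve a closer look."""
    reasons = []
    # '?' is not a legal Windows file-name character; HijackThis prints it for
    # characters it cannot render, so the name only resembles a familiar one.
    if re.search(r"\\[^\\]*\?", path):
        reasons.append("unrenderable character in path (look-alike name)")
    # "qttask .exe": a space before the extension, a second file sitting next
    # to the real one with a near-identical name.
    if re.search(r"\s+\.(?:exe|dll|sys)$", path, re.I):
        reasons.append("space before the extension (look-alike file name)")
    return reasons


def triage(log_text):
    """Return the entries in a HijackThis log that trip at least one check."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("registry entry points at a file that no longer exists")
        path = extract_path(section, body)
        if section == "O4" and BARE_RE.fullmatch(path):
            reasons.append("bare file name, resolved through the search path at logon")
        reasons.extend(path_reasons(path))
        if reasons:
            findings.append(Finding(section, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.path}")
        for r in f.reasons:
            print("      -", r)
```

These checks are purely formal: `memoupps.dll` (a BHO with an unfamiliar name) and `mobjchku.exe` (a random-looking Run value) pass all of them and still had to be judged by eye, so the script narrows the list rather than replacing the analyst. Pairing its output with the resolved paths ComboFix prints under "Reg Loading Points" (for example `"bascstray"="BascsTray.exe" []` resolving to nothing) is what turns a bare-name finding into a decision.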

#5 Spied

Spied
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:22 PM

Posted 23 January 2008 - 03:31 AM

Here is the new ComboFix log:

ComboFix 08-01-23.1 - R 2008-01-23 2:01:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.188 [GMT -6:00]
Running from: C:\Documents and Settings\R\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\R\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\BroadJump\Client Foundation\CFD .exe
C:\Program Files\Internet Explorer\wogesiga4444.dll
C:\Program Files\Internet Explorer\wogesiga83122.dll
C:\WINDOWS\SYSTEM32\bkmoopob.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\SYSTEM32\DRIVERS\dmboott.sys
C:\WINDOWS\system32\ljjgh.dll
C:\WINDOWS\system32\lxb.dll
C:\WINDOWS\system32\memoupps.dll
C:\WINDOWS\system32\mljihfd.dll
C:\WINDOWS\SYSTEM32\mobjchku .exe
C:\WINDOWS\SYSTEM32\mobjchku .exe
C:\WINDOWS\system32\mobjchku.exe
C:\WINDOWS\system32\qgdjtbu.dll
C:\WINDOWS\SYSTEM32\rushsbso.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\BroadJump\Client Foundation\CFD .exe
C:\temp\tn3
C:\WINDOWS\SYSTEM32\ardCo01
C:\WINDOWS\SYSTEM32\bkmoopob.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\SYSTEM32\DRIVERS\dmboott.sys
C:\WINDOWS\system32\memoupps.dll
C:\WINDOWS\SYSTEM32\mobjchku .exe
C:\WINDOWS\SYSTEM32\mobjchku .exe
C:\WINDOWS\SYSTEM32\rushsbso.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DMBOOTT
-------\dmboott


((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 23:07 . 2004-10-01 00:12 211 --a------ C:\Boot.bak
2008-01-22 23:06 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-22 23:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-19 21:47 . 2008-01-19 21:47 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-16 14:32 . 2008-01-16 14:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 02:51 . 2008-01-16 02:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-16 01:40 . 2008-01-16 01:47 2,822 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-01-16 01:39 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-01-16 01:39 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-01-16 01:39 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-01-16 01:39 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-01-16 01:39 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-01-16 01:39 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-01-11 11:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-11 11:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-11 09:21 . 2008-01-11 09:21 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-11 09:21 . 2008-01-11 09:21 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-10 17:07 . 2006-10-04 08:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb
2008-01-10 17:07 . 2006-10-04 08:06 764,868 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apph_sp.sdb
2008-01-10 17:07 . 2006-10-04 08:06 217,118 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\apphelp.sdb
2008-01-10 17:06 . 2008-01-10 17:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-10 17:01 . 2008-01-10 17:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-10 17:01 . 2008-01-10 17:03 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-01-10 15:24 . 2008-01-10 15:24 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-10 13:36 . 2008-01-10 13:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-10 11:55 . 2006-09-18 17:55 109,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-01-10 11:55 . 2006-09-18 17:55 48,816 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-01-10 11:53 . 2008-01-23 02:11 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-01-10 09:49 . 2008-01-23 02:08 1,771,552 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-01-10 09:49 . 2008-01-23 02:08 21,812 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-01-10 09:47 . 2008-01-10 09:47 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-10 09:36 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-10 09:36 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-01-10 09:36 . 2008-01-10 09:47 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-01-10 09:34 . 2008-01-23 02:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-09 16:39 . 2008-01-09 16:39 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-09 16:37 . 2008-01-09 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 17:44 . 2008-01-16 11:16 355 --a------ C:\WINDOWS\wininit.ini
2008-01-08 16:12 . 2008-01-08 16:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-08 04:55 . 2008-01-08 04:59 <DIR> d-------- C:\quarantine
2008-01-06 09:43 . 2008-01-08 14:57 114,688 --a------ C:\WINDOWS\SYSTEM32\igfxpers.exe
2008-01-06 09:43 . 2008-01-08 14:56 94,208 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-06 09:43 . 2008-01-08 14:57 77,824 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-01-06 09:43 . 2008-01-08 14:56 28,672 --a------ C:\WINDOWS\SYSTEM32\DSentry.exe
2008-01-06 09:43 . 2008-01-10 09:52 15,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ctfmon.exe
2008-01-06 09:43 . 2008-01-10 09:52 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon.exe
2008-01-06 00:12 . 2008-01-06 00:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz7
2008-01-06 00:12 . 2008-01-06 11:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\usmvt3
2008-01-06 00:12 . 2008-01-06 09:21 <DIR> d-------- C:\WINDOWS\SYSTEM32\drivr3
2008-01-06 00:12 . 2008-01-08 04:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\comp2
2008-01-06 00:12 . 2008-01-06 00:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\cache3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-23 08:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-23 08:01 --------- d-----w C:\Program Files\QuickTime
2008-01-21 02:58 --------- d-----w C:\Program Files\Citrix
2008-01-10 17:57 --------- d-----w C:\Program Files\Symantec
2008-01-09 21:25 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-08 21:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-06 19:22 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-01-06 19:21 --------- d-----w C:\Program Files\Roxio
2008-01-06 19:06 --------- d-----w C:\Program Files\bb_unlock
2007-12-03 03:41 --------- d-----w C:\Program Files\Google
.
<pre>
----a-w			77,824 2008-01-09 00:59:47  C:\quarantine\C_\Program Files\QuickTime\qttask .exe
----a-w			61,440 2008-01-07 01:42:42  C:\RECYCLER\S-1-5-18\Dc3\kernel .exe
</pre>


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\PIF ----


---- Directory of C:\WINDOWS\SYSTEM32\cache3 ----

2008-01-05 15:48 126976 --a------ C:\WINDOWS\SYSTEM32\cache3\vumpedll23.exe

---- Directory of C:\WINDOWS\SYSTEM32\comp2 ----


---- Directory of C:\WINDOWS\SYSTEM32\drivr3 ----


---- Directory of C:\WINDOWS\SYSTEM32\usmvt3 ----


---- Directory of C:\WINDOWS\SYSTEM32\winz7 ----

2008-01-03 13:12 157189 --a------ C:\WINDOWS\SYSTEM32\winz7\yazdrvedll3.exe


((((((((((((((((((((((((((((( snapshot@2008-01-22_23.27.29.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 05:05:10 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 08:00:36 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 05:05:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 08:00:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 05:05:10 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 08:00:37 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 05:05:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 08:00:37 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 05:05:12 5,382,144 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-23 08:00:38 5,382,144 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-23 05:05:12 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 08:00:38 86,016 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-10 09:47 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-10 09:47 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-10 09:52 15360]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-06 19:42 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2008-01-08 14:56 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-08 14:56 569344]
"bascstray"="BascsTray.exe" []
"bacstray"="BacsTray.exe" [2003-05-14 18:37 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2008-01-08 14:56 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-01-08 14:56 684032]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-08 05:24 77824]
"SCREW DRIVER CLIENT"="SDClient.exe" [2001-08-03 10:56 606208 C:\WINDOWS\SYSTEM32\SDClient.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-08 14:56 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-08 14:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-08 14:57 114688]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-10 15:29 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2008-01-10 15:29 125168]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-10-28 23:14:51 24576]

R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2002-12-24 19:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 10:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 12:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 13:26]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 14:00]
S3 UsbLock;Secure Usb Connection Driver;C:\Program Files\bb_unlock\usblock.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a17c59d7-01cc-11dc-bc86-000bdbe4b07b}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 08:13:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 02:13:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-23 2:20:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 08:19:58
ComboFix2.txt 2008-01-23 05:28:12
.
2008-01-23 04:58:21 --- E O F ---

Here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:53 AM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SDClient.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SCREW DRIVER CLIENT] SDClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200008120834
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7717 bytes

#6 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:03:22 AM

Posted 23 January 2008 - 04:03 AM

Hi Spied,

Your log looks a lot better, and your machine may be running normally now, but we have some further steps to take before you are clean.

Please open Start->Control Panel->Add/Remove Programs, look down the list for this and remove it:

Java 2 Runtime Environment, SE v1.4.2

This is out of date and now a security risk; you can get the latest update (version 6 update 4) from here

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
To remove, open these on the list and remove them:

Viewpoint Manager (Remove Only)
Viewpoint Media Player


You have ZoneAlarm Spy Blocker installed on your system which uses the Ask search engine. This program is not malware, but it may report on your surfing behavior and is considered undesirable, see here and here for more information. If you actually use this program, consider a safe alternative such as Google Toolbar.
I recommend you remove this program, to do so find this on the list and remove it:

ZoneAlarm Spy Blocker



Please download OTMoveIt2 by OldTimer to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Double-click OTMoveIt2.exe to start the program.
  • Copy the lines in the OTMoveIt file list below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt Standard List:
    C:\WINDOWS\SYSTEM32\winz7
    C:\WINDOWS\SYSTEM32\usmvt3
    C:\WINDOWS\SYSTEM32\drivr3
    C:\WINDOWS\SYSTEM32\comp2
    C:\WINDOWS\SYSTEM32\cache3
    C:\PROGRA~1\SEMBLY~1\spool32.exe
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Then copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    OTMoveIt Custom List:
    C:\Program Files\??crosoft /u
  • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
  • Then click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Then, please do an online scan with Kaspersky:
Open Kaspersky Online Scanner in Internet Explorer using this link:
http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.


Once complete, please post the OTMoveIt report, the Kaspersky report and a new HijackThis log.
Teacher at Malware Removal University | ASAP & UNITE Member

#7 Spied

Spied
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 23 January 2008 - 10:33 AM

Silver,

Thank you. My computer does appear to be running normally. Here are the logs that you requested.

Thanks again,

Spied

OTM Log

C:\WINDOWS\SYSTEM32\winz7 moved successfully.
C:\WINDOWS\SYSTEM32\usmvt3 moved successfully.
C:\WINDOWS\SYSTEM32\drivr3 moved successfully.
C:\WINDOWS\SYSTEM32\comp2 moved successfully.
C:\WINDOWS\SYSTEM32\cache3 moved successfully.
File/Folder C:\PROGRA~1\SEMBLY~1\spool32.exe not found.
[Custom Input]
< C:\Program Files\??crosoft /u >
File/Folder C:\Program Files\??crosoft not found.

OTMoveIt2 v1.0.14 log created on 01232008_032658


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 23, 2008 9:25:53 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/01/2008
Kaspersky Anti-Virus database records: 527915
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 59293
Number of viruses found: 10
Number of infected objects: 33
Number of suspicious objects: 2
Duration of the scan process: 05:36:05

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2c92730d816b63a67dd79a81e0649ed9_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6d645da0be33b19433375a37d7551786_7b71fbce-dff3-42c2-9259-d2367eb8daa9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01192008-214723.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC001F.VBN/b122.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC001F.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC001F.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC0020.VBN/b122.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC0020.VBN ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC0020.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08780000\4FFDD32E.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08E00001\4FE7A509.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A100001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.diu skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A100002\4F969B74.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A840000\4F87B7BD.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A840001\4F87B7CB.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A840002\4F87B7D7.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B040000\4F86AFCD.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B040001\4F878DBF.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B040002\4F878DCC.VBN Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D200000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\History\History.IE5\MSHist012008012320080124\index.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Richard\ntuser.dat Object is locked skipped
C:\Documents and Settings\Richard\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0402NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0698NAV~.TMP Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\memoupps.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.si skipped
C:\QooBox\Quarantine\catchme2008-01-23_ 21235.42.zip/dmboott.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-01-23_ 21235.42.zip ZIP: infected - 1 skipped
C:\quarantine\C_\Program Files\kernel\kernel.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
C:\RECYCLER\S-1-5-18\Dc3\kernel .exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
C:\RECYCLER\S-1-5-18\Dc3\kernel.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
C:\RECYCLER\S-1-5-18\Dc3390.tmp/memob_4.2.dll Infected: not-a-virus:AdWare.Win32.BHO.si skipped
C:\RECYCLER\S-1-5-18\Dc3390.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-18\Dc6\kernInstall.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\SDFix\backups\backups.zip/backups/fsoby.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000060.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000060.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000060.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000068.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP10\change.log Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP9\A0001530.dll Infected: not-a-virus:AdWare.Win32.BHO.si skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\X300.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0BA12DB8-C90B-4721-85C2-BEB338F8AB54}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05ad9.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05adc.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:35 AM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\SDClient.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SCREW DRIVER CLIENT] SDClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200008120834
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7123 bytes
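
Reading a report like the one above is mostly a matter of where each hit sits. The script below is an added example, not code from this thread, from Kaspersky or from BleepingComputer. It parses Online Scanner report lines and sorts the detections into quarantine/backup folders, System Restore points, Recycle Bin folders and live locations, the distinction between inert and active hits that a helper applies when reading such a report. The sample lines are copied from the report above except the last one, which is constructed: a made-up verdict on the core.cache.dsk path that Spybot flagged in the first post. The SID table (S-1-5-18 is LocalSystem, S-1-5-19 LocalService, S-1-5-20 NetworkService) is the well-known Windows mapping and is what explains why a RECYCLER\S-1-5-18 folder is not emptied by the logged-on user's Empty Recycle Bin.

```python
"""Triage a Kaspersky Online Scanner report by where each hit lives.

Added example for this thread; not code from BleepingComputer, Kaspersky or
the helper. A hit inside an AV quarantine, a removal tool's backup folder,
a System Restore point or a Recycle Bin is inert, while the same verdict on
a file under the Windows directory would be a live infection. Sample lines
are copied from the report above except the last, which is constructed.
"""
import re
from collections import Counter

# Well-known service SIDs. RECYCLER\<SID> is that account's bin, so the
# interactive user's "Empty Recycle Bin" does not touch these folders.
SERVICE_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

# Report line: "<path with spaces> <verdict> <last action>". The verdict
# keyword is the only reliable separator between path and verdict.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>(?:Infected:|Suspicious:|Object is locked|ZIP:|CryptZ:|RarSFX:).*?)\s+"
    r"(?P<action>skipped|deleted|disinfected)$"
)
RECYCLER_RE = re.compile(r"\\RECYCLER\\(S-1-5-[\d-]+)\\", re.IGNORECASE)


def classify(path):
    """Return (category, note) describing whether a detected path is inert."""
    low = path.lower()
    m = RECYCLER_RE.search(path)
    if m:
        sid = m.group(1)
        owner = SERVICE_SIDS.get(sid)
        if owner:
            return ("recycle-bin", f"bin of {owner} ({sid}); Empty Recycle Bin "
                                   "from the user's session skips it, delete by path")
        return ("recycle-bin", f"bin of a user account ({sid}); Empty Recycle Bin clears it")
    if "\\system volume information\\_restore" in low:
        return ("restore-point", "inert unless restored; purge old points with Disk Cleanup")
    if "\\quarantine\\" in low or "\\qoobox\\" in low or "\\sdfix\\backups\\" in low:
        return ("quarantine-backup", "already neutralised by a tool; purge that tool's quarantine")
    return ("live", "outside any quarantine; treat as an active infection")


def triage(report_text):
    """Parse report lines and keep only real detections, each with its category."""
    findings = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = m.group("verdict")
        # Locked-file notices are not detections, and the ZIP:/CryptZ:/RarSFX:
        # roll-up lines only repeat the verdict of an archive member.
        if not verdict.startswith(("Infected:", "Suspicious:")):
            continue
        category, note = classify(m.group("path"))
        findings.append({"path": m.group("path"), "verdict": verdict,
                         "category": category, "note": note})
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(f["category"] for f in findings)


def live_paths(findings):
    """Paths that still need action rather than a quarantine purge."""
    return [f["path"] for f in findings if f["category"] == "live"]


# Lines 1-7 are copied from the report above; the last line is constructed
# (the path Spybot flagged in post #1 with a made-up verdict name).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC001F.VBN/b122.exe Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00AC001F.VBN ZIP: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-01-23_ 21235.42.zip/dmboott.sys Infected: Rootkit.Win32.Agent.to skipped
C:\SDFix\backups\backups.zip/backups/fsoby.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP9\A0001530.dll Infected: not-a-virus:AdWare.Win32.BHO.si skipped
C:\RECYCLER\S-1-5-18\Dc3\kernel.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Infected: Hypothetical.Constructed.Verdict skipped
"""

if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"{f['category']:<18} {f['path']}\n{'':<18} {f['note']}")
    print(dict(summarize(found)))
```

On the sample, five of the six detections land in quarantine, backup, restore-point or Recycle Bin folders and only the constructed core.cache.dsk line is reported as live; feed it the full report text to get the same split for all 33 objects.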

#8 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:03:22 AM

Posted 23 January 2008 - 08:23 PM

Hi Spied,

That looks pretty good and I'm glad to hear things are running better. Some important final steps:

Clean Spybot's quarantined files:
Open Spybot - Search & Destroy
Select Recovery from the menu on the left side
Select the relevant item(s) and choose Purge selected items
Close Spybot - Search & Destroy

Also, please clean your Symantec Antivirus quarantine area


Clean up with OTMoveIt2:
  • Double-click OTMoveIt2.exe to start the program.
  • Close all other programs apart from OTMoveIt as this step will require a reboot
  • On the OTMoveIt main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm


Re-enable Windows Defender real-time protection:
  • Right-click on the Windows Defender icon in the system tray and select Open
  • Click on Tools from the top menu, then press Options
  • Scroll down to Real-time protection options, check Use real-time protection and press Save
  • Close Windows Defender


If all of the above went well, I think your machine is now clean of malware :thumbsup: here are some tips to help you keep it that way:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule

You have good protection software installed however please ensure it is kept up to date. Check that your antivirus and antispyware programs are set to automatically update themselves daily, and that your firewall is the latest version.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
Teacher at Malware Removal University | ASAP & UNITE Member
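
For the custom HOSTS file step, the following is an added example (not the MVPS file and not code from this thread or its helper) that shows what the file does and the check worth running on it. Windows consults %SystemRoot%\system32\drivers\etc\hosts before it asks DNS, so an entry mapping a name to 0.0.0.0 or 127.0.0.1 blackholes that name; the same mechanism, used to point a name at an attacker's address, is what HijackThis lists as O1 entries. The sample hosts content, the .example names and the TEST-NET address 203.0.113.7 are constructed, and the "trusted names" list is an assumption about which hosts a blocklist should never touch.

```python
"""Hosts-file blocklist: how it short-circuits DNS, and a check for hijacks.

Added example, not part of the thread or of the MVPS HOSTS file. The
resolver reads the hosts file first, so a blackhole entry blocks a name
without any network traffic. The audit flags entries that do something
other than blackhole (a redirect to a real IP) and entries that blackhole
a host the machine depends on, such as an AV vendor's update server.
"""
import ipaddress

# Addresses that make a name unreachable rather than redirecting it.
BLACKHOLE = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return [(ip, hostname)] in file order; comments and bad lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; the resolver skips the line as well
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def resolve(hostname, entries):
    """First matching entry wins, as the resolver does; None means fall through to DNS."""
    hostname = hostname.lower().rstrip(".")
    for ip, name in entries:
        if name == hostname:
            return str(ip)
    return None


def audit(entries, trusted_names=()):
    """Entries to look at: redirects to a non-blackhole IP, or blackholing
    of a trusted name (or a subdomain of one)."""
    suspicious = []
    for ip, name in entries:
        trusted = any(name == t or name.endswith("." + t) for t in trusted_names)
        if ip not in BLACKHOLE or trusted:
            suspicious.append((str(ip), name))
    return suspicious


# Constructed sample: MVPS-style block entries plus two planted hijacks.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.tracker.example            # blocked ad server
0.0.0.0 counter.webbug.example banner.webbug.example
0.0.0.0 liveupdate.vendor.example      # planted: silences the AV update host
203.0.113.7 www.bank.example           # planted: sends a bank name to an attacker IP
not-an-ip junk.example
"""

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ads.tracker.example ->", resolve("ads.tracker.example", hosts))
    print("www.bank.example    ->", resolve("www.bank.example", hosts))
    for ip, name in audit(hosts, trusted_names=("vendor.example",)):
        print("suspicious:", ip, name)
```

To run it against the real file, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to parse_hosts and give audit the update and security-vendor domains you rely on. The list-order rule in resolve is also why a planted entry can sit unnoticed below thousands of legitimate block lines, and why, as the instructions above say, the DNS Client service should be disabled before installing a very large hosts file.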

#9 Spied

Spied
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 30 January 2008 - 01:12 AM

Silver,

Apologies for the delay in responding. All seems well with my computer. Thanks again for all of your help.

One item of potential concern: Kaspersky continues to detect a virus in:

C:\RECYCLER\S-1-5-18\Dc3\kernel .exe Infected: Trojan-Downloader.Win32.Adload.pn skipped
C:\RECYCLER\S-1-5-18\Dc3\kernel.exe Infected: Trojan-Downloader.Win32.Adload.pn skipped

Anything need to be done about those files?

Thanks,

Spied

#10 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:03:22 AM

Posted 30 January 2008 - 01:21 AM

Hi Spied,

Those are files in the Recycle Bin, to clean them simply right-click your Recycle Bin and choose Empty Recycle Bin.
If after doing this they are detected again please let me know and we will take further action.
Teacher at Malware Removal University | ASAP & UNITE Member

#11 Spied

Spied
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 30 January 2008 - 01:26 AM

Hi Silver,

Thanks for the quick reply. I have emptied the recycle bin from "Recycle Bin" and "Disk Clean-up" and the files still pop up as being infected.

Spied

#12 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:03:22 AM

Posted 30 January 2008 - 02:15 AM

Please try this next:

Next press Start->Run, copy/paste the following command into the box and press OK:

cmd /c del /q /f "C:\RECYCLER\S-1-5-18\Dc3\kernel*.*"


Please let me know if those files are still detected.
Teacher at Malware Removal University | ASAP & UNITE Member

#13 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:03:22 AM

Posted 03 February 2008 - 08:19 PM

Any luck?
Teacher at Malware Removal University | ASAP & UNITE Member

#14 Spied

Spied
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:22 PM

Posted 04 February 2008 - 12:05 AM

Silver,

Yes, thanks, files are gone. All scans are now clean.

Thanks again for all of the help.

I really appreciate it,

Best regards,

Spied

#15 silver

silver

  • Members
  • 480 posts
  • OFFLINE
  •  
  • Location:GMT+7
  • Local time:03:22 AM

Posted 04 February 2008 - 02:37 AM

Glad to hear it and you're most welcome :thumbsup:





Since this issue appears to be resolved, this topic has been closed.

If you are the topic starter and need this topic reopened, please PM a staff member with a link to this thread and we will reopen it for you. Anyone else who needs assistance should begin a new topic.
Teacher at Malware Removal University | ASAP & UNITE Member