Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problems With Outerinfo


  • This topic is locked This topic is locked
14 replies to this topic

#1 braulio0817

braulio0817

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 02 February 2008 - 03:51 PM

I was having problems with the Powered by Oterinfo pop ups. I followed the instructions of this link http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ step by step, download and run and scan all the programs mentioned there and this is the log from HijackThis so you can check it and let me know if everything is OK.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:34 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe
C:\PROGRA~1\SKS~1\wucrtupd.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - (no file)
O2 - BHO: (no name) - {396C45DA-5925-4B33-9049-D4928248EDAF} - (no file)
O2 - BHO: (no name) - {4D0FF471-E7FD-4B8B-AA02-8E413797E5FC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {cb87623e-4e8f-7c38-e814-81b6687595c5} - {5c595786-6b18-418e-83c7-f8e4e32678bc} - C:\WINDOWS\system32\beqmqexd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [7040994e] rundll32.exe "C:\WINDOWS\system32\iibauino.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA6923] command /c del "C:\WINDOWS\system32\vtsqn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC974] cmd /c del "C:\WINDOWS\system32\vtsqn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3554] cmd /c del "C:\WINDOWS\system32\pmkjh.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Wnkjwlx] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe"
O4 - HKCU\..\Run: [Irib] "C:\PROGRA~1\SKS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqbh] "C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" -vt yazb
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lqdsrngk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165491799421
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: fccccde - fccccde.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12648 bytes

BC AdBot (Login to Remove)

 


m

#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:15 PM

Posted 02 February 2008 - 04:28 PM

Hello braulio0817 and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

A guide and tutorial on using ComboFix can be found at the following link http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more that 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.
Please post back with combofix report and new HijackThis log.

Regards,
SNOWHITE
Posted Image

#3 braulio0817

braulio0817
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 02 February 2008 - 08:08 PM

Hi Snowhite and thank you for the help. :thumbsup:
This is the log by Combofix

ComboFix 08-02.03.1 - Compaq_Owner 2008-02-02 19:50:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.405 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\ZINNPR4C\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\5.tmp
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\Compaq_Owner\Application Data\ASKS~1
C:\Documents and Settings\Compaq_Owner\Application Data\FNTS~1
C:\Documents and Settings\Compaq_Owner\Application Data\MANTEC~1
C:\Documents and Settings\Compaq_Owner\Application Data\PPPATC~1
C:\Documents and Settings\Compaq_Owner\Application Data\PPPATC~1\j?vaw.exe
C:\Documents and Settings\Compaq_Owner\Application Data\RACLE~1
C:\Documents and Settings\Compaq_Owner\Application Data\RACLE~1\?hkntfs.exe
C:\Documents and Settings\Compaq_Owner\Application Data\SSTEM~1
C:\Documents and Settings\Compaq_Owner\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Compaq_Owner\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Compaq_Owner\Application Data\WNSXS~1
C:\Documents and Settings\Compaq_Owner\Application Data\YMANTE~1
C:\Documents and Settings\Compaq_Owner\err.log
C:\Documents and Settings\Compaq_Owner\My Documents\RACLE~1
C:\Documents and Settings\Compaq_Owner\My Documents\SCURIT~1
C:\Documents and Settings\Compaq_Owner\My Documents\SEMBLY~1
C:\Documents and Settings\Compaq_Owner\My Documents\SSTEM3~1
C:\Documents and Settings\Compaq_Owner\My Documents\WNSXS~1
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\TA_Start.lnk
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\crosof~1
C:\Program Files\fnts~1
C:\Program Files\poolsv
C:\Program Files\ppatch~1
C:\Program Files\sks~1
C:\Program Files\sks~1\??sks\
C:\Program Files\sks~1\wucrtupd.exe
C:\Program Files\smante~1
C:\Program Files\Spruce
C:\Program Files\Spruce\Spruce.dll
C:\Program Files\Spruce\Spruce.dll.intermediate.manifest
C:\Program Files\Spruce\Spruce.exe
C:\Program Files\Spruce\Spruce.info
C:\Program Files\Spruce\Spruce.original
C:\Program Files\Spruce\SpruceRg.dll
C:\Program Files\Spruce\un_SpruceSetup_17737.exe
C:\Program Files\Spruce\un_SpruceSetup_17737.txt
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Spruce\X_Spruce.log
C:\temp\0c2
C:\temp\0c2\tmpRC.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\temp\brr\tmpZTF.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\WINDOWS\cookies.ini
C:\WINDOWS\pppatc~1
C:\WINDOWS\racle~1
C:\WINDOWS\sks~1
C:\WINDOWS\smbols~1
C:\WINDOWS\sstem~1
C:\WINDOWS\system32\ahnlgsfq.ini
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\beqmqexd.dll
C:\WINDOWS\system32\dbdvsosu.dll
C:\WINDOWS\system32\dcifraca.ini
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\fxqxxxss.dll
C:\WINDOWS\system32\hqdwdhiq.ini
C:\WINDOWS\system32\hredhyie.ini
C:\WINDOWS\system32\iibauino.dll
C:\WINDOWS\system32\jfofqwfl.dll
C:\WINDOWS\system32\jhwyxvym.dll
C:\WINDOWS\system32\jxotyjcc.dll
C:\WINDOWS\system32\kjrfxpbd.dll
C:\WINDOWS\system32\kmalprhy.dll
C:\WINDOWS\system32\kuwrmoyj.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ncjwwcav.ini
C:\WINDOWS\system32\nfpnpsgs.ini
C:\WINDOWS\system32\nqfhtevh.dll
C:\WINDOWS\system32\nqstv.bak1
C:\WINDOWS\system32\nqstv.bak2
C:\WINDOWS\system32\nqstv.ini
C:\WINDOWS\system32\nqstv.ini2
C:\WINDOWS\system32\nqstv.tmp
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\oebkyqja.ini
C:\WINDOWS\system32\ohpuuoum.ini
C:\WINDOWS\system32\oniuabii.ini
C:\WINDOWS\system32\owhekcsx.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rxacepfa.dll
C:\WINDOWS\system32\smdricpi.ini
C:\WINDOWS\system32\ssqbgunv.dll
C:\WINDOWS\system32\tbllkqni.dll
C:\WINDOWS\system32\usmqbgbb.dll
C:\WINDOWS\system32\usosvdbd.ini
C:\WINDOWS\system32\uyjjxuvv.ini
C:\WINDOWS\system32\vlftflks.ini
C:\WINDOWS\system32\vycdd.bak1
C:\WINDOWS\system32\vycdd.bak2
C:\WINDOWS\system32\vycdd.ini
C:\WINDOWS\system32\vycdd.ini2
C:\WINDOWS\system32\vycdd.tmp
C:\WINDOWS\system32\wcpisvsu.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\xebrdvbg.ini
C:\WINDOWS\system32\xfqlbsym.dll
C:\WINDOWS\system32\xrlpuiki.ini
C:\WINDOWS\system32\xsckehwo.ini
C:\WINDOWS\system32\Y1
C:\WINDOWS\system32\Y2
C:\WINDOWS\system32\yhrplamk.ini
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\yyiawqaf.ini
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ystem~1

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 15:39 . 2008-02-02 15:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 21:37 . 2008-02-01 22:16 256 --a------ C:\WINDOWS\wininit.ini
2008-02-01 21:02 . 2008-02-01 21:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 21:02 . 2008-02-01 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 18:41 . 2008-02-01 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:40 . 2008-02-01 18:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 17:36 . 2008-02-01 17:36 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-01-30 04:15 . 2005-07-12 17:50 23,304 --a------ C:\WINDOWS\system32\GWFSPIDGen.dll
2008-01-29 07:01 . 2008-01-29 07:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 23:37 . 2008-01-29 00:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-27 21:58 . 2008-01-27 21:58 <DIR> d-------- C:\PIRATES OF THE CARIBBEAN 3
2008-01-25 21:47 . 2008-01-25 21:47 <DIR> d-------- C:\RESIDENT_EVIL_EXTINCTION
2008-01-25 01:19 . 2008-01-25 01:19 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-25 01:19 . 2008-01-25 01:19 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-01-25 01:18 . 2008-01-25 01:18 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-01-24 06:05 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-24 06:05 . 2007-04-17 04:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-24 06:05 . 2007-01-08 19:07 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-24 06:05 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-24 06:05 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-24 06:05 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-24 06:05 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-24 06:05 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-24 05:50 . 2008-01-29 00:25 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-24 04:40 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-24 04:40 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-24 04:40 . 2007-02-28 04:15 2,059,392 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-24 04:40 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-24 04:33 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-01-24 04:31 . 2008-01-24 04:33 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-01-24 04:28 . 2008-01-24 04:28 <DIR> d-------- C:\Program Files\Realtek
2008-01-24 04:28 . 2007-06-13 14:49 16,377,344 --a------ C:\WINDOWS\RTHDCPL.exe
2008-01-24 04:28 . 2007-03-23 19:19 9,715,200 --a------ C:\WINDOWS\RTLCPL.exe
2008-01-24 04:28 . 2007-06-14 16:41 4,429,312 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-24 04:28 . 2006-05-04 16:26 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2008-01-24 04:28 . 2007-04-25 16:55 2,162,688 --a------ C:\WINDOWS\MicCal.exe
2008-01-24 04:28 . 2007-05-28 20:39 1,826,816 --a------ C:\WINDOWS\SkyTel.exe
2008-01-24 04:28 . 2007-01-16 10:39 1,191,936 --a------ C:\WINDOWS\RtlUpd.exe
2008-01-24 04:28 . 2006-08-18 06:58 282,624 --a------ C:\WINDOWS\system32\RTSndMgr.cpl
2008-01-24 04:28 . 2006-07-21 16:14 86,016 --a------ C:\WINDOWS\SoundMan.exe
2008-01-24 04:28 . 2005-05-03 18:43 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-01-24 04:20 . 2007-01-12 16:54 520,192 --a------ C:\WINDOWS\RtlExUpd.dll
2008-01-24 04:20 . 2008-01-24 04:20 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-01-24 04:18 . 2005-03-16 01:23 13,696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys
2008-01-24 03:45 . 2008-01-24 03:45 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2008-01-24 02:41 . 2004-08-04 05:00 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2008-01-24 02:41 . 2004-08-04 05:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-01-24 02:41 . 2004-08-04 05:00 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2008-01-24 02:41 . 2004-08-04 05:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-01-24 02:41 . 2004-08-04 05:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-01-24 02:41 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 02:39 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-24 02:38 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-24 02:37 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-24 02:21 . 2001-08-17 12:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-01-24 02:17 . 2004-08-04 05:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-24 02:17 . 2004-08-04 05:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-01-24 02:17 . 2004-08-04 05:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-24 02:17 . 2004-08-04 05:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-01-24 02:17 . 2008-01-30 06:29 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-23 21:05 . 2008-01-23 21:05 <DIR> d-------- C:\WINDOWS\dell
2008-01-21 13:14 . 2008-01-21 13:14 <DIR> d-------- C:\SIMPSONS_WS
2008-01-20 12:24 . 2008-01-20 12:24 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 17:39 . 2008-01-06 17:42 <DIR> d-------- C:\Program Files\Unlocker
2008-01-03 18:19 . 2008-01-07 15:19 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 00:41 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-02 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-01 23:42 --------- d-----w C:\Program Files\Lavasoft
2008-01-30 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-28 04:40 159,664 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-28 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-24 09:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 16:44 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-20 16:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 16:39 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-20 16:35 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-01-20 16:35 --------- d-----w C:\Program Files\AVSMedia
2007-12-31 21:28 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Ahead
2003-08-05 16:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 21:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 20:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 23:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 19:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
2007-07-19 02:03 1,125,090 --sha-w C:\WINDOWS\system32\mwdynwsm.ini2
2007-08-03 23:50 1,730,899 --sha-w C:\WINDOWS\system32\vvvwa.bak1
2007-08-03 23:50 1,730,339 --sha-w C:\WINDOWS\system32\vvvwa.bak2
2007-08-04 00:17 1,730,821 --sha-w C:\WINDOWS\system32\vvvwa.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-11-06 19:51 3810544]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"Wnkjwlx"="C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe" [ ]
"Irib"="C:\PROGRA~1\SKS~1\wucrtupd.exe" [ ]
"Vqbh"="C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe" [ ]
"Srro"="C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-10 09:09 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-10 10:04 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-30 08:32 100056]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55 155648]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 16:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"EPSON Stylus CX5400 (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 20:21 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 05:50 155648]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 22:13 98304]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 14:49 16377344 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA6923"="command /c del C:\WINDOWS\system32\vtsqn.dll_old" [ ]
"SpybotDeletingC974"="cmd /c del C:\WINDOWS\system32\vtsqn.dll_old" [ ]
"SpybotDeletingC3554"="cmd /c del C:\WINDOWS\system32\pmkjh.dll_old" [ ]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-03-02 09:05:53 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-10 10:48:05 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccccde]
fccccde.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]
C:\WINDOWS\system32\mlljk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VTTimer"=VTTimer.exe

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 01:23]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-04-07 15:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e868a36-789a-11d9-8555-806d6172696f}]
\Shell\AutoRun\command - E:\start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 16:50:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 21:46:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 19:53:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 19:54:40
ComboFix-quarantined-files.txt 2008-02-03 00:54:04
.
2008-01-31 00:34:22 --- E O F ---


And this is the new log from HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:24 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe
C:\PROGRA~1\SKS~1\wucrtupd.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - (no file)
O2 - BHO: (no name) - {396C45DA-5925-4B33-9049-D4928248EDAF} - (no file)
O2 - BHO: (no name) - {4D0FF471-E7FD-4B8B-AA02-8E413797E5FC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5c595786-6b18-418e-83c7-f8e4e32678bc} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6923] command /c del "C:\WINDOWS\system32\vtsqn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC974] cmd /c del "C:\WINDOWS\system32\vtsqn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3554] cmd /c del "C:\WINDOWS\system32\pmkjh.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Wnkjwlx] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe"
O4 - HKCU\..\Run: [Irib] "C:\PROGRA~1\SKS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqbh] "C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe"
O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165491799421
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: fccccde - fccccde.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11940 bytes

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:15 PM

Posted 03 February 2008 - 10:02 AM

Hello braulio0817 :thumbsup:

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\mwdynwsm.ini2
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\mlljk.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wnkjwlx"=-
"Irib"=-
"Vqbh"=-
"Srro"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccccde]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!


Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step #2

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • - Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

In your next post please include the following reports:
  • ComboFix report
  • AVG Anti-Spyware report (if available)
  • New HijackThis log (run after AVG Anti-Spyware has finished its work.)
Let me know how the things will go.

Regards,
SNOWHITE
Posted Image

#5 braulio0817

braulio0817
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 03 February 2008 - 03:56 PM

Hi Snowhite:
After the Step #1 of your last reply those are the logs:

ComboFix Log

ComboFix 08-02.03.1 - Compaq_Owner 2008-02-03 15:40:48.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.547 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mwdynwsm.ini2
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\mwdynwsm.ini2
C:\WINDOWS\system32\vvvwa.bak1
C:\WINDOWS\system32\vvvwa.bak2
C:\WINDOWS\system32\vvvwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 15:39 . 2008-02-02 15:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 21:37 . 2008-02-01 22:16 256 --a------ C:\WINDOWS\wininit.ini
2008-02-01 21:02 . 2008-02-01 21:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 21:02 . 2008-02-01 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 18:41 . 2008-02-01 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:40 . 2008-02-01 18:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 17:36 . 2008-02-01 17:36 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-01-30 04:15 . 2005-07-12 17:50 23,304 --a------ C:\WINDOWS\system32\GWFSPIDGen.dll
2008-01-29 07:01 . 2008-01-29 07:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 23:37 . 2008-01-29 00:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-27 21:58 . 2008-01-27 21:58 <DIR> d-------- C:\PIRATES OF THE CARIBBEAN 3
2008-01-25 21:47 . 2008-01-25 21:47 <DIR> d-------- C:\RESIDENT_EVIL_EXTINCTION
2008-01-25 01:19 . 2008-01-25 01:19 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-25 01:19 . 2008-01-25 01:19 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-01-25 01:18 . 2008-01-25 01:18 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-01-24 06:05 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-24 06:05 . 2007-04-17 04:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-24 06:05 . 2007-01-08 19:07 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-24 06:05 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-24 06:05 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-24 06:05 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-24 06:05 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-24 06:05 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-24 05:50 . 2008-01-29 00:25 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-24 04:40 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-24 04:40 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-24 04:40 . 2007-02-28 04:15 2,059,392 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-24 04:40 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-24 04:33 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-01-24 04:31 . 2008-01-24 04:33 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-01-24 04:28 . 2008-01-24 04:28 <DIR> d-------- C:\Program Files\Realtek
2008-01-24 04:28 . 2007-06-13 14:49 16,377,344 --a------ C:\WINDOWS\RTHDCPL.exe
2008-01-24 04:28 . 2007-03-23 19:19 9,715,200 --a------ C:\WINDOWS\RTLCPL.exe
2008-01-24 04:28 . 2007-06-14 16:41 4,429,312 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-24 04:28 . 2006-05-04 16:26 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2008-01-24 04:28 . 2007-04-25 16:55 2,162,688 --a------ C:\WINDOWS\MicCal.exe
2008-01-24 04:28 . 2007-05-28 20:39 1,826,816 --a------ C:\WINDOWS\SkyTel.exe
2008-01-24 04:28 . 2007-01-16 10:39 1,191,936 --a------ C:\WINDOWS\RtlUpd.exe
2008-01-24 04:28 . 2006-08-18 06:58 282,624 --a------ C:\WINDOWS\system32\RTSndMgr.cpl
2008-01-24 04:28 . 2006-07-21 16:14 86,016 --a------ C:\WINDOWS\SoundMan.exe
2008-01-24 04:28 . 2005-05-03 18:43 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-01-24 04:20 . 2007-01-12 16:54 520,192 --a------ C:\WINDOWS\RtlExUpd.dll
2008-01-24 04:20 . 2008-01-24 04:20 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-01-24 04:18 . 2005-03-16 01:23 13,696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys
2008-01-24 03:45 . 2008-01-24 03:45 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2008-01-24 02:41 . 2004-08-04 05:00 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2008-01-24 02:41 . 2004-08-04 05:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-01-24 02:41 . 2004-08-04 05:00 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2008-01-24 02:41 . 2004-08-04 05:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-01-24 02:41 . 2004-08-04 05:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-01-24 02:41 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 02:39 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-24 02:38 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-24 02:37 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-24 02:21 . 2001-08-17 12:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-01-24 02:17 . 2004-08-04 05:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-24 02:17 . 2004-08-04 05:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-01-24 02:17 . 2004-08-04 05:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-24 02:17 . 2004-08-04 05:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-01-24 02:17 . 2008-01-30 06:29 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-23 21:05 . 2008-01-23 21:05 <DIR> d-------- C:\WINDOWS\dell
2008-01-21 13:14 . 2008-01-21 13:14 <DIR> d-------- C:\SIMPSONS_WS
2008-01-20 12:24 . 2008-01-20 12:24 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 17:39 . 2008-01-06 17:42 <DIR> d-------- C:\Program Files\Unlocker
2008-01-03 18:19 . 2008-01-07 15:19 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 20:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-02 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-01 23:42 --------- d-----w C:\Program Files\Lavasoft
2008-01-30 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-28 04:40 159,664 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-28 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-24 09:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 16:44 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-20 16:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 16:39 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-20 16:35 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-01-20 16:35 --------- d-----w C:\Program Files\AVSMedia
2007-12-31 21:28 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Ahead
2007-12-30 12:53 6,523 --sha-w C:\WINDOWS\system32\ccbeg.tmp
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2003-08-05 16:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 21:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 20:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 23:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 19:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{396C45DA-5925-4B33-9049-D4928248EDAF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D0FF471-E7FD-4B8B-AA02-8E413797E5FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c595786-6b18-418e-83c7-f8e4e32678bc}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-11-06 19:51 3810544]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-10 09:09 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-10 10:04 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-30 08:32 100056]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55 155648]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"EPSON Stylus CX5400 (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 20:21 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 05:50 155648]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 22:13 98304]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 14:49 16377344 C:\WINDOWS\RTHDCPL.exe]
"VTTimer"="VTTimer.exe" []

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-03-02 09:05:53 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-10 10:48:05 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 01:23]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-04-07 15:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e868a36-789a-11d9-8555-806d6172696f}]
\Shell\AutoRun\command - E:\start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 16:50:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-03 17:46:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 15:43:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 15:44:34
ComboFix-quarantined-files.txt 2008-02-03 20:44:00
ComboFix2.txt 2008-02-03 15:24:33
ComboFix3.txt 2008-02-03 00:54:40
.
2008-01-31 00:34:22 --- E O F ---

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:14 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - (no file)
O2 - BHO: (no name) - {396C45DA-5925-4B33-9049-D4928248EDAF} - (no file)
O2 - BHO: (no name) - {4D0FF471-E7FD-4B8B-AA02-8E413797E5FC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5c595786-6b18-418e-83c7-f8e4e32678bc} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Wnkjwlx] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe"
O4 - HKCU\..\Run: [Irib] "C:\PROGRA~1\SKS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqbh] "C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe"
O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" -vt yazb
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165491799421
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: fccccde - C:\WINDOWS\
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11466 bytes

#6 braulio0817

braulio0817
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 03 February 2008 - 06:27 PM

Hi again... :thumbsup:

Now I will post the ComboFix report and the HijackThis log after I completed the step #2. The AVG Anti-Spyware didn't gave me a report. I hope I did everything right and thank you very much for all the help.

ComboFix Report

ComboFix 08-02.03.1 - Compaq_Owner 2008-02-03 18:11:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.473 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 15:59 . 2008-02-03 15:59 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Grisoft
2008-02-03 15:59 . 2008-02-03 15:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-03 15:59 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 15:39 . 2008-02-02 15:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 21:37 . 2008-02-01 22:16 256 --a------ C:\WINDOWS\wininit.ini
2008-02-01 21:02 . 2008-02-01 21:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 21:02 . 2008-02-01 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 18:41 . 2008-02-01 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:40 . 2008-02-01 18:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-01 17:36 . 2008-02-01 17:36 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-01-30 04:15 . 2005-07-12 17:50 23,304 --a------ C:\WINDOWS\system32\GWFSPIDGen.dll
2008-01-29 07:01 . 2008-01-29 07:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 23:37 . 2008-01-29 00:36 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-27 21:58 . 2008-01-27 21:58 <DIR> d-------- C:\PIRATES OF THE CARIBBEAN 3
2008-01-25 21:47 . 2008-01-25 21:47 <DIR> d-------- C:\RESIDENT_EVIL_EXTINCTION
2008-01-25 01:19 . 2008-01-25 01:19 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-01-25 01:19 . 2008-01-25 01:19 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-01-25 01:18 . 2008-01-25 01:18 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-01-24 06:05 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-24 06:05 . 2007-04-17 04:28 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-24 06:05 . 2007-01-08 19:07 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-24 06:05 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-24 06:05 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-24 06:05 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-24 06:05 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-24 06:05 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-24 05:50 . 2008-01-29 00:25 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-24 04:40 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-24 04:40 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-24 04:40 . 2007-02-28 04:15 2,059,392 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-01-24 04:40 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-24 04:33 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-01-24 04:31 . 2008-01-24 04:33 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-01-24 04:28 . 2008-01-24 04:28 <DIR> d-------- C:\Program Files\Realtek
2008-01-24 04:28 . 2007-06-13 14:49 16,377,344 --a------ C:\WINDOWS\RTHDCPL.exe
2008-01-24 04:28 . 2007-03-23 19:19 9,715,200 --a------ C:\WINDOWS\RTLCPL.exe
2008-01-24 04:28 . 2007-06-14 16:41 4,429,312 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-01-24 04:28 . 2006-05-04 16:26 2,808,832 --a------ C:\WINDOWS\alcwzrd.exe
2008-01-24 04:28 . 2007-04-25 16:55 2,162,688 --a------ C:\WINDOWS\MicCal.exe
2008-01-24 04:28 . 2007-05-28 20:39 1,826,816 --a------ C:\WINDOWS\SkyTel.exe
2008-01-24 04:28 . 2007-01-16 10:39 1,191,936 --a------ C:\WINDOWS\RtlUpd.exe
2008-01-24 04:28 . 2006-08-18 06:58 282,624 --a------ C:\WINDOWS\system32\RTSndMgr.cpl
2008-01-24 04:28 . 2006-07-21 16:14 86,016 --a------ C:\WINDOWS\SoundMan.exe
2008-01-24 04:28 . 2005-05-03 18:43 69,632 --a------ C:\WINDOWS\Alcmtr.exe
2008-01-24 04:20 . 2007-01-12 16:54 520,192 --a------ C:\WINDOWS\RtlExUpd.dll
2008-01-24 04:20 . 2008-01-24 04:20 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-01-24 04:18 . 2005-03-16 01:23 13,696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys
2008-01-24 03:45 . 2008-01-24 03:45 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winzm.ime
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winsp.ime
2008-01-24 02:41 . 2004-08-04 05:00 156,672 --a--c--- C:\WINDOWS\system32\dllcache\winpy.ime
2008-01-24 02:41 . 2004-08-04 05:00 79,360 --a--c--- C:\WINDOWS\system32\dllcache\winar30.ime
2008-01-24 02:41 . 2004-08-04 05:00 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-01-24 02:41 . 2004-08-04 05:00 65,536 --a--c--- C:\WINDOWS\system32\dllcache\winime.ime
2008-01-24 02:41 . 2004-08-04 05:00 41,600 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.dll
2008-01-24 02:41 . 2004-08-04 05:00 31,232 --a--c--- C:\WINDOWS\system32\dllcache\weitekp9.sys
2008-01-24 02:41 . 2004-08-04 05:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-01-24 02:39 . 2004-08-04 05:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-24 02:38 . 2004-08-04 05:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-24 02:37 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-01-24 02:34 . 2008-01-24 02:34 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-01-24 02:21 . 2001-08-17 12:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-01-24 02:17 . 2004-08-04 05:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-01-24 02:17 . 2004-08-04 05:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-01-24 02:17 . 2004-08-04 05:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-01-24 02:17 . 2004-08-04 05:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-01-24 02:17 . 2008-01-30 06:29 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-23 21:05 . 2008-01-23 21:05 <DIR> d-------- C:\WINDOWS\dell
2008-01-21 13:14 . 2008-01-21 13:14 <DIR> d-------- C:\SIMPSONS_WS
2008-01-20 12:24 . 2008-01-20 12:24 <DIR> d-------- C:\Program Files\CCleaner
2008-01-06 17:39 . 2008-01-06 17:42 <DIR> d-------- C:\Program Files\Unlocker
2008-01-03 18:19 . 2008-01-07 15:19 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 23:07 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-02 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-01 23:42 --------- d-----w C:\Program Files\Lavasoft
2008-01-30 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-28 04:40 159,664 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-28 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-24 09:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 16:44 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-20 16:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-20 16:39 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-20 16:35 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-01-20 16:35 --------- d-----w C:\Program Files\AVSMedia
2007-12-31 21:28 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Ahead
2007-12-30 12:53 6,523 --sha-w C:\WINDOWS\system32\ccbeg.tmp
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2003-08-05 16:41 53,248 ----a-w C:\WINDOWS\inf\ap561.exe
2002-11-26 21:24 32,768 ----a-w C:\WINDOWS\inf\Remove561.exe
2002-11-22 20:56 118,784 ----a-w C:\WINDOWS\inf\ShowBmp.exe
2002-10-29 23:07 36,864 ----a-w C:\WINDOWS\inf\Setup8a.exe
2002-10-01 19:43 119,798 ----a-w C:\WINDOWS\inf\spca561.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{396C45DA-5925-4B33-9049-D4928248EDAF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D0FF471-E7FD-4B8B-AA02-8E413797E5FC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5c595786-6b18-418e-83c7-f8e4e32678bc}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-11-06 19:51 3810544]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Wnkjwlx"="C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe" [ ]
"Irib"="C:\PROGRA~1\SKS~1\wucrtupd.exe" [ ]
"Vqbh"="C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe" [ ]
"Srro"="C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-10 09:09 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 18:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 22:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-10 10:04 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-03-30 08:32 100056]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 18:55 155648]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"EPSON Stylus CX5400 (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 15:00 99840]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 20:21 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 05:50 155648]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 12:19 15872]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 22:13 98304]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 14:49 16377344 C:\WINDOWS\RTHDCPL.exe]
"VTTimer"="VTTimer.exe" []
"AlcxMonitor"="ALCXMNTR.EXE" []

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2005-03-02 09:05:53 256000]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-10 10:48:05 16423]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccccde]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 01:23]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-04-07 15:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e868a36-789a-11d9-8555-806d6172696f}]
\Shell\AutoRun\command - E:\start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 16:50:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-03 17:46:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 18:13:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Unlocker\UnlockerHook.dll
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
.
Completion time: 2008-02-03 18:15:06
ComboFix-quarantined-files.txt 2008-02-03 23:14:32
ComboFix2.txt 2008-02-03 20:44:35
ComboFix3.txt 2008-02-03 15:24:33
ComboFix4.txt 2008-02-03 00:54:40
.
2008-01-31 00:34:22 --- E O F ---


HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:18 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - (no file)
O2 - BHO: (no name) - {396C45DA-5925-4B33-9049-D4928248EDAF} - (no file)
O2 - BHO: (no name) - {4D0FF471-E7FD-4B8B-AA02-8E413797E5FC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5c595786-6b18-418e-83c7-f8e4e32678bc} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Wnkjwlx] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe"
O4 - HKCU\..\Run: [Irib] "C:\PROGRA~1\SKS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqbh] "C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe"
O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" -vt yazb
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165491799421
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: fccccde - C:\WINDOWS\
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11621 bytes

#7 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:15 PM

Posted 04 February 2008 - 11:37 AM

Hello braulio0817,

Please follow the steps below exactly in the order they are written:

Step #1

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Step #2

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - (no file)
O2 - BHO: (no name) - {396C45DA-5925-4B33-9049-D4928248EDAF} - (no file)
O2 - BHO: (no name) - {4D0FF471-E7FD-4B8B-AA02-8E413797E5FC} - (no file)
O2 - BHO: (no name) - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)
O2 - BHO: (no name) - {5c595786-6b18-418e-83c7-f8e4e32678bc} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [Wnkjwlx] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe"
O4 - HKCU\..\Run: [Irib] "C:\PROGRA~1\SKS~1\wucrtupd.exe" -vt ndrv
O4 - HKCU\..\Run: [Vqbh] "C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe"
O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" -vt yazb
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O20 - Winlogon Notify: fccccde - C:\WINDOWS\
O20 - Winlogon Notify: mlljk - C:\WINDOWS\


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #3

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\ccbeg.tmp
    C:\Program Files\Spruce
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #4

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Step #5

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
In your next post please include the following reports:
  • OTMoveIt report
  • Kaspersky report
  • dss scan reports main.txt and extra.txt
Regards,
SNOWHITE
Posted Image

#8 braulio0817

braulio0817
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 06 February 2008 - 06:48 AM

Hi Snowhite:

First this is the OTMoveIt report


C:\WINDOWS\system32\ccbeg.tmp moved successfully.
File/Folder C:\Program Files\Spruce not found.
[Custom Input]
< purity >

OTMoveIt2 v1.0.17 log created on 02052008_182000


Kaspersky report

KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 6:28:42 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/02/2008
Kaspersky Anti-Virus database records: 550336


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan Statistics
Total number of scanned objects 87357
Number of viruses found 20
Number of infected objects 174
Number of suspicious objects 2
Duration of the scan process 02:03:08

Infected Object Name Virus Name Last Action
C:\12.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\12.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\12.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\12.tmp NSIS: infected - 3 skipped

C:\27.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\27.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\27.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\27.tmp NSIS: infected - 3 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00F40000.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01480000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02500000.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03DC0000.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03DC0001.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03DC0004.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\044C0000.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\044C0001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06000000.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06000001.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06000004.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06040000.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06040001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06BC0000.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06BC0003.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140000.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140001.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140004.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\082C0000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.ga skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\087C0000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09100001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B8C0000.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA40000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C540000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C7C0000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CCC0000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CCC0001.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CCC0002.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D040000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D040001.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D040002.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D4C0000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD40000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DD40001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE00000.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DEC0001.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DF40000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DF40001.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E340000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540000.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E680000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E680001.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E680002.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E680003.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E740000.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E940001.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E980000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E980001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EA00000.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EA40001.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EAC0000.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EBC0000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EDC0000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE00001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE40000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE80000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EE80001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF00000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF40000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF40001.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EF40002.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F080006.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F140000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F240000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F300000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F300002.VBN Infected: Trojan.Win32.Agent.bck skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F380000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F380001.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F380002.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F380003.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400002.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400003.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400005.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400006.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400009.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F480000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C0001.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580000.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F700001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F780000.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F7C0000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F840000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880001.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F900000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F980000.VBN Infected: Trojan-Dropper.Win32.Agent.bmk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FA00000.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FAC0000.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FAC0001.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB00000.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB00001.VBN Infected: Trojan.Win32.BHO.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB00004.VBN Infected: Trojan.Win32.Agent.aoy skipped

C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012008020520080206\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFA636.tmp Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFEBB7.tmp Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\~DFEBC4.tmp Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\chandir.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\chandir.idx Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\chn.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\chn.idx Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\D0000000.FCS Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\inuse.txt Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\L0000023.FCS Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\main.log Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs.idx Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_die.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_die.idx Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_dnd.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_dnd.idx Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_ext.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_ext.idx Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_rcv.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\prs_rcv.idx Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\storydb.dat Object is locked skipped

C:\Program Files\Compaq Connections\6750491\Users\Default\Data\storydb.idx Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0462NAV~.TMP Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0836NAV~.TMP Object is locked skipped

C:\Program Files\TopSearch\ls_update.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.TopSearch.a skipped

C:\Program Files\TopSearch\ls_update.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TopSearch.a skipped

C:\Program Files\TopSearch\ls_update.exe/stream Infected: not-a-virus:AdWare.Win32.TopSearch.a skipped

C:\Program Files\TopSearch\ls_update.exe NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\5.tmp.vir/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\QooBox\Quarantine\C\5.tmp.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\QooBox\Quarantine\C\5.tmp.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped

C:\QooBox\Quarantine\C\5.tmp.vir NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\RACLE~1\сhkntfs.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\beqmqexd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dbdvsosu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\fxqxxxss.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\iibauino.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\jfofqwfl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\jhwyxvym.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\jxotyjcc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\kjrfxpbd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\kmalprhy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\nqfhtevh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\owhekcsx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\rxacepfa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ssqbgunv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\tbllkqni.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\usmqbgbb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\xfqlbsym.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP18\A0001542.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP31\A0001908.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP32\A0001981.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP32\A0001994.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP33\A0002006.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP33\A0002071.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP41\A0002210.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP42\A0002233.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP46\A0003820.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP46\A0003842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP46\A0003869.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP47\A0003948.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP47\A0003965.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP47\A0003969.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP47\A0003970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP47\A0003971.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP47\A0003972.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004081.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004082.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004083.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004085.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004086.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004087.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004088.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004089.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004090.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004091.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004092.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004093.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004094.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004095.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP49\A0004096.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP51\change.log Object is locked skipped

C:\VundoFix Backups\awtsr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\awtst.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\ddayw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\gebcb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\gebya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\geebc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\geedc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\geede.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\jkhhg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\jkkll.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\VundoFix Backups\vtsqn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

dss scan reports main.txt

Deckard's System Scanner v20071014.68
Run by Compaq_Owner on 2008-02-06 06:40:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
52: 2008-02-06 11:40:59 UTC - RP52 - Deckard's System Scanner Restore Point
51: 2008-02-05 21:50:14 UTC - RP51 - System Checkpoint
50: 2008-02-03 20:40:21 UTC - RP50 - ComboFix created restore point
49: 2008-02-03 00:50:20 UTC - RP49 - ComboFix created restore point
48: 2008-02-02 23:42:37 UTC - RP48 - System Checkpoint


-- First Restore Point --
1: 2008-01-24 08:00:20 UTC - RP1 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:23 AM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Compaq_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165491799421
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10758 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080205-181551-139 O4 - Startup: PowerReg SchedulerV2.exe
backup-20080205-181551-191 O4 - HKCU\..\Run: [Irib] "C:\PROGRA~1\SKS~1\wucrtupd.exe" -vt ndrv
backup-20080205-181551-194 O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
backup-20080205-181551-372 O2 - BHO: (no name) - {5c595786-6b18-418e-83c7-f8e4e32678bc} - (no file)
backup-20080205-181551-461 O4 - HKCU\..\Run: [Wnkjwlx] "C:\Documents and Settings\Compaq_Owner\Application Data\?racle\?hkntfs.exe"
backup-20080205-181551-485 O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
backup-20080205-181551-524 O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
backup-20080205-181551-557 O2 - BHO: (no name) - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - (no file)
backup-20080205-181551-631 O2 - BHO: (no name) - {4D0FF471-E7FD-4B8B-AA02-8E413797E5FC} - (no file)
backup-20080205-181551-727 O20 - Winlogon Notify: fccccde - C:\WINDOWS\
backup-20080205-181551-851 O2 - BHO: (no name) - {396C45DA-5925-4B33-9049-D4928248EDAF} - (no file)
backup-20080205-181551-853 O4 - HKCU\..\Run: [Srro] "C:\PROGRA~1\COMMON~1\APPATC~1\arpa.exe" -vt yazb
backup-20080205-181551-860 O4 - HKCU\..\Run: [Vqbh] "C:\Documents and Settings\Compaq_Owner\Application Data\?ppPatch\j?vaw.exe"
backup-20080205-181551-872 O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - (no file)
backup-20080205-181551-969 O20 - Winlogon Notify: mlljk - C:\WINDOWS\

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BIOS - c:\windows\system32\drivers\bios.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
R1 oreans32 - c:\windows\system32\drivers\oreans32.sys

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S0 viaagp1 (VIA AGP Filter) - c:\windows\system32\drivers\viaagp1.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CTDevice_Srv (CT Device Query service) - c:\program files\creative\shared files\ctdevsrv.exe <Not Verified; Creative Technology Ltd; CTDevSrv Application>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Manufacturer:
Name:
PNP Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&2411E6FE&0&05
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-02-06 04:46:12 378 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-01-16 11:50:31 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-01-06 and 2008-02-06 -----------------------------

2008-02-05 18:24:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-05 18:24:25 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-05 18:24:22 0 d-------- C:\WINDOWS\LastGood
2008-02-03 15:59:43 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Grisoft
2008-02-03 15:59:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-02 19:49:45 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-02 19:49:45 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-02 19:49:45 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-02 19:49:45 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-02 15:39:41 0 d-------- C:\Program Files\Trend Micro
2008-02-01 21:02:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-01 18:41:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-01 18:40:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 07:01:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 23:37:48 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-27 21:58:59 0 d-------- C:\PIRATES OF THE CARIBBEAN 3
2008-01-25 21:47:10 0 d-------- C:\RESIDENT_EVIL_EXTINCTION
2008-01-25 01:18:39 0 d-------- C:\WINDOWS\system32\Lang
2008-01-24 05:50:32 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-01-24 04:33:02 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-01-24 04:31:07 0 d-------- C:\WINDOWS\system32\RTCOM
2008-01-24 04:28:46 0 d-------- C:\Program Files\Realtek
2008-01-24 04:20:37 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-01-24 04:20:36 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-01-24 04:18:32 13696 -ra------ C:\WINDOWS\system32\drivers\BIOS.sys <Not Verified; BIOSTAR Group; BIOSTAR I/O driver fle>
2008-01-24 02:45:26 0 d-------- C:\WINDOWS\Prefetch
2008-01-23 21:05:21 0 d-------- C:\WINDOWS\dell
2008-01-21 13:14:45 0 d-------- C:\SIMPSONS_WS
2008-01-20 12:28:30 0 dr-h----- C:\Documents and Settings\Compaq_Owner\Recent
2008-01-20 12:24:15 0 d-------- C:\Program Files\CCleaner


-- Find3M Report ---------------------------------------------------------------

2008-02-05 16:10:41 0 d-------- C:\Program Files\Symantec AntiVirus
2008-02-05 16:09:04 0 d-------- C:\Program Files\Common Files
2008-02-01 18:42:01 0 d-------- C:\Program Files\Lavasoft
2008-01-27 23:40:52 159664 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-01-24 04:28:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-24 02:33:37 23444 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-20 11:44:59 0 d-------- C:\Program Files\NCH Swift Sound
2008-01-20 11:42:15 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-20 11:39:01 0 d-------- C:\Program Files\Easy Internet signup
2008-01-20 11:35:15 0 d-------- C:\Program Files\Common Files\AVSMedia
2008-01-20 11:35:01 0 d-------- C:\Program Files\AVSMedia
2007-12-31 16:28:40 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Ahead


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [08/10/2004 09:09 AM]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 06:04 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/20/2004 06:51 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 10:02 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/10/2004 10:04 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [04/14/2004 10:43 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"AGRSMMSG"="AGRSMMSG.exe" [03/04/2005 11:01 AM C:\WINDOWS\AGRSMMSG.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [03/30/2006 08:32 AM]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/20/2004 06:55 PM]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [05/26/2003 03:00 PM]
"EPSON Stylus CX5400 (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [05/26/2003 03:00 PM]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [07/16/2002 08:21 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 05:50 AM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 09:59 AM]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/2006 12:19 PM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 10:46 PM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [09/12/2003 10:13 PM]
"RTHDCPL"="RTHDCPL.EXE" [06/13/2007 02:49 PM C:\WINDOWS\RTHDCPL.exe]
"VTTimer"="VTTimer.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 05:24 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [11/06/2007 07:51 PM]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [06/08/2007 09:59 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe [8/10/2004 10:48:05 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 4:01:04 AM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e868a36-789a-11d9-8555-806d6172696f}]
AutoRun\command- E:\start.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7892 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-06 06:43:39 ------------


dss scan reports extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 958.42 MiB / 512.12 MiB
Pagefile Memory (total/avail): 2314.98 MiB / 1957.38 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1927.46 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 69.86 GiB total, 28 GiB free.
D: is Fixed (FAT32) - 4.66 GiB total, 0.81 GiB free.
E: is CDROM (CDFS)
G: is Removable (FAT)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-22JHA0 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 4.66 GiB - D:
\PARTITION1 (bootable) - Installable File System - 69.86 GiB - C:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device - 243.17 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 243.2 MiB - G:

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Disabled:Compaq Connections"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Compaq_Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-7008FFA13B
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Compaq_Owner
LOGONSERVER=\\YOUR-7008FFA13B
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp
USERDOMAIN=YOUR-7008FFA13B
USERNAME=Compaq_Owner
USERPROFILE=C:\Documents and Settings\Compaq_Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Compaq_Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11E83B33-972B-4512-A447-FF0FD0246EE9}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21B6F79B-2286-4BB0-B1E3-BA6B9498D110}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23EFDB58-0874-4883-9810-EDA510B19FAE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BB79C8D-9DCC-4861-8A23-AE1B0B45E2B6}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BFBC62A-3353-443D-93BE-7AC641D9F342}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3C1B8CBC-9118-11D7-86D3-00055DF3561E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{775FFF70-4A8C-4500-908D-3C34DBEB11D5}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83021AC3-086F-4B77-ACCD-1BD7C9AB211E}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B100B05B-E290-41EF-9366-8BC4C76D7769}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B14F9B26-D695-4C4A-8B11-0FE6CDCC797B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D3568156-59C3-42DF-A520-2C25B6706C91}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E213C271-AEFA-481D-A9B4-914D88925B8D}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAD9402A-1A9B-4ABE-A410-393A3622FA5A}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A99CB37-AEB0-492F-A85A-8A2536D22393}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1999 Grolier Multimedia Encyclopedia --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Grolier Interactive\GME99\Uninst.isu"
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0019-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
ABBYY FineReader 5.0 Sprint Plus --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Agere Systems PCI Soft Modem --> agrsmdel
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Compaq Connections --> C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 6750491
Compaq Organize --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0122362-6333-4DE4-93F6-A5A2F3CC101A}\Setup.exe" UNINSTALL
Creative Media Lite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1A99CB37-AEB0-492F-A85A-8A2536D22393}\setup.exe" -l0x9 /remove
Creative ZEN Stone User's Guide --> "C:\Program Files\Creative\Creative ZEN Stone\UGRemove.exe" /Product_Name:ZENStoneUG
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDFab Decrypter 3.0.7.2 --> "C:\Program Files\DVDFab Decrypter 3\unins000.exe"
Enciclopedia Microsoft Encarta 2005 --> MsiExec.exe /I{05450040-64A6-4248-A026-9745C1E9E159}
Encyclopaedia Britannica Ready Reference 2004 CD-ROM --> "C:\Program Files\Britannica 2004\Ready Reference CD\UninstallerData\Uninstall Encyclopaedia Britannica Ready Reference 2004 CD-ROM.exe"
EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\Setup.exe" -l0x9 uninst
EPSON Copy Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B69CC1A5-0404-11D6-ABCB-005004C21D30}\setup.exe" -l0x9 ADDREMOVEDLG
EPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\Setup.exe" -l0x9 -UnInstall
EPSON EIC CX5400 --> C:\Program Files\epson\epic\cx5400_e\uninstall.exe
EPSON Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22901BB7-2C57-409E-AF2F-56FFFEA41116}\setup.exe" -l0x9 MyUninstall
EPSON PhotoStarter3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AE704636-ECD0-426C-952E-05B8DABD1949}\Setup.exe" -l0x9 uninst
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
EPSON Scan --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0131B2-CF18-40D9-A331-60A3746C1204}\SETUP.EXE" -l0x9 UNINSTALL
EPSON Smart Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6C11D561-620B-47DA-A693-4C597F3CDF40}\SETUP.EXE" -l0x9 Uninstall
GraphicView 32 --> C:\PROGRA~1\GRAPHI~1\UNWISE.EXE C:\PROGRA~1\GRAPHI~1\INSTALL.LOG
GTK+ 2.10.6-1 runtime environment --> "C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe"
Help and Support Additions --> C:\PROGRA~1\HELPAN~1\UNWISE.EXE C:\PROGRA~1\HELPAN~1\INSTALL.LOG
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{B8A204BC-7177-470E-BBDD-47256D05B325}
Java 2 Runtime Environment, SE v1.4.2_03 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KBD --> C:\HP\KBD\KBD.EXE uninstalled
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher 2007 --> MsiExec.exe /X{91120000-0019-0000-0000-0000000FF1CE}
Microsoft Office Publisher 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PUBLISHERR /dll OSETUP.DLL
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 7.0 --> MsiExec.exe /I{369B36BE-3D64-4641-9AEA-808D436FE130}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Philips PC Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}\driver.exe" -l0x9 -removeonly
Photo Editor Plus --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Cosmi\Photo Editor Plus\DeIsL1.isu" -c"C:\Program Files\Cosmi\Photo Editor Plus\_ISREG32.DLL"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
QuickTime 3.0 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\QuickTime\DeIsL1.isu" -c"C:\WINDOWS\system32\QTUninst.dll
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\setup.exe" ADDREMOVEDLG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sierra Print Artist 6.0 --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\PA6\Uninst.isu -c"C:\SIERRA\PA6\PASTP.DLL"
Spruce --> "C:\Program Files\Spruce\un_SpruceSetup_17737.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
The GIMP 2.2.13 --> "C:\Program Files\GIMP-2.0\unins000.exe"
The Print Shop Premier Edition 5.0 --> C:\WINDOWS\uninst.exe -f"C:\The Print Shop Products\The Print Shop Premier Edition 5.0\DeIsL1.isu" -c"C:\The Print Shop Products\The Print Shop Premier Edition 5.0\psfinst.dll"
The Print Shop PressWriter 1.5 --> C:\WINDOWS\uninst.exe -f"C:\The Print Shop Products\The Print Shop PressWriter 1.5\DeIsL1.isu" -c"C:\The Print Shop Products\The Print Shop PressWriter 1.5\psfinst.dll"
TopSearch --> "C:\Program Files\TopSearch\uninstall.exe"
Unlocker 1.8.5 --> C:\Program Files\Unlocker\uninst.exe
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
Webster's World Encyclopedia 2004 --> MsiExec.exe /I{0109A174-C632-11D7-9BE4-00D0B7906A01}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Fotos – Carga fácil de fotos 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropperE1.dll"
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Search Protection --> C:\PROGRA~1\Yahoo!\SEARCH~1\UNINST~1.EXE
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type38434 / Error
Event Submitted/Written: 02/05/2008 09:51:23 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Adware.Purityscan in File: C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\RACLE~1\?hkntfs.exe.vir by: Auto-Protect scan. Action: Terminate Process Required. Action Description:

Event Record #/Type38433 / Error
Event Submitted/Written: 02/05/2008 09:51:20 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Adware.Purityscan in File: C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\RACLE~1\?hkntfs.exe.vir by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

Event Record #/Type38432 / Error
Event Submitted/Written: 02/05/2008 09:34:00 PM
Event ID/Source: 5 / Symantec AntiVirus
Event Description:
Threat Found!Threat: Adware.Purityscan in File: C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\RACLE~1\?hkntfs.exe.vir by: Auto-Protect scan. Action: Pending Side Effects Analysis. Action Description:

Event Record #/Type38431 / Error
Event Submitted/Written: 02/05/2008 08:39:58 PM
Event ID/Source: 51 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Vundo in File: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\SYMANT~1\7.5\APTemp\APQ15BA.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was deleted successfully.

Event Record #/Type38430 / Error
Event Submitted/Written: 02/05/2008 08:39:50 PM
Event ID/Source: 46 / Symantec AntiVirus
Event Description:
Security Risk Found!Threat: Trojan.Vundo in File: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\SYMANT~1\7.5\APTemp\APQ15BA.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was deleted successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type46632 / Warning
Event Submitted/Written: 02/06/2008 05:49:06 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type46612 / Error
Event Submitted/Written: 02/05/2008 04:10:16 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
viaagp1

Event Record #/Type46590 / Error
Event Submitted/Written: 02/04/2008 04:38:27 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
viaagp1

Event Record #/Type46585 / Warning
Event Submitted/Written: 02/03/2008 06:21:35 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00E04D62D192. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type46580 / Warning
Event Submitted/Written: 02/03/2008 06:14:29 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00E04D62D192. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-02-06 06:43:39 ------------

#9 braulio0817

braulio0817
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 08 February 2008 - 10:38 AM

Hi Snowhite:
Just to let you know that I already post the logs you ask me for. And it looks that the computer is very infected. At least all that Outerinfo pop ups are no longer bothering. I know that you are helping a lot of people at the same time and I want to thank you again for all the effort you are putting in my case. THANKS... :thumbsup:

#10 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:15 PM

Posted 10 February 2008 - 11:29 AM

Hi Snowhite:
Just to let you know that I already post the logs you ask me for. And it looks that the computer is very infected. At least all that Outerinfo pop ups are no longer bothering. I know that you are helping a lot of people at the same time and I want to thank you again for all the effort you are putting in my case. THANKS... :thumbsup:

Hello braulio0817 and sorry for the delay. Please follow steps below:

Step #1

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

TopSearch

Please note any other programs that you don't recognize in that list in your next response


Step #2
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\12.tmp
    C:\27.tmp
    C:\Program Files\TopSearch
    C:\VundoFix Backups
    C:\QooBox
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #3

Open Norton AntiVirus by double clicking the 'Shield' icon located in the right hand bottom corner of your computer screen.
Double click the 'View' folder. It is located on the left side of the Norton AntiVirus window. This will expand the folder and display the contents. Click on the 'Quarantine' icon. The right side of the Norton AntiVirus window will now list the contents of your quarantine folder.
Select the item you wish to remove and click on RED 'X' icon to delete it. This will open the 'Take Action' window. Click the 'Start Delete' button to remove the infected file from your computer.
Repeat for any other quarantined files you want to remove.
When you are done removing files, click the 'Exit' button in the bottom left hand corner of the Norton AntiVirus window.

Step #4

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Plattform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click "Continue".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.

    Java 2 Runtime Environment, SE v1.4.2_03

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
Step #5


Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
[/list]
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Please post back with OTMoveIt report and new HijackThis log.

Regards,
SNOWHITE
Posted Image

#11 braulio0817

braulio0817
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 10 February 2008 - 12:49 PM

Hi Snowhite and thanks for the reply. I followed your instructions and this is what you ask for:

OTMoveIt report

C:\12.tmp moved successfully.
C:\27.tmp moved successfully.
File/Folder C:\Program Files\TopSearch not found.
C:\VundoFix Backups moved successfully.
C:\QooBox\Quarantine\Registry_backups moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32 moved successfully.
C:\QooBox\Quarantine\C\WINDOWS moved successfully.
C:\QooBox\Quarantine\C\temp\fse moved successfully.
C:\QooBox\Quarantine\C\temp\brr moved successfully.
C:\QooBox\Quarantine\C\temp\1cb moved successfully.
C:\QooBox\Quarantine\C\temp\0c2 moved successfully.
C:\QooBox\Quarantine\C\temp moved successfully.
C:\QooBox\Quarantine\C\Program Files\Spruce moved successfully.
C:\QooBox\Quarantine\C\Program Files\SKS~1 moved successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007 moved successfully.
C:\QooBox\Quarantine\C\Program Files\Common Files moved successfully.
C:\QooBox\Quarantine\C\Program Files moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Start Menu\Programs moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Start Menu moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\WinAntiSpyware 2007\Logs moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\WinAntiSpyware 2007 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\RACLE~1 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\PPPATC~1 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Compaq_Owner moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings moved successfully.
C:\QooBox\Quarantine\C\ComboFix[1] moved successfully.
C:\QooBox\Quarantine\C\ComboFix moved successfully.
C:\QooBox\Quarantine\C moved successfully.
C:\QooBox\Quarantine moved successfully.
C:\QooBox\BackEnv moved successfully.
C:\QooBox moved successfully.

OTMoveIt2 v1.0.17 log created on 02102008_121105


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:11 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165491799421
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11384 bytes

#12 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:15 PM

Posted 11 February 2008 - 06:21 PM

Hello braulio0817,

How is the computer running?

Please run this online scan:

Panda ActiveScan
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log

Regards,
SNOWHITE
Posted Image

#13 braulio0817

braulio0817
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:15 PM

Posted 11 February 2008 - 08:39 PM

Hi Snowhite:
The computer is running really better. Those Outerinfo pop ups already desapear and is running at a very good speed. It has a little pop up here and there but is working really good compared with when you started to help me. Thanks...

Panda scan report


Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@247realmedia[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@azjmp[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluestreak[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@fastclick[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@realmedia[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@statcounter[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@www3.addfreestats[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@xiti[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20080205-181551-139-PowerReg SchedulerV2.exe
Spyware:spyware/web3000 Not disinfected C:\WINDOWS\hh.ico
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Virus:Trj/Agent.GMR Disinfected C:\_OTMoveIt\MovedFiles\02102008_121105\12.tmp
Virus:Trj/Agent.GMR Disinfected C:\_OTMoveIt\MovedFiles\02102008_121105\27.tmp
Adware:Adware/Adband Not disinfected C:\_OTMoveIt\MovedFiles\02102008_121105\QooBox\Quarantine\C\5.tmp.vir

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:03 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [EPSON Stylus CX5400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P28 "EPSON Stylus CX5400 (Copy 1)" /O6 "USB002" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165491799421
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11491 bytes

#14 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:15 PM

Posted 11 February 2008 - 09:57 PM

braulio0817 your logs are looking good :blink:

Double click OTMoveIt once again and you should see a CleanUp! button, press that button, you may get prompt by your firewall that OTMoveIt tries to contact internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes.

NOTE: This will remove some of the tools we used so far, including OTMoveIt.


I will keep your thread open for a couple of days, if the malware problem reappear feel free to post here. Please take time to read my recommendations below, also follow steps from 1 - 7.

Should you have any questions, please feel free to ask. ;)
  • 1.
  • Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm.


    2.
  • Clean your Cache and Cookies in IE:
    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Click the "Delete Cookies" button
    • Next to it, Click the "Delete Files" button
    • When prompted, place a check in: "Delete all offline content", click OK
    3.
  • Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
    • Go to Tools > Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.
    4.
  • Clean other Temporary files + Recycle bin
    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.
  • 5.DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
  • Untick - Show hidden files and folder
  • Tick - Hide file extensions for known types
  • Tick - Hide protected operating system files
Click Yes to confirm & then click OK
  • 6.CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
  • 7.SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level .
  • Change 'Download signed ActiveX controls' to Prompt
  • Change 'Download unsigned ActiveX controls' to Disable
  • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
  • Change 'Installation of desktop items' to Prompt
  • Change 'Launching programs and files in an IFRAME' to Prompt
  • Change 'Navigate sub-frames across different domains' to Prompt
  • When all these changes have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*] Select OK to exit the Internet Properties page.
[/list]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Secunia Software Inspector
Check for other vulnerable programs running on your PC that are in need of an update.
http://secunia.com/software_inspector
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see this link:
Understanding and Using Firewalls



SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here:
http://www.bleepingcomputer.com/forums/tutorial49.html


IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here:
http://www.spywarewarrior.com/uiuc/resource.htm


COMODO BOClean
BOClean runs automatically in the background without interfering with your work and kills malwares INSTANTLY the moment they activate without giving them the chance to invade your machine. A tutorial on installing this product can be found here:
http://www.comodo.com/boclean/boclean.html


WINPATROL
Download and install the free version of Winpatrol. A tutorial for this product is located here:
http://www.winpatrol.com/features.html

A-SQUARED Anti-Dialer
This is a free program that provides defense against Dialers, scans the harddisk and provides a permanent background guard protection against new Dialer infections.

"Dialers are small programs that change the Internet access number of a modem-equipped computer to a much more expensive number"

To understand this threat better read this article The Dialer-Problem in Detail. a-squared Anti-Dialer can be downloaded at the following link:
http://download5.emsisoft.com/a2AntiDialerSetup.exe

A-SQUARED Free
This program is completely free of charge for private use, it removes infections of Trojans, Spyware, Adware, Worms, Keyloggers, Rootkits, Dialers and other malicious programs. It can be downloaded at the following link:
http://www.emsisoft.com/en/software/free

SUPERAntiSpyware Home Edition
Another effective program for helping remove some of the more difficult infections.
http://www.superantispyware.com/downloadfile.html
  • More Secure Browser - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, and Opera
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

See these links for more information:

Foistware & How To Avoid It
Browser Hijacking & How to Stop It
Rogue/Suspect Anti-Spyware Products & Web Sites
So how did I get infected in the first place?

Stand Up and Be Counted ---> Posted Image <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Happy surfing and stay clean! :thumbsup:


Best regards,
SNOWHITE
Posted Image

#15 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:09:15 PM

Posted 24 February 2008 - 03:51 PM

As the problem here seems to be resolved this topic is now closed.
To get it reopened PM a staff member with the address of this thread.
This applies to the topic starter only, everyone else with similar problems start a new topic.

Glad we could help :thumbsup:
SNOWHITE
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users