
Anti-spyware Pop-ups/persistent Trojan?


  • This topic is locked
15 replies to this topic

#1 trwprid

trwprid

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 16 February 2008 - 10:22 AM

Okay, I first started noticing problems about four days ago when I was browsing the K.O.L. Wiki. I was getting all sorts of I.E. pop-ups (I don't surf in I.E.) for spyware removal software. Later I noticed that whenever I went to certain sites I'd get a barrage of windows opening regardless of the fact that my pop-up blocker was turned on (e.g. banking sites or anywhere else where I'd be accessing sensitive information). Other than those times I wouldn't even know something was wrong.

I've run Ad-Aware three times and there are still at least a couple of malicious threats it can't remove. BitDefender couldn't remove everything; I've run Stinger and my usual anti-virus program, but this bug seems pretty tough to exterminate. Here's a HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:43 AM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bloglines Notifier\Notifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [b4e96d2d] rundll32.exe "C:\WINDOWS\system32\fsemyxwy.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BloglinesNotifier] C:\Program Files\Bloglines Notifier\Notifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Rwss] "C:\WINDOWS\WNSXS~1\wowexec.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\RunOnce: [TBInfo] iexplore.exe "http://www.earthlink.net/go/elnktoolbarinstall" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TBInfo] iexplore.exe "http://www.earthlink.net/go/elnktoolbarinstall" (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8035 bytes


Help?! I'm actually afraid of trying to check the status of my tax refund online.
Tiffany
(the snarky momma)
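Not part of the thread or of HijackThis itself: an added Python triage script that applies a few defender-side heuristics to O4 and O15 lines like the ones in the log above (a hex-named Run key loading a DLL through rundll32, '?' placeholders HijackThis prints for non-ANSI bytes in a path, look-alike system binary names running outside system32, and IE Trusted Zone entries). The sample lines are copied from the log; the thresholds, the list of imitated system binaries and the reason strings are my own choices.

```python
"""Defender-side triage of HijackThis v2 log lines (added example).
Heuristics cover only patterns visible in the logs in this thread;
everything the parser does not recognise is skipped, not judged."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b4e96d2d] rundll32.exe "C:\WINDOWS\system32\fsemyxwy.dll",b
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Rwss] "C:\WINDOWS\WNSXS~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Wvobq] "C:\Program Files\??crosoft\?poolsv.exe"
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<zone>\S+)')
RUNDLL_RE = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32\.exe"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S*))?', re.I)
HEX_NAME = re.compile(r'^[0-9a-f]{8,}$')
# Names malware likes to imitate (my own list); the genuine copies live in system32.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "wowexec.exe",
                   "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = r"c:\windows\system32"


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def first_path(cmd: str) -> str:
    """Executable at the start of a Run value: unquote it, or, for unquoted values
    that contain spaces (C:\\Program Files\\...), cut after the first extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.+?\.(?:exe|dll|com|scr))(?=\s|,|$)', cmd)
    return m.group(1) if m else (cmd.split(" ", 1)[0] if cmd else "")


def near_match(name: str, candidates) -> Optional[str]:
    """System binary that `name` equals or differs from by one character
    (a '?' placeholder counts as a difference)."""
    for cand in candidates:
        if len(cand) == len(name) and sum(a != b for a, b in zip(name, cand)) <= 1:
            return cand
    return None


def triage_o4(m, line: str) -> List[Finding]:
    out: List[Finding] = []
    name, cmd = m["name"], m["cmd"].strip()
    image = first_path(cmd)
    rd = RUNDLL_RE.match(cmd)
    if rd:  # the DLL, not rundll32 itself, is the code that runs
        image = rd["dll"]
        entry = rd["entry"] or ""
        why = []
        if HEX_NAME.match(name.lower()):
            why.append(f"hex-named Run key [{name}]")
        if len(entry) == 1:
            why.append(f"single-character export '{entry}'")
        if why:
            out.append(Finding(line, f"rundll32 loads {image}: " + ", ".join(why)))
    if "?" in image:
        out.append(Finding(line, "non-ANSI characters in path (shown as '?')"))
    base = image.rsplit("\\", 1)[-1].lower()
    directory = image[:-len(base)].rstrip("\\").lower() if base else ""
    cand = near_match(base, SYSTEM_BINARIES)
    if cand and directory != SYSTEM_DIR:
        verb = "is a system binary name" if cand == base else f"resembles system binary {cand}"
        out.append(Finding(line, f"{base} {verb} but runs from {directory or '(no path)'}"))
    return out


def triage(lines) -> List[Finding]:
    """Apply the heuristics to HijackThis lines; unrecognised lines are skipped."""
    out: List[Finding] = []
    for line in lines:
        line = line.rstrip()
        if m := O4_RE.match(line):
            out.extend(triage_o4(m, line))
        elif m := O15_RE.match(line):
            out.append(Finding(line, f"IE Trusted Zone entry for {m['zone']} "
                                     "(Trusted Zone relaxes IE security checks for that site)"))
    return out


def triage_text(text: str) -> List[Finding]:
    return triage(text.strip().splitlines())


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample above it flags the [b4e96d2d] rundll32 entry, the wowexec.exe and ?poolsv.exe look-alikes and both Trusted Zone lines, and leaves the NvCpl and SUPERAntiSpyware entries alone.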


#2 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:10:02 PM

Posted 22 February 2008 - 08:18 AM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page to your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:10:02 PM

Posted 22 February 2008 - 02:26 PM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#4 trwprid

trwprid
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 22 February 2008 - 09:25 PM

Thanks, here's the Combofix log:

ComboFix 08-02-22.3 - HP_Administrator 2008-02-22 21:07:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.605 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\ICROSO~1.NET
C:\Documents and Settings\HP_Administrator\Application Data\WinTouch
C:\Documents and Settings\HP_Administrator\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\HP_Administrator\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\HP_Administrator\Application Data\YMANTE~1
C:\Documents and Settings\HP_Administrator\My Documents\SMANTE~1
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Outerinfo
C:\Program Files\crosof~1
C:\Program Files\inetget2
C:\Program Files\outerinfo
C:\Program Files\Router
C:\Program Files\Router\UnInstall.exe
C:\Program Files\sstem~1
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\b111.exe
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\smante~1
C:\WINDOWS\system32\ac1
C:\WINDOWS\system32\byxxxyw.dll
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\clpepsqo.dll
C:\WINDOWS\system32\cnnahrjv.ini
C:\WINDOWS\system32\jjkjrjsp.dll
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jrmnqdiq.ini
C:\WINDOWS\system32\kcajrjsu.dll
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\osiwtssx.dll
C:\WINDOWS\system32\oswkeels.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rkdwiugv.dll
C:\WINDOWS\system32\svvwa.ini
C:\WINDOWS\system32\svvwa.ini2
C:\WINDOWS\system32\toeugyhj.ini
C:\WINDOWS\system32\tsfhbzj.dll
C:\WINDOWS\system32\ufpvnhqd.ini
C:\WINDOWS\system32\urqqnkl.dll
C:\WINDOWS\system32\vturssq.dll
C:\WINDOWS\system32\vuobhlco.ini
C:\WINDOWS\system32\vytorbcm.ini
C:\WINDOWS\system32\wvuusrr.dll
C:\WINDOWS\system32\wxwpvcsl.ini
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\xsstwiso.ini
C:\WINDOWS\system32\ybgmdcmg.dll
C:\WINDOWS\system32\yemnhobd.dll
C:\WINDOWS\system32\yhgopykn.dll
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
C:\WINDOWS\wnsxs~1
C:\WINDOWS\wnsxs~1\W?nSxS\
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-21 21:32 . 2008-02-21 21:32 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-21 18:03 . 2008-02-22 20:56 70,860 --a------ C:\WINDOWS\BMb7da5eb1.xml
2008-02-21 18:03 . 2008-02-22 21:07 21 --a------ C:\WINDOWS\pskt.ini
2008-02-17 17:33 . 2008-02-17 17:33 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-16 10:01 . 2008-02-16 10:01 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-02-15 23:16 . 2008-02-16 01:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 20:05 . 2008-02-15 20:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 20:05 . 2008-02-15 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-15 17:51 . 2008-02-15 17:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-14 20:32 . 2008-02-15 17:35 354 --ahs---- C:\WINDOWS\system32\lyutrwfv.ini
2008-02-13 21:14 . 2008-02-16 10:04 10,240 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-12 23:01 . 2008-02-18 10:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-12 23:01 . 2008-02-12 23:01 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-02-12 23:01 . 2008-02-12 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-12 23:00 . 2008-02-15 20:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 22:37 . 2008-02-13 19:12 3,674 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-12 22:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-12 22:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-12 22:36 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-12 22:36 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-12 22:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-12 22:36 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-12 22:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-12 22:26 . 2008-02-12 22:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 22:16 . 2008-02-12 22:16 2,185,034 --ahs---- C:\WINDOWS\system32\lhtkvqwd.ini
2008-02-12 20:55 . 2008-02-15 23:08 195 --a------ C:\WINDOWS\wininit.ini
2008-02-12 19:33 . 2008-02-12 19:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 19:33 . 2008-02-12 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 20:55 . 2008-02-12 22:10 2,216,701 --ahs---- C:\WINDOWS\system32\ywxymesf.ini
2008-02-11 20:47 . 2008-02-12 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-11 20:43 . 2008-02-13 00:02 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-11 20:43 . 2008-02-11 21:01 <DIR> d-------- C:\WINDOWS\system32\vb6
2008-02-11 20:43 . 2008-02-11 20:43 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-02-11 20:43 . 2008-02-22 21:07 <DIR> d-------- C:\Temp
2008-02-04 20:28 . 2008-02-04 20:29 48 --a------ C:\WINDOWS\FileNamesinQueue.ini
2008-01-28 19:57 . 2008-01-28 19:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-26 22:05 . 2008-02-16 13:26 74 --a------ C:\WINDOWS\TaxACT07.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 01:55 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-18 21:53 42,030 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-02-16 15:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 15:17 --------- d-----w C:\Program Files\Java
2008-02-16 15:12 --------- d-----w C:\Program Files\Viewpoint
2008-02-16 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-12 02:54 --------- d-----w C:\Program Files\Common Files\EarthLink
2008-02-12 02:54 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\EarthLink
2008-02-12 02:16 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-12 01:53 --------- d-----w C:\Program Files\Microsoft Picture It! 10
2008-02-05 01:26 --------- d-----w C:\Program Files\Rhapsody
2008-01-29 01:00 --------- d-----w C:\Program Files\iTunes
2008-01-29 01:00 --------- d-----w C:\Program Files\iPod
2008-01-27 03:04 --------- d-----w C:\Program Files\2nd Story Software
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 00:28 --------- d-----w C:\Program Files\Coupons
2007-12-29 03:21 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-29 02:34 --------- d-----w C:\Program Files\Kiplingers WILLPower
2007-12-24 19:30 101,680 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-04-11 01:21 275,832,704 -c--a-w C:\Documents and Settings\HP_Administrator\AcroPro80_efg.exe
2006-01-30 22:10 33,979,904 -c--a-w C:\Program Files\iPod for Windows 2006-01-10.msi
2006-01-30 22:09 740,864 ----a-w C:\Program Files\1033.MST
2006-01-30 22:09 4,632 ----a-w C:\Program Files\0x0409.ini
2005-08-25 00:27 13,824 ----a-w C:\Documents and Settings\HP_Administrator\atwbxdet.dll
2005-04-02 04:17 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BloglinesNotifier"="C:\Program Files\Bloglines Notifier\Notifier.exe" [2004-04-22 12:31 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"Wvobq"="C:\Program Files\??crosoft\?poolsv.exe" [ ]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-17 17:33 53248]
"Rwss"="C:\WINDOWS\WNSXS~1\wowexec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-09-29 22:23 4603904]
"nwiz"="nwiz.exe" [2004-09-29 22:23 921600 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-21 00:51 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:42 659456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 03:34 2551808 C:\WINDOWS\ALCWZRD.EXE]
"VTTimer"="VTTimer.exe" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 11:19 180269]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 15:41 196608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"horydys"="C:\Program Files\ComPlus Applications\horydys77798.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TBInfo"="iexplore.exe" []

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-05-06 16:58:59 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnkjg]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133836627\\ee\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133836627\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 09:35]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 16:08]
R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 09:35]
R3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [2007-08-03 06:35]
R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 06:35]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 10:14]
S3 AuthFw;AuthFw;"C:\Program Files\Authentium\Firewall SDK\AuthFw.exe" [2007-04-05 13:02]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 09:57]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 09:57]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 15:33]
S3 PentaxUsb;PENTAX Optio 60 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 PentaxVc;PENTAX Optio 60 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 13:33:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-23 02:17:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 21:15:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-22 21:20:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-23 02:20:52
.
2008-02-13 05:09:25 --- E O F ---




...and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:23:07 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Bloglines Notifier\Notifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [horydys] C:\Program Files\ComPlus Applications\horydys77798.exe
O4 - HKCU\..\Run: [BloglinesNotifier] C:\Program Files\Bloglines Notifier\Notifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Wvobq] "C:\Program Files\??crosoft\?poolsv.exe"
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [Rwss] "C:\WINDOWS\WNSXS~1\wowexec.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\RunOnce: [TBInfo] iexplore.exe "http://www.earthlink.net/go/elnktoolbarinstall" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TBInfo] iexplore.exe "http://www.earthlink.net/go/elnktoolbarinstall" (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqnkjg - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8646 bytes
Tiffany
(the snarky momma)
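The log above carries several of the indicator types a HijackThis reader looks for: O4 autoruns with look-alike paths (`??crosoft\?poolsv.exe`, `WNSXS~1`, `horydys77798.exe`), O15 Trusted Zone entries for rogue-antivirus domains, and an O20 Winlogon Notify entry that points at `C:\WINDOWS\` instead of a DLL. As an added example (not code from the thread, HijackThis or BleepingComputer), the Python below parses those line types and flags the patterns; the heuristics and the allow-list are this example's own.

```python
"""Triage a HijackThis 2.x log for the indicator types seen in this thread.

Added example; not code from the thread, HijackThis or BleepingComputer.
It parses O4 (autorun), O15 (IE Trusted Zone) and O20 (Winlogon Notify)
lines and flags: autorun paths with '?' or non-ASCII characters (HijackThis
prints '?' for characters it cannot render, as in '??crosoft'), executables
with a long numeric suffix, 8.3 short-name directories directly under the
Windows directory, Trusted Zone domains outside an allow-list, and Winlogon
Notify entries that name no DLL. The heuristics are this example's own.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name reason line")

# Constructed allow-list: domains the machine owner deliberately trusts.
TRUSTED_ZONE_ALLOWLIST = {"*.windowsupdate.com"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def o4_reasons(cmd):
    """Return the heuristic reasons an autorun command line looks suspicious."""
    reasons = []
    if any(ch == "?" or ord(ch) > 126 for ch in cmd):
        reasons.append("path contains '?' or non-ASCII characters (look-alike name)")
    if re.search(r"\d{4,}\.exe\b", cmd, re.IGNORECASE):
        reasons.append("executable name ends in a long numeric suffix")
    if re.search(r"\\WINDOWS\\[A-Z0-9]{1,6}~\d\\", cmd, re.IGNORECASE):
        reasons.append("8.3 short-name directory directly under the Windows directory")
    return reasons


def triage(log_text):
    """Scan a HijackThis log and return a list of Finding records."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            for reason in o4_reasons(m["cmd"]):
                findings.append(Finding("O4", m["name"], reason, line))
            continue
        m = O15_RE.match(line)
        if m:
            if m["domain"].lower() not in TRUSTED_ZONE_ALLOWLIST:
                findings.append(Finding(
                    "O15", m["domain"],
                    "domain placed in the IE Trusted Zone; sites there run with relaxed security settings",
                    line))
            continue
        m = O20_RE.match(line)
        if m and (m["path"].endswith("\\") or "(no file)" in m["path"]):
            findings.append(Finding(
                "O20", m["name"],
                "Winlogon Notify entry names a directory, not a DLL; Notify DLLs load inside winlogon.exe at logon",
                line))
    return findings


# Constructed sample: a subset of the O4/O15/O20 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [horydys] C:\Program Files\ComPlus Applications\horydys77798.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wvobq] "C:\Program Files\??crosoft\?poolsv.exe"
O4 - HKCU\..\Run: [Rwss] "C:\WINDOWS\WNSXS~1\wowexec.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\RunOnce: [TBInfo] iexplore.exe "http://www.earthlink.net/go/elnktoolbarinstall" (User 'SYSTEM')
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqnkjg - C:\WINDOWS\
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.reason}")
```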

#5 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:10:02 PM

Posted 24 February 2008 - 09:41 AM

Hello,


:thumbsup: I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Add or Remove Programs.
3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
4. Do the same for each Viewpoint component.
5. Also, do the same for: xInsIDE


:wacko: Firstly download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted,and Enhanced Security Configuration Zones.
Note: once you do this, any previous restricted zone hacks (SpywareBlaster, IE-SpyAd, etc.) will need to be reapplied.


:) Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


:) Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\BMb7da5eb1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lyutrwfv.ini
C:\WINDOWS\system32\lhtkvqwd.ini
C:\WINDOWS\system32\ywxymesf.ini
C:\WINDOWS\TaxACT07.ini
Folder::
C:\Program Files\xInsIDE
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\vb6
C:\WINDOWS\system32\kp9
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wvobq"=-
"xInsIDE"=-
"Rwss"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnkjg]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

:blink: Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


:) Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
  • C:\Program Files\ComPlus Applications\horydys77798.exe
  • Please post back the results of the scan in your next post.
  • You can try the same at Virustotal: http://www.virustotal.com/

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
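The CFScript in the post above is a small declarative format: `File::` and `Folder::` sections list paths to delete, and `Registry::` uses .reg-file conventions (`"name"=-` deletes a value under the preceding `[KEY]`, `[-KEY]` deletes the whole key). As an added example (not ComboFix's own code and not part of the thread), the Python below reads such a script and lists the actions it requests, which is the review a machine-specific script deserves before it is dragged onto ComboFix.exe; the sample input is the script from this post.

```python
"""Dry-run reader for the ComboFix CFScript format used in this thread.

Added example; not ComboFix's own code. It reads the File::, Folder:: and
Registry:: sections of a CFScript and lists the actions the script asks for,
so a script written for one machine can be reviewed before it is run.
The Registry:: section uses .reg-file conventions:
    [KEY]            select a key
    [-KEY]           delete the whole key
    "name"=-         delete value 'name' under the selected key
    "name"="data"    set a value (standard .reg syntax, unused in this thread)
"""
import re
from collections import namedtuple

# kind: delete_file | delete_folder | delete_key | delete_value | set_value
Action = namedtuple("Action", "kind target detail")

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_cfscript(text):
    """Turn CFScript text into a list of Action records, in script order."""
    actions = []
    section = None      # lower-cased name of the current ::-section
    current_key = None  # registry key selected by the last [KEY] line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "file":
            actions.append(Action("delete_file", line, None))
        elif section == "folder":
            actions.append(Action("delete_folder", line, None))
        elif section == "registry":
            m = REG_KEY_RE.match(line)
            if m:
                delete_flag, current_key = m.groups()
                if delete_flag:
                    actions.append(Action("delete_key", current_key, None))
                continue
            m = REG_VALUE_RE.match(line)
            if m is None or current_key is None:
                raise ValueError(f"line {lineno}: unexpected registry line {line!r}")
            if m["data"] == "-":
                actions.append(Action("delete_value", current_key, m["name"]))
            else:
                actions.append(Action("set_value", current_key, f'{m["name"]}={m["data"]}'))
        else:
            raise ValueError(f"line {lineno}: content outside a supported section: {line!r}")
    return actions


def review(actions):
    """Review-time sanity checks: flag deletions of top-level paths or shallow keys."""
    warnings = []
    for a in actions:
        if a.kind in ("delete_file", "delete_folder"):
            depth = len([p for p in a.target.split("\\") if p])
            if depth <= 2:  # e.g. C:\WINDOWS or C:\Program Files
                warnings.append(f"{a.kind} of top-level path {a.target!r}")
        elif a.kind == "delete_key" and a.target.count("\\") < 4:
            warnings.append(f"delete_key of shallow key {a.target!r}")
    return warnings


# The script from the post above, embedded as sample input.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\BMb7da5eb1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lyutrwfv.ini
C:\WINDOWS\system32\lhtkvqwd.ini
C:\WINDOWS\system32\ywxymesf.ini
C:\WINDOWS\TaxACT07.ini
Folder::
C:\Program Files\xInsIDE
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\vb6
C:\WINDOWS\system32\kp9
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wvobq"=-
"xInsIDE"=-
"Rwss"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnkjg]
"""

if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for a in plan:
        print(a.kind, a.target, a.detail or "")
    for w in review(plan):
        print("WARNING:", w)
```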

#6 trwprid

trwprid
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:02 PM

Posted 24 February 2008 - 06:39 PM

Okay, here's my ComboFix log from step 4:

ComboFix 08-02-22.3 - HP_Administrator 2008-02-24 18:27:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.582 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMb7da5eb1.xml
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lhtkvqwd.ini
C:\WINDOWS\system32\lyutrwfv.ini
C:\WINDOWS\system32\ywxymesf.ini
C:\WINDOWS\TaxACT07.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb7da5eb1.xml
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\kp9
C:\WINDOWS\system32\kp9\liopud89104.exe
C:\WINDOWS\system32\lhtkvqwd.ini
C:\WINDOWS\system32\lyutrwfv.ini
C:\WINDOWS\system32\vb6
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\ywxymesf.ini
C:\WINDOWS\TaxACT07.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-16 10:01 . 2008-02-16 10:01 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-02-15 23:16 . 2008-02-16 01:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 20:05 . 2008-02-15 20:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 20:05 . 2008-02-15 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-15 17:51 . 2008-02-15 17:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-13 21:14 . 2008-02-16 10:04 10,240 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-12 23:01 . 2008-02-18 10:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-12 23:01 . 2008-02-12 23:01 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-02-12 23:01 . 2008-02-12 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-12 23:00 . 2008-02-15 20:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 22:37 . 2008-02-13 19:12 3,674 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-12 22:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-12 22:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-12 22:36 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-12 22:36 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-12 22:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-12 22:36 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-12 22:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-12 22:26 . 2008-02-12 22:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 20:55 . 2008-02-15 23:08 195 --a------ C:\WINDOWS\wininit.ini
2008-02-12 19:33 . 2008-02-12 19:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 19:33 . 2008-02-12 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 20:47 . 2008-02-12 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-11 20:43 . 2008-02-22 21:07 <DIR> d-------- C:\Temp
2008-02-04 20:28 . 2008-02-04 20:29 48 --a------ C:\WINDOWS\FileNamesinQueue.ini
2008-01-28 19:57 . 2008-01-28 19:58 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 23:25 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-24 21:35 --------- d-----w C:\Program Files\Viewpoint
2008-02-24 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 18:18 --------- d-----w C:\Program Files\Shutterfly
2008-02-23 18:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-18 21:53 42,030 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-02-16 15:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 15:17 --------- d-----w C:\Program Files\Java
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-12 02:54 --------- d-----w C:\Program Files\Common Files\EarthLink
2008-02-12 02:54 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\EarthLink
2008-02-12 02:16 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-12 01:53 --------- d-----w C:\Program Files\Microsoft Picture It! 10
2008-02-05 01:26 --------- d-----w C:\Program Files\Rhapsody
2008-01-29 01:00 --------- d-----w C:\Program Files\iTunes
2008-01-29 01:00 --------- d-----w C:\Program Files\iPod
2008-01-27 03:04 --------- d-----w C:\Program Files\2nd Story Software
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 00:28 --------- d-----w C:\Program Files\Coupons
2007-12-29 03:21 --------- d-----w C:\Program Files\Common Files\AOL
2007-12-29 02:34 --------- d-----w C:\Program Files\Kiplingers WILLPower
2007-12-24 19:30 101,680 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-04-11 01:21 275,832,704 -c--a-w C:\Documents and Settings\HP_Administrator\AcroPro80_efg.exe
2006-01-30 22:10 33,979,904 -c--a-w C:\Program Files\iPod for Windows 2006-01-10.msi
2006-01-30 22:09 740,864 ----a-w C:\Program Files\1033.MST
2006-01-30 22:09 4,632 ----a-w C:\Program Files\0x0409.ini
2005-08-25 00:27 13,824 ----a-w C:\Documents and Settings\HP_Administrator\atwbxdet.dll
2005-04-02 04:17 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BloglinesNotifier"="C:\Program Files\Bloglines Notifier\Notifier.exe" [2004-04-22 12:31 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-09-29 22:23 4603904]
"nwiz"="nwiz.exe" [2004-09-29 22:23 921600 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-21 00:51 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:42 659456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 03:34 2551808 C:\WINDOWS\ALCWZRD.EXE]
"VTTimer"="VTTimer.exe" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 11:19 180269]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 15:41 196608]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"horydys"="C:\Program Files\ComPlus Applications\horydys77798.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TBInfo"="iexplore.exe" []

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-05-06 16:58:59 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133836627\\ee\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133836627\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 09:35]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 16:08]
R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 09:35]
R3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [2007-08-03 06:35]
R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 06:35]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 10:14]
S3 AuthFw;AuthFw;"C:\Program Files\Authentium\Firewall SDK\AuthFw.exe" [2007-04-05 13:02]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 09:57]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 09:57]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 15:33]
S3 PentaxUsb;PENTAX Optio 60 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 PentaxVc;PENTAX Optio 60 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 13:33:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 23:27:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 18:31:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 18:32:00
ComboFix-quarantined-files.txt 2008-02-24 23:31:38
ComboFix2.txt 2008-02-23 02:20:56
.
2008-02-13 05:09:25 --- E O F ---





Now I'm at step 6. I've edited my system settings to be able to see hidden files, but when I browse to C:\Program Files\ComPlus Application\ there are no items there.
Tiffany
(the snarky momma)

#7 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:10:02 PM

Posted 27 February 2008 - 05:15 AM

Hello,


1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

2. Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


3. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


4. Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.
5. In your next reply, please post:
- A new HijackThis log.
- The results from ComboFix.
- The results from Kaspersky online scanner.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#8 trwprid

trwprid
  • Topic Starter

  • Members
  • 9 posts
  • Local time:07:02 PM

Posted 01 March 2008 - 05:55 PM

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:18 PM, on 3/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bloglines Notifier\Notifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [horydys] C:\Program Files\ComPlus Applications\horydys77798.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BloglinesNotifier] C:\Program Files\Bloglines Notifier\Notifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TBInfo] iexplore.exe "http://www.earthlink.net/go/elnktoolbarinstall" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TBInfo] iexplore.exe "http://www.earthlink.net/go/elnktoolbarinstall" (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8115 bytes

ComboFix:

ComboFix 08-02-22.3 - HP_Administrator 2008-03-01 13:51:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.633 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint

.
((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-25 19:35 . 2008-03-01 13:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-25 19:35 . 2008-02-25 19:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 19:32 . 2008-02-25 19:33 <DIR> d-------- C:\Program Files\QuickTime
2008-02-16 10:01 . 2008-02-26 22:53 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-02-15 23:16 . 2008-02-16 01:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 20:05 . 2008-02-15 20:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 20:05 . 2008-02-15 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-15 17:51 . 2008-02-15 17:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-13 21:14 . 2008-02-26 19:08 10,240 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-12 23:01 . 2008-02-18 10:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-12 23:01 . 2008-02-12 23:01 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-02-12 23:01 . 2008-02-12 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-12 23:00 . 2008-02-15 20:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 22:37 . 2008-02-13 19:12 3,674 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-12 22:36 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-12 22:36 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-12 22:36 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-12 22:36 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-12 22:36 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-12 22:36 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-12 22:36 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-12 22:26 . 2008-02-12 22:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 20:55 . 2008-02-15 23:08 195 --a------ C:\WINDOWS\wininit.ini
2008-02-12 19:33 . 2008-02-12 19:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 19:33 . 2008-02-12 22:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 20:47 . 2008-02-12 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-11 20:43 . 2008-02-22 21:07 <DIR> d-------- C:\Temp
2008-02-04 20:28 . 2008-02-04 20:29 48 --a------ C:\WINDOWS\FileNamesinQueue.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-01 18:16 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-26 00:34 --------- d-----w C:\Program Files\iTunes
2008-02-26 00:34 --------- d-----w C:\Program Files\iPod
2008-02-23 18:18 --------- d-----w C:\Program Files\Shutterfly
2008-02-23 18:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-18 21:53 42,030 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-02-16 15:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 15:17 --------- d-----w C:\Program Files\Java
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-12 02:54 --------- d-----w C:\Program Files\Common Files\EarthLink
2008-02-12 02:54 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\EarthLink
2008-02-12 02:16 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-12 01:53 --------- d-----w C:\Program Files\Microsoft Picture It! 10
2008-02-05 01:26 --------- d-----w C:\Program Files\Rhapsody
2008-01-27 03:04 --------- d-----w C:\Program Files\2nd Story Software
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-01 00:28 --------- d-----w C:\Program Files\Coupons
2007-12-24 19:30 101,680 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-04-11 01:21 275,832,704 -c--a-w C:\Documents and Settings\HP_Administrator\AcroPro80_efg.exe
2006-01-30 22:10 33,979,904 -c--a-w C:\Program Files\iPod for Windows 2006-01-10.msi
2006-01-30 22:09 740,864 ----a-w C:\Program Files\1033.MST
2006-01-30 22:09 4,632 ----a-w C:\Program Files\0x0409.ini
2005-08-25 00:27 13,824 ----a-w C:\Documents and Settings\HP_Administrator\atwbxdet.dll
2005-04-02 04:17 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BloglinesNotifier"="C:\Program Files\Bloglines Notifier\Notifier.exe" [2004-04-22 12:31 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-09-29 22:23 4603904]
"nwiz"="nwiz.exe" [2004-09-29 22:23 921600 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 11:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 00:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-21 00:51 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 20:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 20:42 659456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 22:43 233472]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 03:34 2551808 C:\WINDOWS\ALCWZRD.EXE]
"VTTimer"="VTTimer.exe" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 18:57 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 23:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 11:19 180269]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 15:41 196608]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"horydys"="C:\Program Files\ComPlus Applications\horydys77798.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TBInfo"="iexplore.exe" []

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-05-06 16:58:59 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133836627\\ee\\aim6.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1133836627\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 09:35]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 16:08]
R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 09:35]
R3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [2007-08-03 06:35]
R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 06:35]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 10:14]
S3 AuthFw;AuthFw;"C:\Program Files\Authentium\Firewall SDK\AuthFw.exe" [2007-04-05 13:02]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 09:57]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 09:57]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 15:33]
S3 PentaxUsb;PENTAX Optio 60 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 PentaxVc;PENTAX Optio 60 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 13:33:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 18:52:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 13:53:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-01 13:54:38
ComboFix-quarantined-files.txt 2008-03-01 18:54:24
ComboFix2.txt 2008-02-24 23:32:01
ComboFix3.txt 2008-02-23 02:20:56
.
2008-02-13 05:09:25 --- E O F ---

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 01, 2008 5:52:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/03/2008
Kaspersky Anti-Virus database records: 592387
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 98883
Number of viruses found: 26
Number of infected objects: 117
Number of suspicious objects: 36
Duration of the scan process: 02:16:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\mail.blownfuse.mu.nu\Inbox/[From "Mac" <mac@peskyapostrophe.com>][Date Mon, 06 Jun 2005 20:01:27 -0500]/text/[From "SouthTrust Security Service" <service@southtrust.com>][Date Fri, 17 Jun 2005 20:26:53 +0200]/html Infected: Trojan-Spy.HTML.Paylap.m skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\mail.blownfuse.mu.nu\Inbox/[From "Mac" <mac@peskyapostrophe.com>][Date Mon, 06 Jun 2005 20:01:27 -0500]/text Infected: Trojan-Spy.HTML.Paylap.m skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\mail.blownfuse.mu.nu\Inbox/[From "Johnny Huh" <jh@intellectualpoison.com>][Date Tue, 26 Jul 2005 15:00:19 +0000 (UTC)]/text/[From "info@paypal.com" <info@paypal.com>][Date Sun, 06 Nov 2005 03:34:30 -0400]/html Infected: Trojan-Spy.HTML.Paylap.ad skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\mail.blownfuse.mu.nu\Inbox/[From "Johnny Huh" <jh@intellectualpoison.com>][Date Tue, 26 Jul 2005 15:00:19 +0000 (UTC)]/text Infected: Trojan-Spy.HTML.Paylap.ad skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\mail.blownfuse.mu.nu\Inbox Mail Berkeley mbox: infected - 4 skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:21:15 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:27:15 -0700]/text/[From Mail Delivery System <Mailer-Daemon@fallback-asp ... /[From emnem87 <emnem87@aol.com>][Date Fri, 11 Feb 2005 19:20:41 -080 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:21:15 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:27:15 -0700]/text/[From Mail Delivery System <Mailer-Daemon@fallback-asp ... /[From emnem87 <emnem87@aol.com>][Date Fri, 11 Feb 2005 19:20:41 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:21:15 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:27:15 -0700]/text/[From Mail Delivery System <Mailer-Daemon@fallback-a ... /[From Jayne876 <Jayne876@aol.com>][Date Fri, 11 Feb 2005 21:27:51 -080 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:21:15 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:27:15 -0700]/text/[From Mail Delivery System <Mailer-Daemon@fallback-a ... /[From Jayne876 <Jayne876@aol.com>][Date Fri, 11 Feb 2005 21:27:51 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:21:15 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:27:15 -0700]/text/[From Mail Delivery System <Mailer-Daemon@fallback-aspen.pas.sa.earthlink.net>][Date Fri, 11 Feb 2005 19:28:18 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:21:15 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:27:15 -0700]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 17:21:15 -0700]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED/[From "HP/Compaq Rebates" <hp@web-rebates.com>][Date Fri, 11 Feb 2005 16:52:07 -0700]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From SaraWilliams@GreenfieldOnline.com][Date 11 Feb 2005 16:59:27 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From AlWalkerJr <AlWalkerJr@aol.com>][Date Mon, 14 Feb 2005 20:15:17 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From AlWalkerJr <AlWalkerJr@aol.com>][Date Mon, 14 Feb 2005 20:15:17 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From jwbest1 <jwbest1@juno.com>][Date Mon, 14 Feb 2005 21:33:45 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From jwbest1 <jwbest1@juno.com>][Date Mon, 14 Feb 2005 21:33:45 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From vcook48 <vcook48@aol.com>][Date Tue, 15 Feb 2005 07:06:32 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From vcook48 <vcook48@aol.com>][Date Tue, 15 Feb 2005 07:06:32 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From gt98lsh <gt98lsh@aol.com>][Date Tue, 15 Feb 2005 07:25:21 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From gt98lsh <gt98lsh@aol.com>][Date Tue, 15 Feb 2005 07:25:21 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From BCooperMiller <BCooperMiller@aol.com>][Date Tue, 15 Feb 2005 09:30:24 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From BCooperMiller <BCooperMiller@aol.com>][Date Tue, 15 Feb 2005 09:30:24 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From trwprid <trwprid@earthlink.net>][Date Tue, 15 Feb 2005 09:22:46 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From trwprid <trwprid@earthlink.net>][Date Tue, 15 Feb 2005 09:22:46 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From conwayb <conwayb@att.com>][Date Tue, 15 Feb 2005 11:01:23 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From conwayb <conwayb@att.com>][Date Tue, 15 Feb 2005 11:01:23 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From trwprid <trwprid@earthlink.net>][Date Sun, 22 May 2005 19:48:10 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From trwprid <trwprid@earthlink.net>][Date Sun, 22 May 2005 19:48:10 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From MRYRED1 <MRYRED1@aol.com>][Date Sun, 22 May 2005 20:00:55 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From MRYRED1 <MRYRED1@aol.com>][Date Sun, 22 May 2005 20:00:55 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From mcdonnellp <mcdonnellp@BRAGG.ARMY.MIL>][Date Sun, 22 May 2005 20:03:45 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From mcdonnellp <mcdonnellp@BRAGG.ARMY.MIL>][Date Sun, 22 May 2005 20:03:45 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From Onedeadbug <Onedeadbug@aol.com>][Date Sun, 22 May 2005 20:03:49 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From Onedeadbug <Onedeadbug@aol.com>][Date Sun, 22 May 2005 20:03:49 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From Atte3ker <Atte3ker@cme.o>][Date Sat, 17 Dec 2005 19:02:53 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From Atte3ker <Atte3ker@cme.o>][Date Sat, 17 Dec 2005 19:02:53 -0500]/UNNAMED/target.scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From Atte3ker <Atte3ker@cme.o>][Date Sat, 17 Dec 2005 19:02:53 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From LNYBABYGIRL1 <LNYBABYGIRL1@aol.com>][Date Sat, 17 Dec 2005 20:26:33 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From LNYBABYGIRL1 <LNYBABYGIRL1@aol.com>][Date Sat, 17 Dec 2005 20:26:33 -0500]/UNNAMED/action.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From LNYBABYGIRL1 <LNYBABYGIRL1@aol.com>][Date Sat, 17 Dec 2005 20:26:33 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From ekgarner <ekgarner@yahoo.com>][Date Sat, 17 Dec 2005 20:44:35 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From ekgarner <ekgarner@yahoo.com>][Date Sat, 17 Dec 2005 20:44:35 -0500]/UNNAMED/bo.scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From ekgarner <ekgarner@yahoo.com>][Date Sat, 17 Dec 2005 20:44:35 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From DiRobin <DiRobin@aol.com>][Date Sat, 17 Dec 2005 21:11:24 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From DiRobin <DiRobin@aol.com>][Date Sat, 17 Dec 2005 21:11:24 -0500]/UNNAMED/href.scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From DiRobin <DiRobin@aol.com>][Date Sat, 17 Dec 2005 21:11:24 -0500]/UNNAMED/[From pjones85 <pjones85@hotmail.com>][Date Sat, 17 Dec 2005 23:10:52 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From DiRobin <DiRobin@aol.com>][Date Sat, 17 Dec 2005 21:11:24 -0500]/UNNAMED/[From pjones85 <pjones85@hotmail.com>][Date Sat, 17 Dec 2005 23:10:52 -0500]/UNNAMED/target.pif Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From DiRobin <DiRobin@aol.com>][Date Sat, 17 Dec 2005 21:11:24 -0500]/UNNAMED/[From pjones85 <pjones85@hotmail.com>][Date Sat, 17 Dec 2005 23:10:52 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/[From DiRobin <DiRobin@aol.com>][Date Sat, 17 Dec 2005 21:11:24 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox Mail Berkeley mbox: infected - 10, suspicious - 36 skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\ADS\ARCache.dat Object is locked skipped
C:\Program Files\EarthLink\EarthLink Protection Control Center\logs\Aluria.Framework.Protection.AntiSpyware.SDK2.log Object is locked skipped
C:\Program Files\EarthLink\EarthLink Protection Control Center\logs\Aluria.Framework.Protection.AntiVirus.Authentium.log Object is locked skipped
C:\Program Files\EarthLink\EarthLink Protection Control Center\logs\ELNK.Framework.Protection.AntiVirusRealtime.Authentium.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\InsiDERIns.exe.vir Infected: Trojan.Win32.Agent.fow skipped
C:\QooBox\Quarantine\C\WINDOWS\b111.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\QooBox\Quarantine\C\WINDOWS\b151.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byxxxyw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\clpepsqo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jjkjrjsp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kcajrjsu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kp9\liopud89104.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kp9\liopud89104.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\osiwtssx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\oswkeels.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rkdwiugv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tsfhbzj.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqqnkl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vturssq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ybgmdcmg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yemnhobd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yhgopykn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-22_211450.20.zip/jkhfc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-22_211450.20.zip/wvuusrr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-22_211450.20.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP857\A0078652.exe Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP857\A0078663.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP857\A0078665.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP858\A0079731.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP858\A0079731.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP858\A0079732.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP858\A0079732.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP859\A0079782.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP859\A0079783.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP860\A0079859.exe Infected: Trojan-Downloader.Win32.Agent.hcm skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP861\A0079983.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP861\A0079984.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP861\A0079984.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP864\A0080203.exe Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080435.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080436.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080437.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080438.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080439.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080441.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080442.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080443.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080444.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0080445.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0082441.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0082442.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0082443.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083442.exe Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083463.exe Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083482.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083483.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083484.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083486.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083491.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083492.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083492.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083493.exe Infected: Trojan-Downloader.Win32.Agent.jal skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP866\A0083517.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP867\A0083554.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083570.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083571.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083577.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083579.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083580.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083581.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083583.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083588.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083589.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083589.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083590.exe Infected: Trojan-Downloader.Win32.Agent.jhv skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP868\A0083612.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083631.exe Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083632.exe Infected: Trojan.Win32.Agent.fow skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083635.exe Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083636.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083637.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083638.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083639.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083640.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083641.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083642.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083643.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083644.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083645.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083646.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083647.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083648.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083649.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083650.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083651.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083668.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083669.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0084888.exe Infected: not-a-virus:AdWare.Win32.Agent.afi skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP871\A0085897.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP871\A0085897.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP877\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP877\change.log Object is locked skipped

Scan process completed.
Tiffany
(the snarky momma)
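Added example, not part of Tiffany's post or of the scanner's output: a short Python script that triages a Kaspersky Online Scanner report like the one above. It separates detections sitting in ComboFix's quarantine (C:\QooBox) and in System Restore points from detections on the live file system, treats the archive and mbox summary lines as containers (their members are already listed separately), and ignores the "Object is locked" lines, which are in-use system files rather than detections. The sample lines are a constructed subset of the report above (one mail path shortened); the location buckets and the `not-a-virus:` prefix check (Kaspersky's naming for riskware and adware) are this example's own conventions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Kaspersky Online Scanner lines posted
# above, kept in the original format (one Thunderbird path shortened).
SAMPLE_LOG = r"""
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\QooBox\Quarantine\C\WINDOWS\b111.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\byxxxyw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-22_211450.20.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{55BCF168-B898-45C8-B42E-812AFE89FD32}\RP869\A0083631.exe Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox/UNNAMED/target.pif Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox Mail Berkeley mbox: infected - 10, suspicious - 36 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# One report line: <path> <verdict> skipped.  Paths contain spaces, so the
# path is matched non-greedily and the verdict alternatives are anchored.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked"
    r"|(?:NSIS|ZIP|Mail Berkeley mbox): infected - \d+(?:, suspicious - \d+)?)"
    r" skipped$"
)


def classify_location(path):
    """Bucket a path by whether a detection there is inert or live (example's own rule)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # inert unless that restore point is applied
    if "\\thunderbird\\profiles\\" in p and "\\mail\\" in p:
        return "mail_store"      # attachment inside an mbox, not an executed file
    return "live"


def is_pua(signature):
    """Kaspersky prefixes riskware/adware names with 'not-a-virus:'."""
    return signature.startswith("not-a-virus:")


def triage(log_text):
    """Parse a report into detections per location, container summaries, and noise."""
    report = {"detections": defaultdict(list), "containers": [], "locked": 0, "unparsed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            report["unparsed"].append(line)
            continue
        path, verdict = m.group("path"), m.group("verdict")
        if verdict == "Object is locked":
            report["locked"] += 1            # in-use system file, not a detection
        elif verdict.startswith(("Infected: ", "Suspicious: ")):
            status, sig = verdict.split(": ", 1)
            report["detections"][classify_location(path)].append((path, status, sig))
        else:
            report["containers"].append((path, verdict))  # archive/mbox summary line
    report["detections"] = dict(report["detections"])
    return report


def summary(report):
    """Counts per location plus the live findings, with PUA flagged separately."""
    counts = {loc: len(items) for loc, items in report["detections"].items()}
    live = [(path, sig, is_pua(sig)) for path, _, sig in report["detections"].get("live", [])]
    return counts, live


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    counts, live = summary(rep)
    print("locked (ignored):", rep["locked"], "| container summaries:", len(rep["containers"]))
    for loc, n in sorted(counts.items()):
        print(f"{loc:14s} {n}")
    for path, sig, pua in live:
        print("LIVE", "(PUA)" if pua else "", sig, "->", path)
```

On the sample above the only live finding is SmitfraudFix's own Reboot.exe, flagged as PUA, which matches the helper's reading: the Virtumonde and downloader hits are all inert copies in quarantine or restore points.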

#9 lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:10:02 PM

Posted 05 March 2008 - 12:29 PM

Hello,

During these steps, please disable your Thunderbird!

( 1 ) Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove:

Rabio - "Rabio Search Enhancer", reported to have been installed as part of an adware bundle, without consent and without showing the EULA. Read more here <-


( 2 ) Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
( 3 ) Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

( 4 ) Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"horydys"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TBInfo"=-
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post them along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


( 5 ) Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


( 6 ) Very Important: Please make sure you have shut down Thunderbird if it is running, and keep it disabled and off during this step!

Now, please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
( 7 ) Please make a reply here in your thread. I need to see the following reports:
  • ComboFix Log (step 4)
  • Panda report Log (step 6)
  • New HijackThis log
Regards
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
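Added example, not lusitano's script and not ComboFix's own code: a dry-run reader for a CFScript like the one in step 4. It parses the Folder:: section and the Registry:: section (read here as .reg file syntax, where `"name"=-` removes that value from the key above it) and lists exactly what the script asks ComboFix to remove, so the text can be checked against the helper's instructions before it is dragged onto ComboFix.exe. The CFScript text is a constructed copy of the one posted above; the list of known hives and the depth-based "risky folder" rule are this example's own checks, and it changes nothing on the machine.

```python
import re

# Constructed copy of the CFScript text from step 4 above.  This example only
# reads it; nothing here deletes files or touches the registry.
CFSCRIPT = r"""Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"horydys"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TBInfo"=-
"""

KNOWN_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS", "HKEY_CLASSES_ROOT"}
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")               # e.g. Folder:: / Registry::
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)(\\[^\]]*)?\]$")   # [HIVE\sub\key]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')                # "name"=data
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")               # absolute drive path


def parse_cfscript(text):
    """Turn a CFScript into a plan: folders to delete, registry actions, and errors."""
    plan = {"folders": [], "registry": [], "errors": []}
    section, current_key = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section, current_key = sec.group(1), None
            if section not in ("Folder", "Registry"):
                plan["errors"].append(f"line {lineno}: unsupported section {section}::")
            continue
        if section == "Folder":
            if WIN_PATH_RE.match(line):
                plan["folders"].append(line)
            else:
                plan["errors"].append(f"line {lineno}: not an absolute path: {line}")
        elif section == "Registry":
            key = KEY_RE.match(line)
            if key:
                hive, subkey = key.group(1), key.group(2) or ""
                if hive not in KNOWN_HIVES:
                    plan["errors"].append(f"line {lineno}: unknown hive {hive}")
                current_key = hive + subkey
                continue
            val = VALUE_RE.match(line)
            if val and current_key:
                name, data = val.groups()
                # In .reg syntax, "name"=- deletes the value; anything else sets it.
                action = "delete value" if data == "-" else f"set value to {data}"
                plan["registry"].append((current_key, name, action))
                continue
            plan["errors"].append(f"line {lineno}: cannot interpret: {line}")
        else:
            plan["errors"].append(f"line {lineno}: not inside a Folder:: or Registry:: section: {line}")
    return plan


def risky_folders(plan):
    """Flag Folder:: targets at a drive root or one level below it (e.g. C:\\WINDOWS)."""
    flagged = []
    for folder in plan["folders"]:
        parts = [p for p in folder.rstrip("\\").split("\\") if p]
        if len(parts) <= 2:
            flagged.append(folder)
    return flagged


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    for folder in plan["folders"]:
        print("delete folder:", folder)
    for key, name, action in plan["registry"]:
        print(f"{action}: {key} -> {name}")
    for err in plan["errors"]:
        print("ERROR:", err)
    for folder in risky_folders(plan):
        print("RISKY folder target:", folder)
```

For the posted script the plan is one folder (the Rabio data directory) and two autostart values removed, which is what the helper's steps 1 and 4 describe; any parse error or risky-folder flag is a reason to stop and ask before running ComboFix.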

#10 trwprid

  • Topic Starter
  • Members
  • 9 posts
  • Local time:07:02 PM

Posted 30 March 2008 - 12:07 PM

ActiveScan:


Incident Status Location

Adware:adware/coolsavings Not disinfected Windows Registry
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.realmedia.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.target.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.overture.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.azjmp.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.perf.overture.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\cookies.txt[.revenue.net/]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000018.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000018.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000019.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000019.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000020.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000020.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000022.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000022.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000023.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000023.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000024.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000024.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000025.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000025.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000067.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000067.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000068.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000068.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000082.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000082.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000087.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000087.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000098.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000098.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000099.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000099.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000106.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0000106.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002866.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002866.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002867.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002867.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002868.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002868.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002869.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0002869.~][~0000001.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007807.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007807.~][~0000001.~]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007807.~][target.scr]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007812.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007812.~][~0000001.~]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007812.~][ACTION.exe]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007817.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007817.~][~0000001.~]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007817.~][Bo.scr]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007818.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007818.~][~0000001.~]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007818.~][HREF.scr]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007823.~]
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007823.~][~0000001.~]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007823.~][target.pif]
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix\restart.exe
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\Cache\C2152591d01[327882R2FWJFW\pv.cfexe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/Matcash Not disinfected C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir
Virus:Trj/Agent.IBD Disinfected C:\QooBox\Quarantine\C\Program Files\Temporary\InsiDERIns.exe.vir
Virus:Trj/Agent.GXF Disinfected C:\QooBox\Quarantine\C\WINDOWS\b111.exe.vir
Virus:Trj/Downloader.SLD Disinfected C:\QooBox\Quarantine\C\WINDOWS\b116.exe.vir
Virus:Trj/Downloader.PLQ Disinfected C:\QooBox\Quarantine\C\WINDOWS\b138.exe.vir
Adware:Adware/Matcash Not disinfected C:\QooBox\Quarantine\C\WINDOWS\b151.exe.vir
Virus:Trj/Downloader.SSM Disinfected C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.tmp.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\byxxxyw.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\clpepsqo.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\jjkjrjsp.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\kcajrjsu.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\osiwtssx.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\oswkeels.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\rkdwiugv.dll.vir
Adware:Adware/BraveSentry Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\tsfhbzj.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\urqqnkl.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\vturssq.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\ybgmdcmg.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\yemnhobd.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\yhgopykn.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2008-02-22_211450.20.zip[jkhfc.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2008-02-22_211450.20.zip[wvuusrr.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


ComboFix:

ComboFix 08-03-29.1 - HP_Administrator 2008-03-30 10:49:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.701 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\kmd.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 16:16 . 2007-09-25 00:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-01 15:24 . 2008-03-01 15:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-01 15:24 . 2008-03-01 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-25 20:35 . 2008-03-30 10:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-25 20:35 . 2008-02-25 20:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 20:32 . 2008-02-25 20:33 <DIR> d-------- C:\Program Files\QuickTime
2008-02-16 11:01 . 2008-02-26 23:53 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-02-16 00:16 . 2008-02-16 02:01 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 21:05 . 2008-02-15 21:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-15 21:05 . 2008-02-15 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-15 18:51 . 2008-02-15 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-13 22:14 . 2008-03-21 20:32 10,240 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-13 00:01 . 2008-02-18 11:41 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-13 00:01 . 2008-02-13 00:01 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2008-02-13 00:01 . 2008-02-13 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-13 00:00 . 2008-02-15 21:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 23:37 . 2008-02-13 20:12 3,674 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-12 23:36 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-12 23:36 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-12 23:36 . 2008-02-09 00:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-12 23:36 . 2008-02-08 11:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-12 23:36 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-12 23:36 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-12 23:36 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-12 23:26 . 2008-02-12 23:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-12 21:55 . 2008-02-16 00:08 195 --a------ C:\WINDOWS\wininit.ini
2008-02-12 20:33 . 2008-02-12 20:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-12 20:33 . 2008-02-12 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 21:43 . 2008-02-22 22:07 <DIR> d-------- C:\Temp
2008-02-04 21:28 . 2008-02-04 21:29 48 --a------ C:\WINDOWS\FileNamesinQueue.ini
2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 14:34 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-29 20:16 --------- d-----w C:\Program Files\Java
2008-03-27 02:59 42,030 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-02-26 00:34 --------- d-----w C:\Program Files\iTunes
2008-02-26 00:34 --------- d-----w C:\Program Files\iPod
2008-02-23 18:18 --------- d-----w C:\Program Files\Shutterfly
2008-02-23 18:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-16 15:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Yahoo!
2008-02-16 15:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-12 02:54 --------- d-----w C:\Program Files\Common Files\EarthLink
2008-02-12 02:54 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\EarthLink
2008-02-12 02:16 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-02-12 01:53 --------- d-----w C:\Program Files\Microsoft Picture It! 10
2008-02-05 01:26 --------- d-----w C:\Program Files\Rhapsody
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-24 19:30 101,680 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-04-11 01:21 275,832,704 -c--a-w C:\Documents and Settings\HP_Administrator\AcroPro80_efg.exe
2006-01-30 22:10 33,979,904 -c--a-w C:\Program Files\iPod for Windows 2006-01-10.msi
2006-01-30 22:09 740,864 ----a-w C:\Program Files\1033.MST
2006-01-30 22:09 4,632 ----a-w C:\Program Files\0x0409.ini
2005-08-25 00:27 13,824 ----a-w C:\Documents and Settings\HP_Administrator\atwbxdet.dll
2005-04-02 04:17 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BloglinesNotifier"="C:\Program Files\Bloglines Notifier\Notifier.exe" [2004-04-22 13:31 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-09-29 23:23 4603904]
"nwiz"="nwiz.exe" [2004-09-29 23:23 921600 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-21 01:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-21 01:51 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 21:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 21:42 659456]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-29 04:34 2551808 C:\WINDOWS\ALCWZRD.EXE]
"VTTimer"="VTTimer.exe" []
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 19:57 81920]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 00:54 253952]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 12:19 180269]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 16:41 196608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-05-06 17:58:59 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2007-04-11 10:35]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [2004-03-29 17:08]
R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2007-04-11 10:35]
R3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys [2007-08-03 07:35]
R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2007-08-03 07:35]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2004-07-16 11:14]
S3 AuthFw;AuthFw;"C:\Program Files\Authentium\Firewall SDK\AuthFw.exe" [2007-04-05 14:02]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 10:57]
S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 10:57]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 16:33]
S3 PentaxUsb;PENTAX Optio 60 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys []
S3 PentaxVc;PENTAX Optio 60 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 13:33:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-30 14:52:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 10:52:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 10:52:59
ComboFix-quarantined-files.txt 2008-03-30 14:52:45
ComboFix2.txt 2008-03-01 18:54:39
ComboFix3.txt 2008-02-24 23:32:01
ComboFix4.txt 2008-02-23 02:20:56
Pre-Run: 91,036,147,712 bytes free
Post-Run: 91,022,868,480 bytes free
.
2008-03-13 03:32:05 --- E O F ---


Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:34 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\ADS\ADSService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BloglinesNotifier] C:\Program Files\Bloglines Notifier\Notifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: schmap-help - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ADSService - EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AuthFw - Authentium - C:\Program Files\Authentium\Firewall SDK\AuthFw.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8002 bytes
Tiffany
(the snarky momma)
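As an added example, not part of this thread and not code from Panda ActiveScan, ComboFix or HijackThis: a small Python triage script for a scan report in the one-line-per-hit format posted above. It sorts each hit by where the file lives, so that detections inside a quarantine folder, an old mailbox or a clean-up tool's own helper binaries are not mistaken for an active infection. The sample input is nine lines copied from the report plus one constructed line (a Virtumonde DLL in system32, marked as constructed); the location rules and the label names are this example's assumptions about how such reports are usually read, not anything the tools themselves do.

```python
"""Triage of an antivirus scan report in the one-line-per-hit format used above.

Added example (not from the thread or from Panda ActiveScan, ComboFix or
HijackThis): sort hits by location so that quarantined, archived or tool-owned
files are separated from hits on live paths.
"""
import re
from collections import Counter

# Report lines look like "<Category>:<Name> <Status> <Path>"; the path may end
# in one or more "[member]" suffixes when the hit is inside an archive, an
# mbox message or an installer package.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Disinfected|Not disinfected)\s+"
    r"(?P<path>.+?)\s*$"
)
ARCHIVE_MEMBER_RE = re.compile(r"\[([^\[\]]*)\]")

# Location rules, first match wins.  These are this example's assumptions about
# how such reports are usually read, not rules taken from the thread.
LOCATION_RULES = [
    # ComboFix quarantine (*.vir copies) and catchme's zipped samples under it
    ("quarantine", re.compile(r"\\QooBox\\Quarantine\\", re.I)),
    # Thunderbird mbox files: the hit is an old message still in the inbox
    ("mail_store", re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\Mail\\", re.I)),
    # Helper binaries of the clean-up tools run in the thread (SmitfraudFix's
    # Process.exe, whose system32 copy appears in ComboFix's file list created
    # at the same minute as SmitfraudFix's other helpers; ComboFix's embedded
    # pv.cfexe) plus HP's own process killer.  Scanners flag these as
    # hacktools / PUPs because they kill processes and force reboots.
    ("known_tool", re.compile(
        r"\\SmitfraudFix\\|\\ComboFix\.exe\[|\\hp\\bin\\KillIt\.exe$"
        r"|\\system32\\Process\.exe$", re.I)),
    # Cached browser downloads (here: the downloaded ComboFix package)
    ("browser_cache", re.compile(r"\\Firefox\\Profiles\\[^\\]+\\Cache\\", re.I)),
]


def parse_line(line):
    """Return a dict with category/name/status/path, or None for non-hit lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def split_archive_path(path):
    """Split 'C:\\m\\Inbox[~0007807.~][target.scr]' into the container file
    and the list of nested members, outermost first."""
    container = path.split("[", 1)[0]
    return container, ARCHIVE_MEMBER_RE.findall(path)


def classify_path(path):
    """Map a hit path to a location label; 'live' means no rule matched."""
    for label, rule in LOCATION_RULES:
        if rule.search(path):
            return label
    return "live"


def triage(report_text):
    """Return (Counter of hits per location, list of live 'Not disinfected' hits)."""
    by_location = Counter()
    needs_attention = []
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        loc = classify_path(rec["path"])
        by_location[loc] += 1
        if loc == "live" and rec["status"] == "Not disinfected":
            needs_attention.append(rec)
    return by_location, needs_attention


# Sample input: nine lines copied from the scan report above, plus one
# constructed line (a Virtumonde DLL still in system32) to show a live hit.
SAMPLE_REPORT = r"""
Hacktool:Exploit/iFrame Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007807.~]
Virus:W32/Klez.I Disinfected C:\Documents and Settings\HP_Administrator\Application Data\Thunderbird\Profiles\p3wk1err.default\Mail\pop.earthlink.net\Inbox[~0007807.~][target.scr]
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\bw8dfgst.Default User\Cache\C2152591d01[327882R2FWJFW\pv.cfexe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/Matcash Not disinfected C:\QooBox\Quarantine\C\WINDOWS\b151.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\catchme2008-02-22_211450.20.zip[jkhfc.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\byxxxyw.dll
"""

if __name__ == "__main__":
    counts, live = triage(SAMPLE_REPORT)
    for label, n in sorted(counts.items()):
        print(f"{label:14s} {n}")
    for rec in live:
        container, members = split_archive_path(rec["path"])
        print("LIVE:", rec["name"], container, members)
```

Run as-is to get the per-location counts; only the constructed Virtumonde line ends up in the "live" bucket. On the posted report every "Not disinfected" hit falls into one of the other four buckets: ComboFix's quarantine, catchme's zip, old messages in the Thunderbird Inbox, or the helper binaries of SmitfraudFix, ComboFix and HP's KillIt. Purging the quarantine and the old mail removes those hits without touching anything the system actually runs; a hit on a path outside these buckets is the kind worth raising with the helper.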

#11 lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 04 April 2008 - 09:20 AM

Hi,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#12 trwprid
  • Topic Starter
  • Members
  • 9 posts

Posted 04 April 2008 - 06:35 PM

Thanks for keeping with it - here you go:


Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Agere Systems PCI Soft Modem
Apple Mobile Device Support
Apple Software Update
Authentium AntiVirus SDK - 2
Belkin 54g USB Network Adapter
BitPim 0.9.10
Bloglines Notifier 3.0
CoffeeCup HTML Editor 2006
Coupon Printer for Windows
Documents To Go
EarthLink Protection Control Center
Flickr Uploadr 2.3
Google Earth
Help and Support Additions
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Deskjet 3840 Series
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.2.3
HP Image Zone Plus 4.2.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZ423
IntelliMover Data Transfer Demo
InterActual Player
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iPod for Windows 2005-10-12
Ipswitch WS_FTP LE
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Kaspersky Online Scanner
LiveReg (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Professional Edition
Microsoft Picture It! Premium 10
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2005
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox (2.0.0.13)
Mozilla Thunderbird (2.0.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Netflix Movie Viewer
Norton Personal Firewall
Norton WMI Update
NVIDIA Drivers
palmOne
Panda ActiveScan
PC-Doctor for Windows
Photosmart 320,370,7400,8100,8400 Series
Picture Package Music Transfer
PS2
QuickTime
RealPlayer
Rhapsody Player Engine
ScanWizard 5
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Shockwave
Sonic Express Labeler
Sonic RecordNow!
Sony Picture Utility
Sony USB Driver
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
TaxACT 2005
TaxACT 2006
TaxACT 2007
TaxACT North Carolina 2005
TaxACT North Carolina 2006
TaxACT North Carolina 2007
The Sims 2
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 University
TopStyle (Version 2)
Tropico
Tropico 2: Pirate Cove
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast Ethernet Adapter
Windows Driver Package - MSN (usbccgp) USB (04/19/2006 1.1.0.2)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Messenger
ZeroDay
Tiffany
(the snarky momma)

#13 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:10:02 PM

Posted 08 April 2008 - 09:21 AM

Hello,

I don't see any firewall running on your computer!

I see you still have Norton software on your machine, but I can't see it running. Did you uninstall Norton?

Also, please tell me why your Authentium Firewall isn't running?

Thanks
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#14 trwprid

trwprid
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 08 April 2008 - 06:16 PM

I really don't have a good answer for that. :thumbsup:

I can't remember uninstalling Norton and I can't remember ever using Authentium. In fact, I'm not sure if I've ever had the full version of Norton on this computer. [It may have come with a two-month trial (back in 2005) and after that it stopped working.]

I was having some issues getting my wireless connection to work with my Windows and Earthlink firewalls and recall tweaking those a bit, but I can't specifically remember messing with the other two. Terribly unhelpful, I know.
Tiffany
(the snarky momma)

#15 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:10:02 PM

Posted 15 April 2008 - 03:51 AM

Hello,

Please download and save to your desktop the SymNRT.exe
  • Close all programs and double click on the tool.
  • Follow the on-screen instructions.
  • Restart the computer if asked.
  • Then delete the SymNRT.exe tool from your desktop.
  • Open the Program Files folder on your local disk (normally C:)
  • Find and delete the following folders (if present):
      • C:\Program Files\Symantec - this folder
      • C:\Program Files\Common Files\Symantec Shared - this folder
Then please enable your Authentium Firewall.

Please post a new HijackThis log and let me know how your computer is running now.

Thanks
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!
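A way to verify the two points lusitano raises above (whether any firewall is registered with Security Center as running, and whether the Symantec folders are still present after SymNRT), as an added PowerShell check that is not part of this thread. It assumes PowerShell 2.0 or later, the Windows Firewall registry layout present from XP SP2 onward, and the Security Center WMI namespaces (root\SecurityCenter on XP, root\SecurityCenter2 on Vista and later); the productState decoding is a common heuristic, not a documented contract.

```powershell
# Added verification script (not from the thread). Assumes PowerShell 2.0+,
# the XP SP2+ Windows Firewall registry keys, and the Security Center namespaces.
function Get-RegisteredFirewallProducts {
    # Vista and later register third-party products under root\SecurityCenter2;
    # XP SP2/SP3 use root\SecurityCenter, which has a plain 'enabled' property.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class FirewallProduct -ErrorAction SilentlyContinue
    if ($products) {
        foreach ($p in $products) {
            # Heuristic: the 0x1000 bit of productState is set when the product reports "on".
            New-Object PSObject -Property @{ Name = $p.displayName; Enabled = (($p.productState -band 0x1000) -ne 0) }
        }
        return
    }
    Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct -ErrorAction SilentlyContinue |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_.displayName; Enabled = [bool]$_.enabled } }
}

function Get-WindowsFirewallState {
    # EnableFirewall=1 under each profile key means the built-in firewall is on for that profile.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $v = Get-ItemProperty -Path "$base\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($v) { New-Object PSObject -Property @{ Profile = $profile; Enabled = ($v.EnableFirewall -eq 1) } }
    }
}

function Get-SymantecLeftovers {
    # The two folders the thread says to delete by hand after SymNRT has run.
    $candidates = @("$env:ProgramFiles\Symantec", "$env:CommonProgramFiles\Symantec Shared")
    $candidates | Where-Object { Test-Path $_ }
}

'--- Third-party firewalls registered with Security Center ---'
$fw = @(Get-RegisteredFirewallProducts)
if ($fw.Count -eq 0) { 'none registered' } else { $fw | Format-Table -AutoSize }
'--- Built-in Windows Firewall (per profile) ---'
Get-WindowsFirewallState | Format-Table -AutoSize
'--- Symantec folders still present ---'
$left = @(Get-SymantecLeftovers)
if ($left.Count -eq 0) { 'none' } else { $left }
```

Run it from an elevated prompt; a machine with no entry under either Security Center namespace and EnableFirewall set to 0 is in the state lusitano describes, and any folder listed in the last section still needs removing.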
