
Virus Lop Found


9 replies to this topic

#1 luiben

  • Members
  • 24 posts

Posted 06 April 2008 - 11:13 AM

I hope someone could help me. I noticed a few days ago that Firefox was running very slow and crashing. The AVG virus program tells me there is a virus "Lop" found and it's unhealable. The next day, when AVG is run again, it appears with the same message.



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, April 06, 2008 4:05:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/04/2008
Kaspersky Anti-Virus database records: 686632

-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 69006
Number of viruses found: 11
Number of infected objects: 54
Number of suspicious objects: 49
Duration of the scan process: 01:22:14

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Deckard's System Scanner v20071014.68
Run by LUIS on 2008-04-06 11:53:00
Computer is in Normal Mode.

--------------------------------------------------------------------------------


-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
106: 2008-04-06 15:53:15 UTC - RP1746 - Deckard's System Scanner Restore Point
105: 2008-04-06 14:57:13 UTC - RP1745 - Windows Defender Checkpoint
104: 2008-04-06 01:03:26 UTC - RP1744 - Spybot-S&D Spyware removal
103: 2008-04-05 19:41:48 UTC - RP1743 - System Checkpoint
102: 2008-04-04 19:00:54 UTC - RP1742 - Windows Defender Checkpoint


-- First Restore Point --
1: 2008-01-08 10:10:23 UTC - RP1641 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-06 11:57:44
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\LUIS GOYENECHE\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\vturpno.dll (file missing)
O2 - BHO: (no name) - {430A657E-DB29-4FD1-B386-796B3A54AF75} - C:\WINDOWS\SYSTEM32\sstqo.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM479d78df] Rundll32.exe "C:\WINDOWS\system32\kffqaump.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/b/e...heckControl.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} () - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} () - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164401105406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (file missing)
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: vturpno - C:\WINDOWS\system32\vturpno.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: - http://entimg.msn.com

--
End of file - 13865 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
R3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>

S0 VOBID - c:\windows\system32\drivers\vobid.sys (file missing)
S1 oreans32 - c:\windows\system32\drivers\oreans32.sys (file missing)
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 ldiskl - c:\docume~1\luisgo~1\locals~1\temp\ldiskl.sys (file missing)
S3 P2k (Motorola USB Device) - c:\windows\system32\drivers\p2k.sys <Not Verified; Motorola Inc; P2k Driver>
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 SDDMI2 - c:\windows\system32\ddmi2.sys (file missing)
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 SansaService (Sansa Updater Service) - c:\program files\sandisk\sansa updater\sansasvr.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: SCSI/RAID Host Controller
Device ID: ROOT\VOBID\0001
Manufacturer: Unknown Manufacturer
Name: SCSI/RAID Host Controller
PNP Device ID: ROOT\VOBID\0001
Service: VOBID

Class GUID:
Description:
Device ID: ROOT\*PNP0501\1_0_17_0_0_0
Manufacturer:
Name:
PNP Device ID: ROOT\*PNP0501\1_0_17_0_0_0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-06 11:50:49 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-06 04:00:00 346 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2008-04-06 03:43:00 452 --a------ C:\WINDOWS\Tasks\PPv5Scan_Daily as LUIS GOYENECHE at 3 43 AM.job
2008-03-15 13:32:00 640 --a------ C:\WINDOWS\Tasks\ .job


-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 11:22:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 11:22:33 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-06 10:53:01 0 d-------- C:\Program Files\RSSoft
2008-04-06 10:51:00 106 --a------ C:\delete.bat
2008-04-06 05:49:01 87104 --a------ C:\WINDOWS\system32\kffqaump.dll
2008-04-05 05:46:15 87104 --a------ C:\WINDOWS\system32\nnkpasqh.dll
2008-04-04 05:46:33 88640 --a------ C:\WINDOWS\system32\kghejksc.dll
2008-04-03 05:43:48 88640 --a------ C:\WINDOWS\system32\crtqihbi.dll
2008-04-02 05:43:15 88128 --a------ C:\WINDOWS\system32\hwmgfimc.dll
2008-03-30 17:40:15 327968 --ahs---- C:\WINDOWS\system32\oqtss.ini2
2008-03-30 17:40:08 268288 --a------ C:\WINDOWS\system32\sstqo.dll
2008-03-21 20:42:56 0 d-------- C:\33ddaf30a72cb0952a62e52c


-- Find3M Report ---------------------------------------------------------------

2008-03-27 20:51:10 0 d-------- C:\Documents and Settings\LUIS GOYENECHE\Application Data\Adobe
2008-03-01 00:03:49 0 d-------- C:\Documents and Settings\LUIS GOYENECHE\Application Data\Move Networks


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}]
C:\WINDOWS\system32\vturpno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{430A657E-DB29-4FD1-B386-796B3A54AF75}]
03/30/2008 05:40 PM 268288 --a------ C:\WINDOWS\system32\sstqo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [02/04/2004 11:37 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [12/21/2007 06:00 AM]
"nwiz"="nwiz.exe" [02/04/2004 11:37 AM C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [02/04/2004 11:37 AM]
"eTrustPPAP"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe" []
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" []
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" []
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [07/30/2007 05:15 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"SansaDispatch"="C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe" [05/02/2007 07:00 PM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 11:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [03/17/2005 03:25 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [03/17/2005 03:45 PM]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [03/28/2006 04:48 PM]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [01/26/2005 07:02 PM]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [04/10/2006 03:58 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 05:25 AM]
"BM479d78df"="C:\WINDOWS\system32\kffqaump.dll" [04/06/2008 05:49 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\LUIS GOYENECHE\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 11:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe [9/22/2006 2:11:23 PM]
DESKTOP.INI [9/3/2002 11:00:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\WINDOWS\system32\vturpno.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturpno]
vturpno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
C:\Program Files\RSSoft\RedSwoosh.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"VETMSGNT"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"CAISafe"=2 (0x2)
"Bonjour Service"=2 (0x2)
"SPTISRV"=3 (0x3)
"iPod Service"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6bafec-e1ec-11d9-91f2-000cf1924e8f}]
AutoRun\command- F:\SafeGuard\Windows\SafeGuard20.exe

-- End of Deckard's System Scanner: finished at 2008-04-06 11:58:55 ------------

Edited by luiben, 06 April 2008 - 03:17 PM.



#2 katana

katana

    MRU Expert

  • Members
  • 170 posts
  • Gender:Male
  • Location:Manchester (UK)

Posted 12 April 2008 - 06:39 AM

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there.)

If you can do those three things, everything should go smoothly :D

----------------------------------------------------------------------------------------

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

#3 luiben

luiben
  • Topic Starter
  • Members
  • 24 posts

Posted 12 April 2008 - 08:35 AM

Thank you for all your help.

Here are the logs as requested.

ComboFix 08-04-11.8 - LUIS GOYENECHE 2008-04-12 9:05:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -4:00]
Running from: C:\Documents and Settings\LUIS GOYENECHE\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM479d78df.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\components
C:\WINDOWS\system32\hwmgfimc.dll
C:\WINDOWS\system32\kghejksc.dll
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-08 18:54 . 2008-04-08 18:54 129 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-06 18:51 . 2008-04-08 20:06 <DIR> d-------- C:\VundoFix Backups
2008-04-06 11:52 . 2008-04-06 11:52 <DIR> d-------- C:\Deckard
2008-04-06 11:22 . 2008-04-06 11:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-06 11:22 . 2008-04-06 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 10:51 . 2008-04-07 21:46 530 --a------ C:\delete.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-08 23:32 --------- d-----w C:\Documents and Settings\LUIS GOYENECHE\Application Data\AVG7
2008-04-07 22:46 --------- d-----w C:\Program Files\BitComet
2008-03-01 04:03 --------- d-----w C:\Documents and Settings\LUIS GOYENECHE\Application Data\Move Networks
2006-09-22 01:07 24,192 ----a-w C:\Documents and Settings\LUIS GOYENECHE\usbsermptxp.sys
2006-09-22 01:07 22,768 ----a-w C:\Documents and Settings\LUIS GOYENECHE\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{833DC872-527D-4DC5-8A4F-41AB896C7C4A}]
C:\WINDOWS\system32\sstqo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 06:00 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-02-04 11:37 2899968]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 05:00 219136]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturpno]
vturpno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
-ra------ 2006-03-28 16:48 622592 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
--a------ 2006-04-10 15:58 61440 C:\Program Files\Brother\ControlCenter3\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-07-30 17:15 1836544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2005-03-17 15:45 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
C:\Program Files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-02-04 11:37 2899968 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-02-04 11:37 46080 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-02-04 11:37 782336 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2005-03-17 15:25 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
C:\Program Files\RSSoft\RedSwoosh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-05-02 19:00 55368 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--a------ 2005-01-26 19:02 49152 C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 11:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-02-12 10:14 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"VETMSGNT"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"CAISafe"=2 (0x2)
"Bonjour Service"=2 (0x2)
"SPTISRV"=3 (0x3)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys []
S1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys []
S3 ldiskl;ldiskl;C:\DOCUME~1\LUISGO~1\LOCALS~1\Temp\ldiskl.sys []
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-06-30 17:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6bafec-e1ec-11d9-91f2-000cf1924e8f}]
\Shell\AutoRun\command - F:\SafeGuard\Windows\SafeGuard20.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 17:32:00 C:\WINDOWS\Tasks\ .job"
- C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\8.‘|˙˙˙˙2.‘|«
"2008-04-12 13:12:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-12 07:43:00 C:\WINDOWS\Tasks\PPv5Scan_Daily as LUIS GOYENECHE at 3 43 AM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\ppv5consumercl.exe
"2008-04-12 08:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 09:15:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2008-04-12 9:18:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 13:18:50
Pre-Run: 46,470,197,248 bytes free
Post-Run: 46,379,626,496 bytes free
.
2008-04-12 07:04:24 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:22 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\LUIS GOYENECHE\Desktop\Anti Virus Spy Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {833DC872-527D-4DC5-8A4F-41AB896C7C4A} - C:\WINDOWS\system32\sstqo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1164401105406
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: vturpno - vturpno.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://entimg.msn.com

--
End of file - 8631 bytes

HijackThis installed programs:


ABBYY FineReader 6.0 Sprint
Adobe Reader 7.0.9
Adobe Shockwave Player
AVG Anti-Spyware 7.5
Brother MFL-Pro Suite
DivX Content Uploader
DivX Web Player
Google Desktop
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Kaspersky Online Scanner
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Professional Edition 2003
Mozilla Firefox (2.0.0.13)
PaperPort
PSP Video 9 2.25
Sansa Updater
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Spybot - Search & Destroy 1.4
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)

#4 katana

katana

    MRU Expert


  • Members
  • 170 posts
  • Gender:Male
  • Location:Manchester (UK)
  • Local time:07:29 AM

Posted 12 April 2008 - 09:28 AM

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\delete.bat
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet1.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpyBanker1.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUSaveNow2.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUSaveNow3.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUSaveNow7.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUWeatherCast3.zip
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip
    
    Folder::
    C:\VundoFix Backups
    C:\Deckard\System Scanner\backup
    Driver::
    VOBID
    oreans32
    ldiskl
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{833DC872-527D-4DC5-8A4F-41AB896C7C4A}]
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturpno]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9420:TCP"=-
    "5000:UDP"=-
    ADS::
  • Save this as CFScript.txt and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

There look to be a lot of infected e-mails in Outlook Express; they all appear to be from 2005?
You will have to remove them via Outlook.

C:\Documents and Settings\~\Outlook Express\Inbox.dbx
/[From knaeppchen@freenet.de][Date Sat, 16 Apr 2005 12:36:14 -0700]
/[From suzanne_jones7@hotmail.com][Date Thu, 05 May 2005 14:15:04 -0700]
/[From andrewsarticles@hotmail.com][Date Fri, 06 May 2005 02:27:48 -0700]


C:\Documents and Settings\~\Outlook Express\Sent Items.dbx
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Tue, 31 May 2005 13:16:23 -0400]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Tue, 31 May 2005 13:17:08 -0400]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Tue, 31 May 2005 13:24:16 -0400]
/[From intl.support@ebay.com=20][Date Tue, 31 May 2005 17:11:45 -0400]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Wed, 1 Jun 2005 19:44:14 -0400]
/[From eBay=20][Date Sat, 4 Jun 2005 08:07:55 -0400]
/[From PayPal=20][Date Mon, 6 Jun 2005 20:22:01 -0400]
/[From a foreign IP address.=20][Date Sun, 19 Jun 2005 15:25:06 -0400]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Thu, 3 Feb 2005 17:57:04 -0500]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Wed, 9 Feb 2005 20:21:41 -0500]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Mon, 14 Feb 2005 20:57:31 -0500]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Fri, 18 Feb 2005 19:02:55 -0500]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Sat, 30 Apr 2005 09:04:04 -0400]
/[From Erin Anderson, HOME <erinanderson@tampabay.rr.com>][Date Sat, 14 May 2005 11:50:17 -0400]
/[From CRUCIALPRODUCTS <crucialproducts@tampabay.rr.com>][Date Sat, 14 May 2005 15:56:03 -0400]

C:\Documents and Settings\~\Outlook Express\Deleted Items.dbx
/[From eBay Member: tsw02 <member@ebay.com>][Date Mon, 13 Jun 2005 16:04:55 -0700]
/[From hadzfam@hotmail.com][Date Tue, 05 Apr 2005 17:23:38 -0700]
/[From eBay <intl.support@ebay.com>][Date Sat, 04 Jun 2005 09:31:23 +0300]
/[From eBay Member: essiefreddie <member@ebay.com>][Date Sun, 05 Jun 2005 15:42:57 -0700]
/[From eBay Member: essiefreddie <member@ebay.com>][Date Sun, 05 Jun 2005 15:43:07 -0700]
/[From PayPal <security@paypal.com>][Date Tue, 07 Jun 2005 02:53:07 +0300]
/[From eBay Member: awesomemikes <member@ebay.com>][Date Sat, 04 Jun 2005 13:19:13 -0700]
/[From eBay Account Support <support@ebay.com>][Date Fri, 10 Jun 2005 07:25:15 -0700]
/[From eBay Member: marlene9170 <member@ebay.com>][Date Fri, 10 Jun 2005 21:46:35 -0700]
/[From SouthTrust <onlinebanking@SouthTrust.com>][Date Mon, 13 Jun 2005 18:41:37 +0300]
/[From service@eBay.com][Date Sun, 19 Jun 2005 07:19:45 -0700]
/[From eBay Customer Support <aw-verify@eBay.com>][Date Sat, 30 Apr 2005 17:55:07 +0900]
/[From eBay Member: figurinefan <member@ebay.com>][Date Thu, 05 May 2005 11:10:41 -0700]
/[From PayPal <clientnotification@PayPal.com>][Date Sat, 14 May 2005 18:19:19 +0300]
/[From intl.support@eBay.com <intl.support@eBay.com>][Date Sat, 14 May 2005 22:10:26 +0300]
/[From eBay Member: len61258 <member@ebay.com>][Date Wed, 15 Jun 2005 11:25:00 -0700]
/[From intl.support@ebay.com][Date Tue, 24 May 2005 03:09:54 +0000 (GMT)]
/[From eBay <intl.support@ebay.com>][Date Thu, 26 May 2005 00:48:37 +0300]
/[From eBay <intl.support@ebay.com>][Date Mon, 30 May 2005 00:33:59 +0300]
/[From intl.support@ebay.com][Date Mon, 16 May 2005 07:14:33 +0000 (GMT)]
/[From intl.support@ebay.com <intl.support@ebay.com>][Date Wed, 01 Jun 2005 23:22:26 +0300]



Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site: ActiveScan
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :thumbsup:
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Combofix log
  • Active Scan Log
  • How are things running now ?


----------------------------------------------------------- ----------------------------------------------------------- -----------------------------------------------------------

Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts


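The Registry:: section of katana's script removes loading points whose target file no longer exists (the sstqo.dll BHO, the vturpno Winlogon Notify entry) together with msconfig leftovers of uninstalled products. As an added example, not part of this thread and not code from HijackThis or ComboFix, the Python script below applies that reasoning to HijackThis-style log lines: it parses the section code, label, CLSID and target path, and flags entries whose file is missing or that sit in a location loaded into every process (the O20 AppInit_DLLs and Winlogon Notify entries). The sample lines are copied from the HijackThis log posted above; the severity labels and the parse_entry/triage names are this example's own conventions.

```python
"""Triage helper for HijackThis-style log lines (added example, not a tool from the thread).

Flags two things a helper looks for before writing a cleanup script:
  * loading points whose target file is missing (dead entries, safe to remove), and
  * entries in high-impact persistence locations (O20: AppInit_DLLs, Winlogon Notify),
    which deserve a look even when the file is present.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HijackThis section codes whose target is loaded into every process or logon session.
HIGH_IMPACT = {"O20"}

# "<code> - <label>: <rest>".  R0/R1 URL lines ("... = http://...") have no ": " separator
# after a label and are deliberately skipped; they are settings, not loading points.
LINE_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<label>[^:]+?): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    code: str
    label: str
    target: str          # path or DLL name; empty when the log shows "(no file)"
    clsid: Optional[str]
    severity: str        # "high", "medium" or "review" (this example's own scale)
    reason: str


def parse_entry(line: str) -> Optional[Tuple[str, str, str, Optional[str], bool]]:
    """Split one log line into (code, label, target, clsid, missing); None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, label, rest = m.group("code"), m.group("label"), m.group("rest")
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None
    # The target is the last " - " separated field; AppInit_DLLs lines have only one field.
    target = rest.rsplit(" - ", 1)[-1].strip()
    missing = False
    for marker in MISSING_MARKERS:
        if target.endswith(marker):
            missing = True
            target = target[: -len(marker)].strip()
    return code, label, target, clsid, missing


def triage(lines: List[str]) -> List[Finding]:
    """Return findings for orphaned and high-impact loading points, in log order."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        code, label, target, clsid, missing = parsed
        if missing and code in HIGH_IMPACT:
            findings.append(Finding(code, label, target, clsid, "high",
                "orphaned entry in a load-into-every-process location; remove the key"))
        elif missing:
            findings.append(Finding(code, label, target, clsid, "medium",
                "target file missing: dead loading point, normally removed as cleanup"))
        elif code in HIGH_IMPACT:
            findings.append(Finding(code, label, target, clsid, "review",
                "DLL loaded into every process/logon; verify publisher and path"))
    return findings


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {833DC872-527D-4DC5-8A4F-41AB896C7C4A} - C:\WINDOWS\system32\sstqo.dll (file missing)",
    r"O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL",
    r"O20 - Winlogon Notify: vturpno - vturpno.dll (file missing)",
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.code} {f.label}: {f.target or '(no file)'}  <- {f.reason}")
```

Run against the sample, the script reports the sstqo.dll BHO, the empty toolbar and the Yahoo! hook as dead entries, the vturpno Winlogon Notify entry as the one high-severity item, and the Google AppInit_DLLs entry for review only; that matches the keys katana chose to delete and the one he left alone.
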
#5 luiben

luiben
  • Topic Starter

  • Members
  • 24 posts
  • Local time:03:29 AM

Posted 12 April 2008 - 07:37 PM

Things seem to be running a lot faster, thank you.

Here are the logs as advised. Please let me know what else I need to do.

Thank you,

Luis





ComboFix 08-04-11.8 - LUIS GOYENECHE 2008-04-12 10:52:54.2 - NTFSx86
Running from: C:\Documents and Settings\LUIS GOYENECHE\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LUIS GOYENECHE\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\crtqihbi.dll.bad
C:\VundoFix Backups\oqtss.ini.bad
C:\VundoFix Backups\oqtss.ini2.bad

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LDISKL
-------\Service_ldiskl
-------\Service_oreans32
-------\Service_VOBID


((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-08 18:54 . 2008-04-08 18:54 129 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-06 11:52 . 2008-04-06 11:52 <DIR> d-------- C:\Deckard
2008-04-06 11:22 . 2008-04-06 11:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-06 11:22 . 2008-04-06 11:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-06 10:51 . 2008-04-07 21:46 530 --a------ C:\delete.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 13:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-08 23:32 --------- d-----w C:\Documents and Settings\LUIS GOYENECHE\Application Data\AVG7
2008-04-07 22:46 --------- d-----w C:\Program Files\BitComet
2008-03-01 04:03 --------- d-----w C:\Documents and Settings\LUIS GOYENECHE\Application Data\Move Networks
2006-09-22 01:07 24,192 ----a-w C:\Documents and Settings\LUIS GOYENECHE\usbsermptxp.sys
2006-09-22 01:07 22,768 ----a-w C:\Documents and Settings\LUIS GOYENECHE\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 06:00 579072]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-02-04 11:37 2899968]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-25 05:00 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
-ra------ 2006-03-28 16:48 622592 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
--a------ 2006-04-10 15:58 61440 C:\Program Files\Brother\ControlCenter3\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-07-30 17:15 1836544 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2005-03-17 15:45 40960 C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-02-04 11:37 2899968 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-02-04 11:37 46080 C:\WINDOWS\System32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-02-04 11:37 782336 C:\WINDOWS\SYSTEM32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2005-03-17 15:25 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
--a------ 2007-05-02 19:00 55368 C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--a------ 2005-01-26 19:02 49152 C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 11:22 155648 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-02-12 10:14 151597 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"VETMSGNT"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"CAISafe"=2 (0x2)
"Bonjour Service"=2 (0x2)
"SPTISRV"=3 (0x3)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-06-30 17:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ad6bafec-e1ec-11d9-91f2-000cf1924e8f}]
\Shell\AutoRun\command - F:\SafeGuard\Windows\SafeGuard20.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 17:32:00 C:\WINDOWS\Tasks\ .job"
- C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\8.‘|˙˙˙˙2.‘|«
"2008-04-12 15:01:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-04-12 07:43:00 C:\WINDOWS\Tasks\PPv5Scan_Daily as LUIS GOYENECHE at 3 43 AM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\ppv5consumercl.exe
"2008-04-12 08:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 11:00:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2008-04-12 11:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 15:03:47
ComboFix2.txt 2008-04-12 13:18:57
Pre-Run: 46,384,254,976 bytes free
Post-Run: 46,370,492,416 bytes free
.
2008-04-12 07:04:24 --- E O F ---

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-12 20:34:22
PROTECTIONS: 1
MALWARE: 40
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 7.5.519 7.5.519 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00035753 adware/sidestep Adware No 0 Yes No hkey_local_machine\software\microsoft\code store database\distribution units\{640b39c1-d713-464f-92c3-75bd972b95ee}
00122512 Adware/Startpage.CFE Adware No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\twc\installer\bin\AddFavorites.vbs
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.trafficmp.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.atdmt.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.tribalfusion.com/]
00145745 Cookie/OfferOptimizer TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@offeroptimizer[2].txt
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@ccbill[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@belnk[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.revenue.net/]
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@dist.belnk[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.com.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.xiti.com/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[www.burstbeacon.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.adtech.de/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[server.iad.liveperson.net/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Cookies\luis_goyeneche@advertising[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.questionmarket.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Cookies\luis_goyeneche@go[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@go[3].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@go[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\jfs3f1ch.default\cookies.txt[.go.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[searchportal.information.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@target[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.did-it.com/]
00269129 spyware/dogpile Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@cgi-bin[2].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Deckard\System Scanner\20080407213725\backup\DOCUME~1\LUISGO~1\LOCALS~1\Temp\Cookies\luis goyeneche@cgi-bin[3].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\LUIS GOYENECHE\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\LUIS GOYENECHE\Local Settings\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\Cache\C2152591d01[327882R2FWJFW\nircmd.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000003.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000083.EXE
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\LUIS GOYENECHE\Application Data\Mozilla\Firefox\Profiles\aiy5tjc0.Luis\cookies.txt[.adserver.easyad.info/]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0000078.sys
02912167 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kghejksc.dll.vir
02912307 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\VundoFix Backups\crtqihbi.dll.bad.vir
02912308 Spyware/Virtumonde Spyware No 1 Yes No C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hwmgfimc.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location s
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description s
;===================================================================================================================================================================================
;===================================================================================================================================================================================

#6 katana

katana

    MRU Expert


  • Members
  • 170 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Manchester (UK)
  • Local time:07:29 AM

Posted 13 April 2008 - 07:37 AM

Congratulations your logs look clean :thumbsup:

Let's see if I can help you keep it that way

First let's tidy up

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.




The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for Home Users) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • AVG Anti-Spyware 7.5 <<< A good "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner
Prevention
  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections
Internet Browsers
  • Microsoft has worked hard to make IE7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep
Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :blink:


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
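The hosts-file paragraph above says the file maps human-friendly names to IP addresses and can be used to block malicious sites; the same mechanism is also what a hijacker would abuse by pointing a legitimate name at a different address. The following is an added example (not code from the thread, from BleepingComputer, or from any of the tools katana lists) that parses a hosts file and sorts its entries into three buckets: normal local names, blocking entries (names pointed at 0.0.0.0 or loopback, the style MVPS HOSTS uses), and entries pointed anywhere else, which deserve a manual look. The sample hosts content, including the `login.example-bank.test` hijack line, is constructed for the demonstration.

```python
"""Audit a Windows/Unix hosts file: separate blocking entries from
entries that redirect a name somewhere unexpected."""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that a blocking list points unwanted names at.
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback and are not "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file (not taken from the thread's logs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost localhost.localdomain
0.0.0.0         ad.doubleclick.net
127.0.0.1       www.burstbeacon.com        # blocking entry, MVPS style
10.0.0.5        login.example-bank.test    # hypothetical hijack entry
this is not a hosts line
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped.

    A line may list several names for one address, so one line can yield
    several pairs. Addresses that do not parse are skipped rather than guessed.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # address with no names
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # first field is not an address
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def classify(pairs: List[Tuple[str, str]]) -> Dict[str, list]:
    """Bucket entries as local, blocking, or needing review.

    A name is 'blocking' only if it points at a block target and is not a
    normal local name; anything pointed at another address is flagged for
    review because the hosts file overrides DNS for that name.
    """
    report: Dict[str, list] = {"local": [], "blocking": [], "review": []}
    for ip, name in pairs:
        if name in LOCAL_NAMES:
            report["local"].append(name)
        elif ip in BLOCK_TARGETS:
            report["blocking"].append(name)
        else:
            report["review"].append((ip, name))
    return report


if __name__ == "__main__":
    # Running this prints the audit of the constructed sample. On a real
    # machine you would read C:\WINDOWS\system32\drivers\etc\hosts instead.
    result = classify(parse_hosts(SAMPLE_HOSTS))
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
```

Entries in the `review` bucket are the ones to compare against what the site's real DNS answer should be; a long `blocking` list is what a tool such as MVPS HOSTS or Spybot's hosts protection is expected to leave behind.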

#7 luiben

luiben
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 13 April 2008 - 09:17 AM

I ran an AVG complete check this morning (see test results below). What do these files mean:

C:\WINDOWS\system32\kernel32.dll Change Changed
C:\WINDOWS\system32\user32.dll Change Changed
C:\WINDOWS\system32\shell32.dll Change Changed
C:\WINDOWS\system32\ntoskrnl.exe Change Changed
C:\WINDOWS\system32\drivers\etc\hosts Change Changed


Why does AVG find them every time it runs a check and appears to move them?

General properties
Report name Complete Test
Start time 4/13/2008 8:00
End time 4/13/2008 8:40:42 AM (total: 40:35.8 Min)
Launch method Scanning launched by scheduler
Scanning result No threats found
Report status Scanning completed successfully

Object summary
Scanned 64401
Threats Found 0
Cleaned 0
Moved to vault 0
Deleted 0
Errors 0

C:\WINDOWS\system32\kernel32.dll Change Changed
C:\WINDOWS\system32\user32.dll Change Changed
C:\WINDOWS\system32\shell32.dll Change Changed
C:\WINDOWS\system32\ntoskrnl.exe Change Changed
C:\WINDOWS\system32\drivers\etc\hosts Change Changed

#8 katana

katana

    MRU Expert


  • Members
  • 170 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Manchester (UK)
  • Local time:07:29 AM

Posted 13 April 2008 - 10:00 AM

It is common for those files to appear, if you want to stop them then please have a look at the AVG instructions
http://forum.grisoft.cz/freeforum/read.php...6,backpage=,sv=

#9 luiben

luiben
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 13 April 2008 - 01:36 PM

Katana you are the man!!! (I'm assuming you are a man).

thanks for everything...........I thought of reformatting my hard drive before you helped out.

#10 katana

katana

    MRU Expert


  • Members
  • 170 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Manchester (UK)
  • Local time:07:29 AM

Posted 13 April 2008 - 02:30 PM

Katana you are the man!!! (I'm assuming you are a man).

thanks for everything...........I thought of reformatting my hard drive before you helped out.


Yes, I am a man :blink:

Reformatting is a last resort, we don't like to be beaten :thumbsup:

Glad to be of service,

Stay safe

K'