
Please Help: Softhomepage.com


  • This topic is locked
4 replies to this topic

#1 miahdog

  • Members
  • 2 posts

Posted 01 May 2008 - 01:39 PM

One of my workers downloaded this crap on my computer. It hijacks my browser and is continually telling me my computer is infected.

Here are the logs that were requested:

* Extra:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron™ Processor 3400+
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 446.48 MiB / 150.93 MiB
Pagefile Memory (total/avail): 1053.72 MiB / 690.53 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.56 MiB

C: is Fixed (NTFS) - 48.82 GiB total, 48.16 GiB free.
D: is Fixed (NTFS) - 100.22 GiB total, 88.4 GiB free.
E: is CDROM (CDFS)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)
K: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP1604N - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 48.82 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 100.22 GiB - D:

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

\\.\PHYSICALDRIVE5 - HP PSC 1610 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition v8.0.1.15 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\uTorrent\\uTorrent.exe"="D:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="D:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="D:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\Sammy\Application Data
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=COMPANY-9AAEBF6
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\Sammy
LOGONSERVER=\\COMPANY-9AAEBF6
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\Program Files\Mozilla Firefox;D:\Program Files\Trend Micro\HijackThis;D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\Common Files\Teleca Shared;D:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=D:\Program Files
PROMPT=$P$G
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\Sammy\LOCALS~1\Temp
TMP=D:\DOCUME~1\Sammy\LOCALS~1\Temp
USERDOMAIN=COMPANY-9AAEBF6
USERNAME=Sammy
USERPROFILE=D:\Documents and Settings\Sammy
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sammy (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> D:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
µTorrent --> "D:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
A-one PSP Video Convertor 5.70 --> "D:\Program Files\A-one PSP Video Convertor\unins000.exe"
Adobe Flash Player ActiveX --> D:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI Control Panel --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 D:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal – Free Antivirus --> D:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Azureus Vuze --> D:\Program Files\Azureus\uninstall.exe
DivX Content Uploader --> D:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> D:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Exact Audio Copy PSP Edition 1.0 --> D:\Program Files\Exact Audio Copy PSP Edition\uninst.exe
Gamevance --> D:\Program Files\Gamevance\gvun.exe
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
HijackThis 2.0.2 --> "D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "D:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Image Zone 4.7 --> D:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7 --> "D:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01.exe" -datfile hposcr05.dat
HP Software Update --> MsiExec.exe /X{64FC0C98-B035-4530-B15D-3D30610B6DF1}
ImgBurn --> "D:\Program Files\ImgBurn\uninstall.exe"
Internet Service --> "D:\Program Files\NetProject\waun.exe"
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Kaspersky Online Scanner --> D:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP --> "D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "D:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Motorola Driver Installation 3.4.0 --> MsiExec.exe /I{81B3BEF9-5D97-4096-86E9-5B48A5BC32D0}
Mozilla Firefox (2.0.0.14) --> D:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PowerISO --> "D:\Program Files\PowerISO\uninstall.exe"
PrimoPDF --> "D:\WINDOWS\PrimoPDF4\uninstall.exe" "/U:D:\Program Files\activePDF\PrimoPDF\Uninstall\uninstallPrimoPDF4.xml"
RealPlayer --> D:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> D:\Program Files\WinRAR\uninstall.exe
WMWifiRouter --> D:\Program Files\Microsoft ActiveSync\WMWifiRouter\Uninstall.exe WMWifiRouter


-- Application Event Log -------------------------------------------------------

Event Record #/Type632 / Warning
Event Submitted/Written: 05/01/2008 00:45:49 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type627 / Warning
Event Submitted/Written: 05/01/2008 00:32:30 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type626 / Error
Event Submitted/Written: 05/01/2008 00:05:34 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type625 / Error
Event Submitted/Written: 04/30/2008 04:09:31 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TeaTimer.exe, version 1.5.2.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type620 / Warning
Event Submitted/Written: 04/30/2008 03:24:39 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4573 / Warning
Event Submitted/Written: 05/01/2008 01:18:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%COMPANY-9AAEBF627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %COMPANY-9AAEBF627 can't undo changes that you allow.

For more information please see the following:
%COMPANY-9AAEBF6275

Scan ID: {6E0E4BB5-C29E-4D84-B531-C88BEC845A96}

User: COMPANY-9AAEBF6\Sammy

Name: %COMPANY-9AAEBF6271

ID: %COMPANY-9AAEBF6272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %COMPANY-9AAEBF6276

Alert Type: %COMPANY-9AAEBF6278

Detection Type: 1.1.1593.02

Event Record #/Type4572 / Warning
Event Submitted/Written: 05/01/2008 01:18:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%COMPANY-9AAEBF627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %COMPANY-9AAEBF627 can't undo changes that you allow.

For more information please see the following:
%COMPANY-9AAEBF6275

Scan ID: {626F0A93-547D-45B8-AF3C-C69B34351234}

User: COMPANY-9AAEBF6\Sammy

Name: %COMPANY-9AAEBF6271

ID: %COMPANY-9AAEBF6272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %COMPANY-9AAEBF6276

Alert Type: %COMPANY-9AAEBF6278

Detection Type: 1.1.1593.02

Event Record #/Type4571 / Warning
Event Submitted/Written: 05/01/2008 01:18:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%COMPANY-9AAEBF627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %COMPANY-9AAEBF627 can't undo changes that you allow.

For more information please see the following:
%COMPANY-9AAEBF6275

Scan ID: {F7D950CB-62B1-4C89-8E77-54349157C4F4}

User: COMPANY-9AAEBF6\Sammy

Name: %COMPANY-9AAEBF6271

ID: %COMPANY-9AAEBF6272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %COMPANY-9AAEBF6276

Alert Type: %COMPANY-9AAEBF6278

Detection Type: 1.1.1593.02

Event Record #/Type4570 / Warning
Event Submitted/Written: 05/01/2008 01:18:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%COMPANY-9AAEBF627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %COMPANY-9AAEBF627 can't undo changes that you allow.

For more information please see the following:
%COMPANY-9AAEBF6275

Scan ID: {B6AC31BF-6963-40C1-811E-6A9F2171E684}

User: COMPANY-9AAEBF6\Sammy

Name: %COMPANY-9AAEBF6271

ID: %COMPANY-9AAEBF6272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %COMPANY-9AAEBF6276

Alert Type: %COMPANY-9AAEBF6278

Detection Type: 1.1.1593.02

Event Record #/Type4569 / Warning
Event Submitted/Written: 05/01/2008 01:18:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%COMPANY-9AAEBF627 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %COMPANY-9AAEBF627 can't undo changes that you allow.

For more information please see the following:
%COMPANY-9AAEBF6275

Scan ID: {E4DADB0D-4842-425C-B2F6-29E35675075C}

User: COMPANY-9AAEBF6\Sammy

Name: %COMPANY-9AAEBF6271

ID: %COMPANY-9AAEBF6272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %COMPANY-9AAEBF6276

Alert Type: %COMPANY-9AAEBF6278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-01 13:19:05 ------------

* Main:

Deckard's System Scanner v20071014.68
Run by Sammy on 2008-05-01 13:16:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
110: 2008-05-01 17:16:11 UTC - RP145 - Deckard's System Scanner Restore Point
109: 2008-04-30 18:52:52 UTC - RP144 - Windows Defender Checkpoint
108: 2008-04-30 17:54:39 UTC - RP143 - Software Distribution Service 3.0
107: 2008-04-30 17:43:58 UTC - RP142 - Installed Windows Defender
106: 2008-04-29 18:55:21 UTC - RP141 - System Checkpoint


-- First Restore Point --
1: 2008-02-01 23:30:10 UTC - RP36 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Sammy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:28 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\NetProject\sbmntr.exe
D:\WINDOWS\ALCXMNTR.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Gamevance\gamevance32.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\jre1.5.0\bin\jucheck.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\NetProject\sbsm.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Sammy\Desktop\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\Sammy.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - D:\Program Files\Gamevance\gvtl.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - D:\Program Files\NetProject\sbmdl.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Gamevance] D:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DW4] "D:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [start] D:\Program Files\NetProject\sbmntr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PalTalk.lnk = D:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30B8F614-EDC9-42C9-975B-34DCAF207844}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C98318D-1D17-441F-8464-2244DE199FEF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: enswathes - {4d51e91c-e917-4b7f-89ff-abe471e16927} - D:\WINDOWS\system32\uyhjw.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8754 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - d:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 MCSTRM - d:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S3 w300bus (Sony Ericsson W300 Driver driver (WDM)) - d:\windows\system32\drivers\w300bus.sys <Not Verified; MCCI; Sony Ericsson W300 Driver>
S3 w300mdfl (Sony Ericsson W300 USB WMC Modem Filter) - d:\windows\system32\drivers\w300mdfl.sys <Not Verified; MCCI; Sony Ericsson W300 USB WMC Modem Filter Driver>
S3 w300mdm (Sony Ericsson W300 USB WMC Modem Driver) - d:\windows\system32\drivers\w300mdm.sys <Not Verified; MCCI; Sony Ericsson W300 USB WMC Data Modem>
S3 w300mgmt (Sony Ericsson W300 USB WMC Device Management Drivers (WDM)) - d:\windows\system32\drivers\w300mgmt.sys <Not Verified; MCCI; Sony Ericsson W300 USB WMC Device Management>
S3 w300obex (Sony Ericsson W300 USB WMC OBEX Interface) - d:\windows\system32\drivers\w300obex.sys <Not Verified; MCCI; Sony Ericsson W300 USB WMC OBEX Interface>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "d:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A24103C&REV_11\3&61AAA01&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A24103C&REV_11\3&61AAA01&0&A0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_11C1&DEV_048C&SUBSYS_044C11C1&REV_03\4&1C88B56&0&08A4
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_11C1&DEV_048C&SUBSYS_044C11C1&REV_03\4&1C88B56&0&08A4
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-01 12:50:09 330 --ah----- D:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-05-01 13:10:54 0 d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-01 13:10:53 0 d-------- D:\WINDOWS\system32\Kaspersky Lab
2008-05-01 13:10:51 0 d-------- D:\WINDOWS\LastGood
2008-05-01 12:06:18 0 d-------- D:\Program Files\Trend Micro
2008-05-01 11:44:50 0 d-------- D:\Program Files\Enigma Software Group
2008-04-30 13:44:10 0 d-------- D:\Program Files\Windows Defender
2008-04-30 13:40:27 0 d-------- D:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-30 13:12:59 0 d-------- D:\Program Files\NetProject
2008-04-17 12:05:56 0 d-------- D:\Program Files\AskPBar
2008-04-17 12:04:28 0 d-------- D:\Documents and Settings\Sammy\Application Data\Paltalk
2008-04-17 12:04:24 0 d-------- D:\WINDOWS\PaltalkScene
2008-04-17 12:04:24 0 d-------- D:\Program Files\Paltalk Messenger
2008-04-14 16:35:00 0 d-------- D:\Program Files\Mobiola Web Camera 2 for S60 2nd Edition
2008-04-14 15:51:22 0 d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 15:51:06 114688 --a------ D:\WINDOWS\system32\BTCamVideoSource.dll <Not Verified; Warelex LLC; Mobiola® Video Source>
2008-04-12 11:20:09 0 d-------- D:\WINDOWS\system32\LogFiles
2008-04-12 11:20:09 0 d-------- D:\WINDOWS\system32\drivers\UMDF
2008-04-12 11:16:50 0 d-------- D:\Program Files\Rhapsody
2008-04-12 11:10:17 0 d-------- D:\My Downloads
2008-04-11 20:22:43 4 --a------ D:\WINDOWS\system32\FA7184
2008-04-11 20:22:29 8413 --a------ D:\WINDOWS\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
2008-04-11 20:19:16 0 d-------- D:\Program Files\Common Files\xing shared
2008-04-11 20:18:49 0 d-------- D:\Program Files\Common Files\Real
2008-04-11 20:18:47 0 d-------- D:\Documents and Settings\Sammy\Application Data\Real
2008-04-10 10:45:33 0 d-------- D:\Program Files\Microsoft Silverlight
2008-04-07 17:28:18 0 d-------- D:\Documents and Settings\Sammy\Contacts
2008-04-07 17:26:39 0 d-------- D:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2008-04-07 17:26:26 0 d-------- D:\Program Files\Windows Live Toolbar


-- Find3M Report ---------------------------------------------------------------

2008-04-27 14:13:44 13312 --a-s---- D:\WINDOWS\system32\uyhjw.dll
2008-04-23 09:54:12 0 d-------- D:\Program Files\Windows Media Connect 2
2008-04-18 17:11:54 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-04-16 16:13:13 310 --a------ D:\Documents and Settings\Sammy\Application Data\APUSet.xml
2008-04-16 16:12:31 6051 --a------ D:\Documents and Settings\Sammy\Application Data\PrimoPDFSet.xml
2008-04-11 20:19:16 0 d-------- D:\Program Files\Common Files
2008-03-13 16:37:51 0 d-------- D:\Program Files\Microsoft ActiveSync
2008-03-12 12:52:29 0 d-------- D:\Program Files\activePDF
2008-02-25 19:12:48 68964 --a------ D:\WINDOWS\hpoins05.dat
2008-02-25 14:41:53 26401 --a------ D:\Program Files\razr V3 usb driver.zip
2008-02-25 14:41:37 35682 --a------ D:\Program Files\Razr_V3C_Usb_Driver.zip
2008-02-19 15:42:00 2528 --a------ D:\Documents and Settings\Sammy\Application Data\$_hpcst$.hpc
2008-02-10 14:27:47 1167 --a------ D:\WINDOWS\mozver.dat
2008-02-09 17:15:23 0 --a------ D:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7370F91F-6994-4595-9949-601FA2261C8D}]
02/09/2008 05:20 PM 225280 --a------ D:\Program Files\Gamevance\gvtl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
05/01/2008 12:46 PM 7168 --a------ D:\Program Files\NetProject\sbmdl.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= D:\Program Files\NetProject\wamdl.dll [04/30/2008 01:23 PM 82944]

[-HKEY_CLASSES_ROOT\CLSID\{51D81DD5-55B7-497F-95DB-D356429BB54E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 02:47 PM D:\WINDOWS\ALCXMNTR.EXE]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/13/2005 10:05 PM]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.5.0\bin\jusched.exe" [01/21/2008 07:46 PM]
"Gamevance"="D:\Program Files\Gamevance\gamevance32.exe" [02/09/2008 05:20 PM]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [04/20/2008 01:13 PM]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [09/13/2004 04:49 PM]
"PWRISOVM.EXE"="D:\Program Files\PowerISO\PWRISOVM.EXE" [01/20/2008 03:05 AM]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/11/2008 08:18 PM]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="D:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" []
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 02:39 PM]
"MsnMsgr"="D:\Program Files\MSN Messenger\MsnMsgr.exe" []

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/4/2004 8:28:24 PM]
HP Image Zone Fast Start.lnk - D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/4/2004 8:50:52 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"start"=D:\Program Files\NetProject\sbmntr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{4d51e91c-e917-4b7f-89ff-abe471e16927}"= D:\WINDOWS\system32\uyhjw.dll [04/27/2008 02:13 PM 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdszo.exe"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 mpa.one.microsoft.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com

7967 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-01 13:19:05 ------------

*HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:33 PM, on 5/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\NetProject\sbmntr.exe
D:\WINDOWS\ALCXMNTR.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Java\jre1.5.0\bin\jusched.exe
D:\Program Files\Gamevance\gamevance32.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Java\jre1.5.0\bin\jucheck.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Microsoft ActiveSync\Wcescomm.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\NetProject\sbsm.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Gamevance Text - {7370F91F-6994-4595-9949-601FA2261C8D} - D:\Program Files\Gamevance\gvtl.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - D:\Program Files\NetProject\sbmdl.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Gamevance] D:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [DW4] "D:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [start] D:\Program Files\NetProject\sbmntr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PalTalk.lnk = D:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - D:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.gateietool.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30B8F614-EDC9-42C9-975B-34DCAF207844}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C98318D-1D17-441F-8464-2244DE199FEF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: enswathes - {4d51e91c-e917-4b7f-89ff-abe471e16927} - D:\WINDOWS\system32\uyhjw.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8480 bytes

*Kaspersky Report:

Thursday, May 01, 2008 3:36:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/05/2008
Kaspersky Anti-Virus database records: 734395
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
Scan Statistics
Total number of scanned objects 47469
Number of viruses found 18
Number of infected objects 32
Number of suspicious objects 0
Duration of the scan process 01:02:53

Infected Object Name Virus Name Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP145\change.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-04302008-134442.log Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Sammy\Application Data\$_hpcst$.hpc Object is locked skipped
D:\Documents and Settings\Sammy\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\cert8.db Object is locked skipped
D:\Documents and Settings\Sammy\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\history.dat Object is locked skipped
D:\Documents and Settings\Sammy\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\key3.db Object is locked skipped
D:\Documents and Settings\Sammy\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\parent.lock Object is locked skipped
D:\Documents and Settings\Sammy\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\search.sqlite Object is locked skipped
D:\Documents and Settings\Sammy\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\urlclassifier2.sqlite Object is locked skipped
D:\Documents and Settings\Sammy\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.1b552ee2.ini.inuse Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{B2C75981-1337-40A1-8372-DEC4CE2E3CDB} Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\Cache\_CACHE_001_ Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\Cache\_CACHE_002_ Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\Cache\_CACHE_003_ Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Application Data\Mozilla\Firefox\Profiles\2rgfms4x.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\History\History.IE5\MSHist012008050120080502\index.dat Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Temp\hpodvd09.log Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Temp\WCESLog.log Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Temp\~DFE730.tmp Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Temporary Internet Files\Content.IE5\GHUFKH6B\softhomepage[1].htm Infected: not-virus:Hoax.HTML.Secureinvites.a skipped
D:\Documents and Settings\Sammy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Sammy\Local Settings\Temporary Internet Files\Content.IE5\K8CRIP78\Download_spyzookasetup1[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
D:\Documents and Settings\Sammy\Local Settings\Temporary Internet Files\Content.IE5\UJID95MG\WinSpyKillerSetup[1].exe Infected: not-a-virus:Downloader.Win32.Agent.au skipped
D:\Documents and Settings\Sammy\My Documents\My Music\Unknown Artist\Unknown Album (4-25-2008 4-33-57 PM)\kiesha cole remember.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
D:\Documents and Settings\Sammy\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Sammy\ntuser.dat.LOG Object is locked skipped
D:\Program Files\NetProject\sbmdl.dll Infected: Trojan-Downloader.Win32.Zlob.luv skipped
D:\Program Files\NetProject\sbmntr.exe Infected: Trojan-Downloader.Win32.Zlob.luu skipped
D:\Program Files\NetProject\sbsm.exe Infected: Trojan-Downloader.Win32.Zlob.luz skipped
D:\Program Files\NetProject\scit.exe Infected: not-virus:Hoax.Win32.Gavec.bs skipped
D:\Program Files\NetProject\scu.exe Infected: Trojan-Downloader.Win32.Zlob.luy skipped
D:\Program Files\NetProject\wamdl.dll Infected: Trojan-Downloader.Win32.Zlob.lva skipped
D:\Program Files\NetProject\waun.exe Infected: Trojan-Downloader.Win32.Zlob.lvb skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP139\A0016765.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP141\A0017764.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP141\A0017793.exe Infected: not-virus:Hoax.Win32.Renos.bwr skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP141\A0017794.dll Infected: Trojan-Downloader.Win32.Zlob.luv skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP141\A0017795.exe Infected: Trojan-Downloader.Win32.Zlob.luz skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP143\A0017810.exe Infected: not-virus:Hoax.Win32.Renos.bwr skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP144\A0017811.exe Infected: Trojan-Downloader.Win32.Zlob.luw skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP144\A0017821.dll Infected: Trojan-Downloader.Win32.Zlob.luv skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP144\A0017822.exe Infected: Trojan-Downloader.Win32.Zlob.luz skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP144\A0017861.dll Infected: Trojan-Downloader.Win32.Zlob.luv skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP144\A0017862.exe Infected: Trojan-Downloader.Win32.Zlob.luz skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP144\A0017961.dll Infected: Trojan-Downloader.Win32.Zlob.luv skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP144\A0017962.exe Infected: Trojan-Downloader.Win32.Zlob.luz skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP145\A0017971.exe Infected: Trojan-Downloader.Win32.Zlob.luj skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP145\A0017972.exe Infected: Trojan-Downloader.Win32.Zlob.luj skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP145\A0017973.exe Infected: Trojan-Downloader.Win32.Zlob.luj skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP145\change.log Object is locked skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP46\A0007484.exe Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP46\A0007490.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP46\A0007542.dll Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
D:\System Volume Information\_restore{0F870EE1-800A-4720-8DAA-AD57C2490961}\RP47\A0007599.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
D:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
D:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
D:\WINDOWS\SoftwareDistribution\EventCache\{69F9CE21-7E6D-4592-BBE9-DC07848FEAD4}.bin Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\uyhjw.dll Infected: not-virus:Hoax.Win32.Agent.ck skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Edited by miahdog, 01 May 2008 - 02:47 PM.



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 PM

Posted 02 May 2008 - 10:19 PM

Hello miahdog,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miahdog

miahdog
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:37 PM

Posted 05 May 2008 - 02:55 PM

Thank you. It worked!!

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 PM

Posted 05 May 2008 - 03:33 PM

Please copy/paste the content of the SmitfraudFix report into your next reply along with a new HijackThis log. The report is located at C:\rapport.txt

There may be remnants still on your computer.

#5 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:37 PM

Posted 11 May 2008 - 01:23 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.