Hi. Need Help. Logo File Uploaded


  • This topic is locked
9 replies to this topic

#1 esper

esper

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:11:54 PM

Posted 15 May 2009 - 04:21 AM

Hi Everyone.

Like most people arriving here I need help with my PC. It's been infected with some weird-looking .exe files that are multiplying in my C:\ directory. I've used HijackThis before on other computers, but this time I can't see who/what is the culprit that is creating these rogue files. Any help would be appreciated.

Esper.

Here is the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:06, on 15/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Canon\EOS Utility\WFTPairing\WFTPairing.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Canon\EOS Utility\WFTPairing\EOSUPNPSV.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\STOPzilla!\SZOptions.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
C:\Program Files\Grisoft\AVG Anti-Rootkit Free\avgarkt.exe
C:\Program Files\Grisoft\AVG Anti-Rootkit Free\vYdFqsLTn.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Documents and Settings\Mark\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\LOv912.exe
c:\LOv912.exe
c:\LOv912.exe
c:\rd1mq.exe
c:\egxLFL.exe
c:\rd1mq.exe
c:\egxLFL.exe
c:\rd1mq.exe
c:\LOv912.exe
c:\egxLFL.exe
c:\egxLFL.exe
c:\rd1mq.exe
c:\rd1mq.exe
c:\egxLFL.exe
c:\LOv912.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnHost] c:\LOv912.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\LOv912.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnConvert] c:\LOv912.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\LOv912.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnHost] c:\LOv912.exe (User 'Default user')
O4 - Startup: WFTPairing.lnk = C:\Program Files\Canon\EOS Utility\WFTPairing\WFTPairing.exe
O4 - Global Startup: hueyPROTray.lnk = C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11154 bytes
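Two things stand out in the log above: several processes running straight from the root of C:\ and O4 autoruns under Policies\Explorer\Run, keyed for the SYSTEM and Default user hives, that point at the same root-level file. The Python below is an added example that pulls exactly those two indicators out of a HijackThis log; it is not part of this thread or of HijackThis, and the sample lines are a handful copied from the log above.

```python
"""Triage a HijackThis log for processes and autoruns that launch from the
root of a drive.  Added example, not part of the thread or of HijackThis;
the sample lines below are copied from the log posted above."""
import re
from collections import Counter

# O4 registry autorun line: hive \..\ key: [name] command (User 'x')
O4_LINE = re.compile(
    r"^O4 - (?P<hive>.*?)\\\.\.\\(?P<key>.*?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# First executable in a command: optional quote, drive letter, path, known extension.
FIRST_EXE = re.compile(r'^"?(?P<exe>[a-z]:\\.*?\.(?:exe|bat|cmd|com|dll|scr))\b', re.I)
# A file sitting directly in the root of a drive, e.g. c:\LOv912.exe
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)

# Constructed sample: a few lines taken from the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Skype\Phone\Skype.exe
c:\LOv912.exe
c:\rd1mq.exe
c:\LOv912.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnHost] c:\LOv912.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [MsnHost] c:\LOv912.exe (User 'Default user')
"""


def running_processes(log):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, inside = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            inside = True
        elif inside:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def autoruns(log):
    """O4 registry autoruns as dicts (hive, key, name, cmd, user, exe)."""
    found = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # Startup-folder O4 lines and other sections are skipped
        entry = m.groupdict()
        exe = FIRST_EXE.match(entry["cmd"])
        entry["exe"] = exe.group("exe") if exe else None
        found.append(entry)
    return found


def triage(log):
    """Processes and autoruns whose executable lives in a drive root."""
    root_procs = Counter(p.lower() for p in running_processes(log)
                         if DRIVE_ROOT.match(p))
    root_autoruns = [a for a in autoruns(log)
                     if a["exe"] and DRIVE_ROOT.match(a["exe"])]
    return {"root_processes": dict(root_procs), "root_autoruns": root_autoruns}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("processes from drive root:", result["root_processes"])
    for a in result["root_autoruns"]:
        print(f"autorun {a['name']} under {a['hive']}\\..\\{a['key']} "
              f"-> {a['exe']} (user {a['user']})")
```

The registry key is kept alongside the executable in the output because the location matters for triage: a Run value under Policies\Explorer\Run for the SYSTEM and Default user hives is not somewhere installers normally write, and seeing the same root-level file repeated there across several value names is the pattern the helper later targets in the fix.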


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:54 PM

Posted 15 May 2009 - 06:25 AM

Hi esper,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Go to Start > Run, copy/paste the following lines one by one into the Run box and click OK after each line.

    cmd /c dir /o:d /a "C:\" > "%userprofile%\desktop\log1.txt"
    cmd /c dir /a /s C:\WINDOWS\tasks >> "%userprofile%\desktop\log1.txt"


    A log1.txt file will be created on your desktop. Please post the content to your reply.

  • Please make a program list with HijackThis:
  • Open HijackThis and click Open the Misc Tools section.
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:54 AM

Posted 15 May 2009 - 06:27 AM

<<< post deleted >>>

Edited by miekiemoes, 15 May 2009 - 06:57 AM.


#4 esper

esper
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:11:54 PM

Posted 15 May 2009 - 07:54 AM

Hi Farbar

Thanks for replying.

The log1.txt file is as follows:

Volume in drive C has no label.
Volume Serial Number is 3887-7906

Directory of C:\

03/08/2004 23:00 260,272 cmldr
12/08/2004 14:25 47,564 NTDETECT.COM
14/10/2007 19:35 0 IO.SYS
14/10/2007 19:35 0 CONFIG.SYS
14/10/2007 19:35 0 MSDOS.SYS
14/10/2007 19:35 0 AUTOEXEC.BAT
15/10/2007 02:04 <DIR> DELL
15/10/2007 22:15 27,262,976 VIRTPART.DAT
09/11/2007 02:23 4,096 VSNAP.IDX
19/11/2007 20:56 <DIR> Documents and Settings
09/03/2008 13:33 <DIR> DVDVideoSoft
21/09/2008 08:47 250,048 ntldr
17/11/2008 03:28 <DIR> NVIDIA
01/12/2008 04:26 <DIR> System Volume Information
18/12/2008 23:26 <DIR> DFU
17/02/2009 02:15 <DIR> keygens
12/05/2009 16:39 210 Boot.bak
15/05/2009 01:40 <DIR> temp
15/05/2009 12:12 <DIR> Program Files
15/05/2009 12:31 2,145,386,496 pagefile.sys
15/05/2009 12:38 180 xXVQD4.bat
15/05/2009 12:38 48 PT2YUsPQ.txt
15/05/2009 12:38 272,896 MrB.exe
15/05/2009 12:47 201 Uk4L.bat
15/05/2009 12:47 53 R9kI.txt
15/05/2009 12:47 6,946 cJ4u.bat
15/05/2009 12:47 272,896 U1bdtjfz.exe
15/05/2009 12:49 178 Mz4.bat
15/05/2009 12:49 48 i3us1h.txt
15/05/2009 12:49 6,946 GrAeuzL.bat
15/05/2009 12:49 272,896 UKu.exe
15/05/2009 12:50 183 J5e.bat
15/05/2009 12:50 49 FNH7lQ.txt
15/05/2009 12:50 6,946 PC7Lo.bat
15/05/2009 12:50 272,896 uyvY.exe
15/05/2009 13:08 198 j3CYly.bat
15/05/2009 13:08 52 Y9kXoP.txt
15/05/2009 13:08 6,946 OUb.bat
15/05/2009 13:08 272,896 mwkhSGa.exe
15/05/2009 13:09 <DIR> cmdcons
15/05/2009 13:09 281 boot.ini
15/05/2009 13:41 <DIR> WINDOWS
15/05/2009 13:44 21,245 ComboFix.txt
15/05/2009 13:44 <DIR> Qoobox
15/05/2009 13:44 <DIR> ComboFix
15/05/2009 13:46 185 fxDs.bat
15/05/2009 13:46 49 GD8LqpdP.txt
15/05/2009 13:46 6,946 Dyy0DE.bat
15/05/2009 13:46 272,896 hswy.exe
15/05/2009 13:47 <DIR> RECYCLER
15/05/2009 13:49 48 SFT.txt
15/05/2009 13:49 175 fPOSfRer.bat
15/05/2009 13:49 6,946 vRZCWr4S.bat
15/05/2009 13:49 272,896 Jqd.exe
40 File(s) 2,175,186,783 bytes
14 Dir(s) 15,779,721,216 bytes free
Volume in drive C has no label.
Volume Serial Number is 3887-7906

Directory of C:\WINDOWS\tasks

15/05/2009 13:49 <DIR> .
15/05/2009 13:49 <DIR> ..
22/04/2009 18:50 284 AppleSoftwareUpdate.job
15/05/2009 13:49 362 At1.job
15/05/2009 13:49 362 At10.job
15/05/2009 13:49 362 At11.job
15/05/2009 13:49 362 At12.job
15/05/2009 13:49 362 At13.job
15/05/2009 13:49 362 At14.job
15/05/2009 13:49 362 At15.job
15/05/2009 13:49 362 At16.job
15/05/2009 13:49 362 At17.job
15/05/2009 13:49 362 At18.job
15/05/2009 13:49 362 At19.job
15/05/2009 13:49 362 At2.job
15/05/2009 13:49 362 At20.job
15/05/2009 13:49 362 At21.job
15/05/2009 13:49 362 At22.job
15/05/2009 13:49 362 At23.job
15/05/2009 13:49 362 At24.job
15/05/2009 13:49 362 At25.job
15/05/2009 13:49 362 At26.job
15/05/2009 13:49 362 At27.job
15/05/2009 13:49 362 At28.job
15/05/2009 13:49 362 At29.job
15/05/2009 13:49 362 At3.job
15/05/2009 13:49 362 At30.job
15/05/2009 13:49 362 At31.job
15/05/2009 13:49 362 At32.job
15/05/2009 13:49 362 At33.job
15/05/2009 13:49 362 At34.job
15/05/2009 13:49 362 At35.job
15/05/2009 13:49 362 At36.job
15/05/2009 13:49 362 At37.job
15/05/2009 13:49 362 At38.job
15/05/2009 13:49 362 At39.job
15/05/2009 13:49 362 At4.job
15/05/2009 13:49 362 At40.job
15/05/2009 13:49 362 At41.job
15/05/2009 13:49 362 At42.job
15/05/2009 13:49 362 At43.job
15/05/2009 13:49 362 At44.job
15/05/2009 13:49 362 At45.job
15/05/2009 13:49 362 At46.job
15/05/2009 13:49 362 At47.job
15/05/2009 13:49 362 At48.job
15/05/2009 13:49 362 At49.job
15/05/2009 13:49 362 At5.job
15/05/2009 13:49 362 At50.job
15/05/2009 13:49 362 At51.job
15/05/2009 13:49 362 At52.job
15/05/2009 13:49 362 At53.job
15/05/2009 13:49 362 At54.job
15/05/2009 13:49 362 At55.job
15/05/2009 13:49 362 At56.job
15/05/2009 13:49 362 At57.job
15/05/2009 13:49 362 At58.job
15/05/2009 13:49 362 At59.job
15/05/2009 13:49 362 At6.job
15/05/2009 13:49 362 At60.job
15/05/2009 13:49 362 At61.job
15/05/2009 13:49 362 At62.job
15/05/2009 13:49 362 At63.job
15/05/2009 13:49 362 At64.job
15/05/2009 13:49 362 At65.job
15/05/2009 13:49 362 At66.job
15/05/2009 13:49 362 At67.job
15/05/2009 13:49 362 At68.job
15/05/2009 13:49 362 At69.job
15/05/2009 13:49 362 At7.job
15/05/2009 13:49 362 At70.job
15/05/2009 13:49 362 At71.job
15/05/2009 13:49 362 At72.job
15/05/2009 13:49 362 At73.job
15/05/2009 13:49 362 At74.job
15/05/2009 13:49 362 At75.job
15/05/2009 13:49 362 At76.job
15/05/2009 13:49 362 At77.job
15/05/2009 13:49 362 At78.job
15/05/2009 13:49 362 At79.job
15/05/2009 13:49 362 At8.job
15/05/2009 13:49 362 At80.job
15/05/2009 13:49 362 At81.job
15/05/2009 13:49 362 At82.job
15/05/2009 13:49 362 At83.job
15/05/2009 13:49 362 At84.job
15/05/2009 13:49 362 At85.job
15/05/2009 13:49 362 At86.job
15/05/2009 13:49 362 At87.job
15/05/2009 13:49 362 At88.job
15/05/2009 13:49 362 At89.job
15/05/2009 13:49 362 At9.job
15/05/2009 13:49 362 At90.job
15/05/2009 13:49 362 At91.job
15/05/2009 13:49 362 At92.job
15/05/2009 13:49 362 At93.job
15/05/2009 13:49 362 At94.job
15/05/2009 13:49 362 At95.job
15/05/2009 13:49 362 At96.job
12/08/2004 14:23 65 desktop.ini
15/05/2009 13:44 6 SA.DAT
99 File(s) 35,107 bytes

Total Files Listed:
99 File(s) 35,107 bytes
2 Dir(s) 15,779,733,504 bytes free

-----------

The uninstall_list.txt file reads like this:

Add or Remove Adobe Creative Suite 3 Design Premium
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Design Premium
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe Encore CS3 Codecs
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop Lightroom 2.3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server {ko_KR}
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Advanced Font Viewer 5.0
AGEIA PhysX v7.09.13
AHV content for Acrobat and Flash
AnyDVD
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVG Anti-Rootkit Free
AVS DVDMenu Editor 1.2.1.19
AVS Video Tools 5.6
Bonjour
BookSmart™ 1.9.9 1.9.9
Bulk Rename Utility 2, 3, 4, 1
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon EOS 5D WIA Driver
Canon EOS-1Ds Mark II WIA Driver
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon RAW Codec
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.0
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities WFT-E1/E2 Utility
Canon Utilities ZoomBrowser EX
Carbonite
CloneDVD2
Critical Update for Windows Media Player 11 (KB959772)
DriveImage XML (Private Edition)
DxO Optics Pro v4.0
EPSON Printer Software
EPSON Scan
Exact Audio Copy 0.99pb4
Expression 3.3 Preview
FileZilla Client 3.2.2.1
FLAC 1.2.1b (remove only)
Focus Magic 3.02
FontNav
Free 3GP Video Converter version 2.5
Free DVD Decrypter version 1.3
Free Video to iPhone Converter version 2.1
Free Video to iPod Converter version 2.5
GpsBabelWrapper
GSAK 7.2.0.126 (Final)
HandBrake 0.9.3
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hueyPRO 1.5.0
ImageMagick 6.4.5-2 Q16 (2008-11-15)
Img2gps v2.81
ImmerVision PURE TOOLS
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
InterVideo WinDVD 8
iPhone FileExplorer 1.4
iTunes
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Loxley Designer PRO 2.0.0
Malwarebytes' Anti-Malware
Memory-Map OS Edition Version 5
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
Mozilla Sunbird (0.9)
Mozilla Thunderbird (2.0.0.21)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
Noise Ninja 2 (Standalone Version)
NVIDIA Drivers
OpenOffice.org 3.0
Panorama Tools
Paragon Drive Copy 8.0 Personal Special Edition
PDF Settings
PE Builder 3.1.10a
PhotoFrame Pro 3.1
Photosynth
PL-2303 USB-to-Serial
PTDD Partition Table Doctor 3.5
PTGui 8.1.2
QuickTime
RealPlayer
REALVIZ Stitcher Unlimited 5.5
Registry Mechanic 7.0
RoboGEO v5.2.0
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Skype™ 3.8
Sothink SWF Decompiler
SoundMAX
SpeechRedist
Spybot - Search & Destroy
Steam
STOPzilla
System Requirements Lab
TeraCopy 2.0 beta 4
The VR Worx
Uninstall 1.0.0.1
Unlocker 1.8.5
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC 9.0 Runtime
Wacom Tablet Driver
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
WinSCP 4.1.8
xGPS Manager 1.0
Xvid 1.1.3 final uninstall
ZoneAlarm Pro

#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:54 PM

Posted 15 May 2009 - 08:44 AM

Hi again,

You seem to have already tried many things, like Unlocker and ComboFix (I suppose without supervision).
Please make sure you upload the requested files before running the fix.
  • We would like to take a closer look at the following files:
    • C:\UKu.exe
      C:\J5e.bat
      C:\FNH7lQ.txt
      C:\PC7Lo.bat
      C:\uyvY.exe
    • Zip them first, to do that:
      • Go to the C drive.
      • Hold down the Ctrl key and select the files one by one until you have selected all of them.
      • Right-click one of the selected files and select Send To from the context menu => select Compressed (zip) Folder
      • Click Yes to any prompt. A zip file will be created in the same directory the files are located.
    • Click on this link: http://www.bleepingcomputer.com/submit-malware.php?channel=8
    • Click Browse... and navigate to the zip file and highlight it to select.
    • Click Open.
    • Copy the link to this topic in the appropriate box.
    • Click Send File.
  • Please delete the following folder as it might contain infected files:

    C:\keygens

  • Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      :Processes
      explorer.exe
      :Files
      c:\windows\Tasks\At*.job
      c:\*.exe
      c:\*.bat
      C:\PT2YUsPQ.txt
      c:\R9kI.txt
      c:\i3us1h.txt
      c:\FNH7lQ.txt
      c:\Y9kXoP.txt
      c:\GD8LqpdP.txt
      :Reg
      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run]
      "Msn"=-
      "MsnHost"=-
      "MsnLoad"=-
      "MsnConvert"=-
      "MsnMessendger"=-
      [HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
      "Msn"=-
      "MsnHost"=-
      "MsnLoad"=-
      "MsnConvert"=-
      "MsnMessendger"=-
      [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
      "Msn"=-
      "MsnHost"=-
      "MsnLoad"=-
      "MsnConvert"=-
      "MsnMessendger"=-
      [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
      "Msn"=-
      "MsnHost"=-
      "MsnLoad"=-
      "MsnConvert"=-
      "MsnMessendger"=-
      :Commands
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • We need to see the log of ComboFix. Please go to start -> Run.
    • Copy and paste the bold line into the Run box and click OK: c:\combofix.txt
    • A text file opens up, copy and paste the content to your reply.
  • Please copy and paste a fresh HijackThis log to your reply.
Please include in your next reply:
  • The log of OTMoveIt3.
  • The Combofix log.
  • A fresh HijackThis log.
  • Any comment or feedback about how it went.
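The dir listing in post #4 and the OTMoveIt3 script in post #5 can be checked against each other before the fix is run. The Python below is an added example, not part of this thread and not OTMoveIt3's own code (its matching rules are assumed to be plain wildcards, which is an assumption, not something the tool documents here). It parses a `dir /o:d /a` listing, flags root-level clusters of files written in the same minute with an .exe among them (the bat + txt + exe per run pattern visible in the listing), counts At<N>.job tasks created within one minute, and reports any flagged file that no pattern under :Files would match. The listing and script text are constructed subsets of what was posted above.

```python
"""Cross-check a `dir /o:d /a` listing against an OTMoveIt3 :Files section.
Added example: not part of the thread or of OTMoveIt3 (its glob rules are
assumed to be plain wildcards here). Sample text is constructed from the
listing and the script posted in this thread."""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (.+)$")
AT_JOB = re.compile(r"^At\d+\.job$", re.I)

# Constructed subset of the posted dir output (same format, fewer lines).
SAMPLE_LISTING = r"""
 Directory of C:\

03/08/2004 23:00 260,272 cmldr
15/05/2009 12:50 183 J5e.bat
15/05/2009 12:50 49 FNH7lQ.txt
15/05/2009 12:50 6,946 PC7Lo.bat
15/05/2009 12:50 272,896 uyvY.exe
15/05/2009 13:44 21,245 ComboFix.txt
15/05/2009 13:49 48 SFT.txt
15/05/2009 13:49 175 fPOSfRer.bat
15/05/2009 13:49 6,946 vRZCWr4S.bat
15/05/2009 13:49 272,896 Jqd.exe

 Directory of C:\WINDOWS\tasks

15/05/2009 13:49 <DIR> .
22/04/2009 18:50 284 AppleSoftwareUpdate.job
15/05/2009 13:49 362 At1.job
15/05/2009 13:49 362 At2.job
15/05/2009 13:49 362 At3.job
"""

# Constructed subset of the posted OTMoveIt3 script.
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe
:Files
c:\windows\Tasks\At*.job
c:\*.exe
c:\*.bat
c:\FNH7lQ.txt
:Commands
[emptytemp]
"""


def parse_dir_listing(text):
    """One dict per file entry; the 'Directory of' header sets the folder."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Directory of "):
            current = line[len("Directory of "):]
            continue
        m = DIR_LINE.match(line)
        if not m or current is None:
            continue
        date, time, size, name = m.groups()
        if name in (".", ".."):
            continue
        sep = "" if current.endswith("\\") else "\\"
        entries.append({"path": current + sep + name, "dir": current, "name": name,
                        "stamp": f"{date} {time}", "is_dir": size == "<DIR>"})
    return entries


def suspicious_root_clusters(entries, min_files=3):
    """Drive-root files written in the same minute, >= min_files with an .exe among them."""
    by_stamp = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and re.fullmatch(r"[A-Za-z]:\\", e["dir"]):
            by_stamp[e["stamp"]].append(e)
    flagged = []
    for group in by_stamp.values():  # insertion order: dir /o:d is already by date
        if len(group) >= min_files and any(e["name"].lower().endswith(".exe") for e in group):
            flagged.extend(e["path"] for e in group)
    return flagged


def at_job_burst(entries):
    """Largest number of At<N>.job tasks sharing one creation minute."""
    per_minute = defaultdict(int)
    for e in entries:
        if AT_JOB.match(e["name"]):
            per_minute[e["stamp"]] += 1
    return max(per_minute.values(), default=0)


def parse_otmoveit_files(script):
    """Patterns listed under the :Files section of an OTMoveIt3 script."""
    patterns, in_files = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.startswith(":"):
            in_files = line.lower() == ":files"
        elif in_files and line:
            patterns.append(line)
    return patterns


def uncovered(paths, patterns):
    """Flagged paths that no :Files pattern matches (case-insensitive glob, assumed)."""
    return [p for p in paths
            if not any(fnmatchcase(p.lower(), pat.lower()) for pat in patterns)]


def triage(listing, script):
    entries = parse_dir_listing(listing)
    flagged = suspicious_root_clusters(entries)
    return {"flagged": flagged,
            "at_jobs_same_minute": at_job_burst(entries),
            "not_covered_by_script": uncovered(flagged, parse_otmoveit_files(script))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_SCRIPT).items():
        print(key, value)
```

On the constructed sample the coverage check reports C:\SFT.txt: it belongs to a 13:49 cluster, but the :Files section names other .txt files individually and the c:\*.exe and c:\*.bat globs do not reach it. That is the kind of leftover a quick cross-check surfaces before a removal script is run, and it is why the example works from the listing rather than from the file names a person remembers to type.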


#6 esper

esper
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:11:54 PM

Posted 15 May 2009 - 09:37 AM

Hi

The content of the OTMoveIt3 file is:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At44.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At46.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At48.job moved successfully.
c:\windows\Tasks\At49.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At50.job moved successfully.
c:\windows\Tasks\At51.job moved successfully.
c:\windows\Tasks\At52.job moved successfully.
c:\windows\Tasks\At53.job moved successfully.
c:\windows\Tasks\At54.job moved successfully.
c:\windows\Tasks\At55.job moved successfully.
c:\windows\Tasks\At56.job moved successfully.
c:\windows\Tasks\At57.job moved successfully.
c:\windows\Tasks\At58.job moved successfully.
c:\windows\Tasks\At59.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At60.job moved successfully.
c:\windows\Tasks\At61.job moved successfully.
c:\windows\Tasks\At62.job moved successfully.
c:\windows\Tasks\At63.job moved successfully.
c:\windows\Tasks\At64.job moved successfully.
c:\windows\Tasks\At65.job moved successfully.
c:\windows\Tasks\At66.job moved successfully.
c:\windows\Tasks\At67.job moved successfully.
c:\windows\Tasks\At68.job moved successfully.
c:\windows\Tasks\At69.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At70.job moved successfully.
c:\windows\Tasks\At71.job moved successfully.
c:\windows\Tasks\At72.job moved successfully.
c:\windows\Tasks\At73.job moved successfully.
c:\windows\Tasks\At74.job moved successfully.
c:\windows\Tasks\At75.job moved successfully.
c:\windows\Tasks\At76.job moved successfully.
c:\windows\Tasks\At77.job moved successfully.
c:\windows\Tasks\At78.job moved successfully.
c:\windows\Tasks\At79.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At80.job moved successfully.
c:\windows\Tasks\At81.job moved successfully.
c:\windows\Tasks\At82.job moved successfully.
c:\windows\Tasks\At83.job moved successfully.
c:\windows\Tasks\At84.job moved successfully.
c:\windows\Tasks\At85.job moved successfully.
c:\windows\Tasks\At86.job moved successfully.
c:\windows\Tasks\At87.job moved successfully.
c:\windows\Tasks\At88.job moved successfully.
c:\windows\Tasks\At89.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
c:\windows\Tasks\At90.job moved successfully.
c:\windows\Tasks\At91.job moved successfully.
c:\windows\Tasks\At92.job moved successfully.
c:\windows\Tasks\At93.job moved successfully.
c:\windows\Tasks\At94.job moved successfully.
c:\windows\Tasks\At95.job moved successfully.
c:\windows\Tasks\At96.job moved successfully.
c:\a0z.exe moved successfully.
c:\aW08zTYj.exe moved successfully.
c:\DJPFBJK.exe moved successfully.
c:\eUMDyg.exe moved successfully.
c:\hswy.exe moved successfully.
c:\Jqd.exe moved successfully.
c:\MrB.exe moved successfully.
c:\mwkhSGa.exe moved successfully.
c:\U1bdtjfz.exe moved successfully.
c:\UKu.exe moved successfully.
c:\uosXq3BD.exe moved successfully.
c:\uyvY.exe moved successfully.
c:\XcGX.exe moved successfully.
c:\AUTOEXEC.BAT moved successfully.
c:\cJ4u.bat moved successfully.
c:\cU2Xn.bat moved successfully.
c:\dMXUX.bat moved successfully.
c:\Dyy0DE.bat moved successfully.
c:\F1UF5aV2.bat moved successfully.
c:\fPOSfRer.bat moved successfully.
c:\fxDs.bat moved successfully.
c:\GrAeuzL.bat moved successfully.
c:\IX1AB1K.bat moved successfully.
c:\j3CYly.bat moved successfully.
c:\J5e.bat moved successfully.
c:\JJ0N.bat moved successfully.
c:\KavS.bat moved successfully.
c:\Mz4.bat moved successfully.
c:\nbPWk.bat moved successfully.
c:\NLcMt.bat moved successfully.
c:\OUb.bat moved successfully.
c:\PC7Lo.bat moved successfully.
c:\rjnjViW3.bat moved successfully.
c:\UEYsJ.bat moved successfully.
c:\Uk4L.bat moved successfully.
c:\USph.bat moved successfully.
c:\vRZCWr4S.bat moved successfully.
c:\Wzl6EsK.bat moved successfully.
c:\xXVQD4.bat moved successfully.
C:\PT2YUsPQ.txt moved successfully.
c:\R9kI.txt moved successfully.
c:\i3us1h.txt moved successfully.
c:\FNH7lQ.txt moved successfully.
c:\Y9kXoP.txt moved successfully.
c:\GD8LqpdP.txt moved successfully.
========== REGISTRY ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\Msn deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\MsnHost deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\MsnLoad deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\MsnConvert deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\\MsnMessendger deleted successfully.
Registry value HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run\\Msn not found.
Registry value HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run\\MsnHost not found.
Registry value HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run\\MsnLoad not found.
Registry value HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run\\MsnConvert not found.
Registry value HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run\\MsnMessendger not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Msn not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\MsnHost not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\MsnLoad not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\MsnConvert not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\MsnMessendger not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\Msn not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\MsnHost not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\MsnLoad not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\MsnConvert not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\MsnMessendger not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Mark\LOCALS~1\Temp\etilqs_aftiFFna5wx77UVtGPmn scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Mark\LOCALS~1\Temp\~DF349D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Mark\LOCALS~1\Temp\~DFFD62.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\hsperfdata_LOCAL SERVICE\3612 scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3B17BPWW\33t[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_104.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_708.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT023cd.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05152009_145430

Files moved on Reboot...
File C:\DOCUME~1\Mark\LOCALS~1\Temp\etilqs_aftiFFna5wx77UVtGPmn not found!
C:\DOCUME~1\Mark\LOCALS~1\Temp\~DF349D.tmp moved successfully.
C:\DOCUME~1\Mark\LOCALS~1\Temp\~DFFD62.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\hsperfdata_LOCAL SERVICE\3612 scheduled to be moved on reboot.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3B17BPWW\33t[1].htm moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_104.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_708.dat not found!
C:\WINDOWS\temp\ZLT023cd.TMP moved successfully.
C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Mark\Local Settings\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\XUL.mfl moved successfully.

--------------------------

The Combofix log read like this:

ComboFix 09-05-14.06 - Mark 15/05/2009 13:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1595 [GMT 1:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-15 12:08 . 2009-05-15 12:08 272896 ----a-w C:\mwkhSGa.exe
2009-05-15 12:08 . 2009-05-15 12:08 6946 ----a-w C:\OUb.bat
2009-05-15 12:08 . 2009-05-15 12:08 198 ----a-w C:\j3CYly.bat
2009-05-15 11:50 . 2009-05-15 11:50 272896 ----a-w C:\uyvY.exe
2009-05-15 11:50 . 2009-05-15 11:50 6946 ----a-w C:\PC7Lo.bat
2009-05-15 11:50 . 2009-05-15 11:50 183 ----a-w C:\J5e.bat
2009-05-15 11:49 . 2009-05-15 11:49 272896 ----a-w C:\UKu.exe
2009-05-15 11:49 . 2009-05-15 11:49 6946 ----a-w C:\GrAeuzL.bat
2009-05-15 11:49 . 2009-05-15 11:49 178 ----a-w C:\Mz4.bat
2009-05-15 11:47 . 2009-05-15 11:47 272896 ----a-w C:\U1bdtjfz.exe
2009-05-15 11:47 . 2009-05-15 11:47 6946 ----a-w C:\cJ4u.bat
2009-05-15 11:47 . 2009-05-15 11:47 201 ----a-w C:\Uk4L.bat
2009-05-15 11:38 . 2009-05-15 11:38 272896 ----a-w C:\MrB.exe
2009-05-15 11:38 . 2009-05-15 11:38 180 ----a-w C:\xXVQD4.bat
2009-05-15 11:12 . 2009-05-15 11:12 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-05-15 08:36 . 2009-05-15 08:36 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-05-15 08:35 . 2009-05-15 08:35 -------- d-----w c:\program files\STOPzilla!
2009-05-15 08:35 . 2009-05-15 08:35 -------- d-----w c:\program files\Common Files\iS3
2009-05-15 08:35 . 2009-05-15 11:38 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-05-14 23:44 . 2009-05-14 23:45 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-05-14 23:43 . 2008-10-09 12:25 1221008 ----a-w c:\windows\system32\zpeng25.dll
2009-05-14 23:43 . 2009-05-15 00:07 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-14 23:43 . 2009-05-14 23:43 -------- d-----w c:\program files\Zone Labs
2009-05-14 23:42 . 2009-05-15 11:45 -------- d-----w c:\windows\Internet Logs
2009-05-14 23:15 . 2009-05-15 11:23 -------- d-----w c:\program files\Enigma Software Group
2009-05-13 14:28 . 2009-05-13 14:28 17408 ----a-r c:\windows\system32\SZIO5.dll
2009-05-13 14:27 . 2009-05-13 14:27 294912 ----a-r c:\windows\system32\SZBase5.dll
2009-05-13 14:27 . 2009-05-13 14:27 540672 ----a-r c:\windows\system32\SZComp5.dll
2009-05-12 14:29 . 2009-05-12 15:22 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-12 14:29 . 2009-05-12 15:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-12 13:52 . 2007-01-18 12:00 3968 ----a-w c:\windows\system32\drivers\AvgArCln.sys
2009-05-12 13:13 . 2009-05-12 13:13 61328 ----a-r c:\windows\system32\drivers\SZKG.sys
2009-05-12 01:16 . 2009-05-12 23:35 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-12 00:31 . 2009-05-12 00:31 -------- d-----w c:\documents and settings\Mark\Application Data\Malwarebytes
2009-05-12 00:31 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-12 00:31 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-12 00:31 . 2009-05-12 00:31 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-12 00:31 . 2009-05-12 00:31 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-12 00:16 . 2009-05-12 00:16 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2009-05-11 10:07 . 2009-05-11 10:07 -------- d--h--w c:\windows\PIF
2009-05-10 23:54 . 2009-05-10 23:54 -------- d-----w c:\documents and settings\Mark\Application Data\Loxley Designer PRO
2009-05-10 23:53 . 2009-05-10 23:54 -------- d-----w c:\program files\Loxley Designer PRO
2009-05-04 11:27 . 2004-03-05 11:52 8876032 ----a-w c:\windows\system32\FocusMag.dll
2009-05-04 11:27 . 2009-05-04 11:27 -------- d-----w c:\program files\Focus Magic
2009-05-01 23:44 . 2009-05-02 22:18 -------- d-----w c:\windows\SxsCaPendDel
2009-05-01 23:34 . 2009-05-01 23:34 -------- d-----w c:\documents and settings\Mark\Application Data\SharePod
2009-05-01 12:25 . 2009-05-01 12:25 -------- d-----w c:\documents and settings\Mark\Application Data\Kernel Ost to Pst (Evaluation Version)
2009-04-29 15:04 . 2009-04-29 15:04 -------- d-----w c:\program files\iPod
2009-04-29 15:04 . 2009-04-29 15:05 -------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-04-29 13:55 . 2009-05-01 23:45 -------- d-----w c:\program files\Tansee iPhone Transfer Photo
2009-04-28 23:18 . 2009-04-28 23:18 -------- d-----w c:\documents and settings\Mark\Application Data\CopyTransPhoto
2009-04-28 23:17 . 2009-04-28 23:17 -------- d-----w c:\documents and settings\Mark\Application Data\CopyTransControlCenter
2009-04-28 22:48 . 2009-04-28 22:48 -------- d-----w c:\documents and settings\Mark\Local Settings\Application Data\tcbackup
2009-04-22 19:11 . 2009-04-22 19:12 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 19:04 . 2009-03-26 14:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-04-20 22:31 . 2009-04-20 22:31 -------- d-----w c:\program files\1am Studios
2009-04-20 20:41 . 2009-04-20 20:41 -------- d-----w c:\documents and settings\Mark\Application Data\OpenOffice.org
2009-04-20 20:36 . 2009-04-20 20:36 -------- d-----w c:\program files\JRE
2009-04-20 20:36 . 2009-04-20 20:36 -------- d-----w c:\program files\OpenOffice.org 3
2009-04-16 23:05 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 23:05 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 23:05 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 23:05 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 23:05 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 23:05 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 23:05 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 23:05 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 23:05 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 23:03 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 23:03 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 11:32 . 2007-10-15 00:37 251 ----a-w c:\windows\system32\tablet.dat
2009-05-15 11:31 . 2009-05-15 11:31 240 ----a-w c:\windows\system32\drivers\kgpcpy.cfg
2009-05-15 09:25 . 2008-07-30 01:06 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-15 00:43 . 2007-10-15 01:12 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-12 23:50 . 2008-11-17 00:53 -------- d-----w c:\program files\Steam
2009-05-12 23:37 . 2007-11-15 23:06 -------- d-----w c:\program files\Unreal Tournament 3 Demo
2009-04-29 15:05 . 2008-11-10 01:09 -------- d-----w c:\program files\iTunes
2009-04-29 15:04 . 2008-09-24 12:57 -------- d-----w c:\program files\Common Files\Apple
2009-04-29 13:49 . 2007-10-17 12:19 -------- d-----w c:\program files\Real
2009-04-22 19:09 . 2007-11-10 22:40 -------- d-----w c:\program files\QuickTime
2009-04-22 19:02 . 2007-11-29 15:05 -------- d-----w c:\program files\Bonjour
2009-04-20 22:33 . 2007-10-14 23:46 64096 ----a-w c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 23:37 . 2007-10-18 19:17 -------- d-----w c:\program files\Java
2009-04-01 00:41 . 2008-02-23 22:43 -------- d-----w c:\program files\Canon
2009-03-31 23:04 . 2009-03-31 23:04 -------- d-----w c:\program files\WinSCP
2009-03-30 10:06 . 2009-03-30 10:06 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-27 10:27 . 2009-03-27 01:26 -------- d-----w c:\program files\xGPS Manager
2009-03-27 09:56 . 2009-03-27 09:56 126976 ----a-r c:\windows\system32\IS3HTUI5.dll
2009-03-27 09:55 . 2009-03-27 09:55 393216 ----a-r c:\windows\system32\IS3DBA5.dll
2009-03-27 09:55 . 2009-03-27 09:55 372736 ----a-r c:\windows\system32\IS3UI5.dll
2009-03-27 09:55 . 2009-03-27 09:55 61440 ----a-r c:\windows\system32\IS3Hks5.dll
2009-03-27 09:54 . 2009-03-27 09:54 23040 ----a-r c:\windows\system32\IS3XDat5.dll
2009-03-27 09:54 . 2009-03-27 09:54 221184 ----a-r c:\windows\system32\IS3Win325.dll
2009-03-27 09:54 . 2009-03-27 09:54 94208 ----a-r c:\windows\system32\IS3Inet5.dll
2009-03-27 09:53 . 2009-03-27 09:53 90112 ----a-r c:\windows\system32\IS3Svc5.dll
2009-03-27 09:50 . 2009-03-27 09:50 716800 ----a-r c:\windows\system32\IS3Base5.dll
2009-03-26 14:23 . 2008-11-10 01:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-19 15:32 . 2007-10-16 21:14 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 22:59 . 2007-10-26 12:13 -------- d-----w c:\program files\Unlocker
2009-03-09 04:19 . 2008-12-07 05:38 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-12 13:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-28 14:24 . 2009-02-28 12:27 1023 ----a-w c:\windows\fnerr.dat
2009-02-20 08:10 . 2004-08-12 13:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-12 13:19 81920 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-10-09 15:52 579728 ----a-r c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-10-09 15:52 579728 ----a-r c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-10-09 15:52 579728 ----a-r c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVD.exe" [2007-06-05 1379016]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Msn"="c:\mwkhSGa.exe" [2009-05-15 272896]
"MsnHost"="c:\mwkhSGa.exe" [2009-05-15 272896]
"MsnLoad"="c:\mwkhSGa.exe" [2009-05-15 272896]
"MsnConvert"="c:\mwkhSGa.exe" [2009-05-15 272896]
"MsnMessendger"="c:\mwkhSGa.exe" [2009-05-15 272896]

c:\documents and settings\Mark\Start Menu\Programs\Startup\
WFTPairing.lnk - c:\program files\Canon\EOS Utility\WFTPairing\WFTPairing.exe [2007-2-13 671744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hueyPROTray.lnk - c:\program files\Pantone\hueyPRO\hueyPROTray.exe [2007-10-27 1081344]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-10-15 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\M:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\xGPS Manager\\xGPSManager.exe"=
"c:\\Program Files\\Windows NT\\hypertrm.exe"=
"c:\\Program Files\\1am Studios\\iPhone FileExplorer 1.4\\IPhoneFileExplorer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 hotcore;hotcore;c:\windows\system32\drivers\hotcore.sys [07/02/2009 00:28 30820]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [12/05/2009 14:13 61328]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [31/03/2009 23:59 47640]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - The_Pirate_Bay Customized Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=2&q=
FF - component: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - component: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFAlert.dll
FF - component: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\v798lmas.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Photosynth\Tech Preview\nppsynth.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-329068152-2147145749-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:90,1e,59,3e,ff,19,67,54,c7,5c,12,7e,47,22,4c,b2,f3,d2,d7,66,f3,48,d9,
ef,af,a2,a8,54,99,72,c3,db,5d,88,09,1a,2e,d0,f8,66,e5,35,d5,a6,27,5d,15,fb,\
"??"=hex:c3,81,f5,83,44,2e,9c,c3,2e,b9,5f,8c,d6,f6,50,fd

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:ae,93,6d,36,61,38,62,c5,e2,40,3b,d0,a7,d1,23,42,ac,c5,65,95,a7,
85,f7,20,54,a3,43,2b,53,b6,5b,91,20,10,79,23,9f,43,bd,51,4d,01,6a,36,a2,f2,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:ae,93,6d,36,61,38,62,c5,e2,40,3b,d0,a7,d1,23,42,ac,c5,65,95,a7,
85,f7,20,54,a3,43,2b,53,b6,5b,91,20,10,79,23,9f,43,bd,51,4d,01,6a,36,a2,f2,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

- - - - - - - > 'explorer.exe'(1644)
c:\windows\system32\tabhook.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-05-15 13:44
ComboFix-quarantined-files.txt 2009-05-15 12:44

Pre-Run: 15,708,913,664 bytes free
Post-Run: 15,768,227,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

275 --- E O F --- 2009-05-13 02:02

--------------------------

The latest Hijackthis file read like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:31:43, on 15/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Canon\EOS Utility\WFTPairing\WFTPairing.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Canon\EOS Utility\WFTPairing\EOSUPNPSV.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mark\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: WFTPairing.lnk = C:\Program Files\Canon\EOS Utility\WFTPairing\WFTPairing.exe
O4 - Global Startup: hueyPROTray.lnk = C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9407 bytes


--------------------------

Upon rebooting (as part of OTMoveIt3.exe) StopZilla identified a number of entries for "Catchme" spyware. I got it to clean out the entries and then the log file for OTMoveIt3 popped up. There are some .txt files left over in the C:\ folder from the .exe's and .bat's that have been removed but no new fresh ones so far. Looking cautiously good.

Esper.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 15 May 2009 - 10:32 AM

Well done and thanks for uploading the files and the feedback. :thumbup2:

Those harmless text file leftovers could be removed.

Please keep the Teatimer disabled until we are done.
  • Open a notepad (Start > Run and type in Notepad ) make sure the wordwrap under Format menu is not selected.
    Copy and paste the text in code box into it.

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
    00,00
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order for the changes to take place.

  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • You have the latest version of Java (version 6 update 13) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7


  • AVG 7 is outdated and no longer supported. You need to download the AVG 8 setup file, uninstall AVG 7 and then install AVG 8. But I don't see its entry on the Add/Remove list. Try to find the installer (start -> All Programs -> AVG -> there should be a shortcut to the uninstaller). Otherwise you have to look for it in the AVG folder in C:\Program Files and run it from there.


    Visit http://free.avg.com/download?prd=afe to download AVG 8 setup file to your desktop. Don't install it yet.
    • Now uninstall AVG 7.
    • Reboot.
    • Double click the downloaded setup file to Install AVG 8 then update it.
    • On the left side click Computer scanner and select Scan whole computer.
    • When the scan has finished, under the Result Overview tab at the end of the scan result, click Export overview to file.
    • Select File Type: All files, Name: scan.txt and save it on your desktop.
    • Under the Warnings tab press Remove all unhealed infections. Then close the application.
    • Copy/paste the content of scan.txt located on your desktop to your reply.
  • Please copy and paste a fresh Hijackthis log to your reply for a final review and tell me how the computer is running.
Please include in your next reply:
  • The log of MBAM.
  • The AVG 8 log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.
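The regfix.reg in the post above restores BootExecute, the Session Manager value that lists native programs Windows runs before logon (the XP default is the single entry "autocheck autochk *"), which is why an unexpected extra entry there matters. As an added example, not code from this thread or from any of the tools it mentions, the Python below parses a REGEDIT4 export, joins the backslash-continued hex(7) byte list, decodes it as REG_MULTI_SZ and checks it against that default. The function names, the SESSION_MANAGER_KEY constant and the constructed non-default sample in the test are assumptions of this example.

```python
import re

# The .reg text from the reply above, embedded verbatim so the check runs offline.
REGFIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
00,00
"""

# Assumed constant names for this example.
SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager"
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]  # Windows XP default (one REG_MULTI_SZ entry)


def parse_reg(text):
    """Parse a REGEDIT4 / 'Version 5.00' export into {key: {name: (type, data)}}.

    Handles the subset needed here: [key] headers, "name"=... lines, hex(N): byte
    lists continued across lines with a trailing backslash, plus REG_SZ and dword.
    """
    result, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.upper().startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        # A trailing backslash means the byte list continues on the next line.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        hm = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
        if hm:
            vtype = int(hm.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
            raw = bytes(int(b, 16) for b in hm.group(2).split(",") if b.strip())
            result[current][name] = (vtype, raw)
        elif data.startswith('"') and data.endswith('"'):
            result[current][name] = (1, data[1:-1])      # REG_SZ
        elif data.startswith("dword:"):
            result[current][name] = (4, int(data[6:], 16))  # REG_DWORD
    return result


def decode_multi_sz(raw, utf16=False):
    """Decode REG_MULTI_SZ bytes into a list of strings.

    REGEDIT4 exports store hex(7) as single-byte ANSI; 'Windows Registry Editor
    Version 5.00' exports store UTF-16LE (pass utf16=True). The list is NUL-separated
    and ends with an extra NUL, which produces trailing empty strings we drop.
    """
    parts = raw.decode("utf-16-le" if utf16 else "latin-1").split("\x00")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def bootexecute_entries(reg_text):
    """Return the BootExecute entries found in a .reg export of the Session Manager key."""
    parsed = parse_reg(reg_text)
    key = next(k for k in parsed if k.lower().endswith(r"control\session manager"))
    vtype, raw = parsed[key]["BootExecute"]
    if vtype != 7:
        raise ValueError("BootExecute should be REG_MULTI_SZ (hex(7)), got type %d" % vtype)
    utf16 = reg_text.lstrip().startswith("Windows Registry Editor")
    return decode_multi_sz(raw, utf16)


def bootexecute_is_default(reg_text):
    """True when BootExecute holds exactly the XP default and nothing else."""
    return bootexecute_entries(reg_text) == DEFAULT_BOOTEXECUTE


def encode_multi_sz_reg(key, name, entries):
    """Build a REGEDIT4 snippet carrying a REG_MULTI_SZ value (used to construct samples)."""
    raw = ("\x00".join(entries) + "\x00\x00").encode("latin-1")
    return 'REGEDIT4\n\n[%s]\n"%s"=hex(7):%s\n' % (key, name, ",".join("%02x" % b for b in raw))


if __name__ == "__main__":
    print("BootExecute entries:", bootexecute_entries(REGFIX))
    print("matches XP default:", bootexecute_is_default(REGFIX))
```

On a live system the same check can be run against a `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" out.reg` file (that export uses the Version 5.00 header, so the UTF-16 branch applies); any entry beyond the default is worth identifying before the machine is considered clean.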


#8 esper

esper
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:UK

Posted 15 May 2009 - 10:54 AM

Thanks again for the help.

I'm going to split this reply over two messages (as AVG 8 is going to be quite some time doing the scan....) :)

The Malwarebytes didn't pick anything up and the log read as follows:

Malwarebytes' Anti-Malware 1.36
Database version: 2135
Windows 5.1.2600 Service Pack 3

15/05/2009 16:46:33
mbam-log-2009-05-15 (16-46-33).txt

Scan type: Quick Scan
Objects scanned: 87092
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I've removed the versions of Java you specified so I'll post the AVG log and a fresh Hijackthis once it's complete.

All looking good, :thumbup2:

Esper.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 May 2009 - 04:06 PM

Are you still there Esper?

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 May 2009 - 05:43 PM

This thread will now be closed as the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.
