
Going Spyware Crazy


28 replies to this topic

#1 ydbird

Posted 22 April 2007 - 01:16 AM

9:28 PM 4/21/2007
Logfile of HijackThis v1.99.1
Scan saved at 9:27:50 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\msdrv.exe
C:\WINDOWS\msdrv.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\owinnodv.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\micro1\b9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kasia Sawicz\Desktop\PC Repair\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: VPNS System - {366B2151-E1C7-44a3-86A3-E5686C2A3D2F} - C:\WINDOWS\iedrives.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {5ACE21A1-2B14-4354-8F92-8C3DCC2C7936} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Root.CERT - {D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
O2 - BHO: (no name) - {F0342425-1792-4F9C-9ADE-6BCAFB615293} - C:\Program Files\Common Files\quso.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\eno36.exe SKY003
O4 - HKLM\..\Run: [win3208841710697] C:\WINDOWS\win3208841710697.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [sys09417106978] C:\WINDOWS\sys09417106978.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinnodv.exe SKY001
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\dlslpg.exe reg_run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\eno36.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnodv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'abcdefgh.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2418A47-C702-44F7-A074-2B87AE62D4D7}: NameServer = ,
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: tQMznGUJSv - {18DC8C23-B276-2689-3585-3AB6560448E3} - (no file)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 Rahina (Security Helper)

Posted 22 April 2007 - 01:54 PM

Hello ydbird! Welcome to The Forums.

My name is Rahina Rescue and I will be handling your log to help you get cleaned up.

Please give me some time to look it over and I will get back to you as soon as possible.
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#3 Rahina (Security Helper)

Posted 23 April 2007 - 04:32 AM

Hello again :thumbsup:

Step #1

We have to move HijackThis to its own folder, because in its current location we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entries later.

Click START > My Computer > right click Local Disk (usually (C:) for most people) > Explore.
Right click an open area in the main panel.
Select New > Folder.
Type in HJT & press Enter.

Now we have created the C:\HJT\ folder. Put your HijackThis.exe there.

Step #2
  • Please download LSPFix
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of abcdefgh.dll.
  • Select every instance of abcdefgh.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.

Step #3

Please download ComboFix to your desktop.
  • Double click on Combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Step #4

Download the latest version of Java Runtime Environment (JRE) 6

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.

Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

Step #5

In your next reply to this thread please post the following logfiles:
  • Combofix.txt
  • Hijackthis Logfile

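A small parser for the HijackThis log format posted in this thread, added here as an example (it is not code from the thread, from HijackThis or from LSPFix). It pulls out the O10 broken-LSP entry that Step #2 removes with LSPFix, the O4 Run/RunOnce registry autostarts, and every entry HijackThis already marks "(no file)" or "(file missing)", so a helper can triage a posted log before deciding what to fix. The sample log is constructed from lines in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One HijackThis log line: a section code (R0..R3, F0..F2, O1..O23), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Markers HijackThis itself appends when the referenced file does not exist on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# O4 registry autostart body as HijackThis writes it:  HKLM\..\Run: [name] command
O4_RUNKEY = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# O10 body for a dangling Winsock LSP entry (the condition LSPFix repairs).
O10_BROKEN_LSP = re.compile(r"LSP provider '(?P<dll>[^']+)' missing")


@dataclass
class HjtEntry:
    code: str      # section code, e.g. "O4"
    body: str      # text after "O4 - "
    missing: bool  # HijackThis flagged the target file as absent


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Turn HijackThis log text into entries; header and process-list lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        flagged = any(marker in body for marker in MISSING_MARKERS)
        entries.append(HjtEntry(m.group("code"), body, flagged))
    return entries


def broken_lsp_dlls(entries: List[HjtEntry]) -> List[str]:
    """DLL names from O10 lines that report a missing LSP provider."""
    found = []
    for e in entries:
        if e.code == "O10":
            m = O10_BROKEN_LSP.search(e.body)
            if m:
                found.append(m.group("dll"))
    return found


def run_autostarts(entries: List[HjtEntry]) -> List[Tuple[str, str, str, str]]:
    """(hive, key, value name, command) for each O4 Run/RunOnce registry autostart."""
    found = []
    for e in entries:
        if e.code == "O4":
            m = O4_RUNKEY.match(e.body)
            if m:
                found.append((m.group("hive"), m.group("key"), m.group("name"), m.group("cmd")))
    return found


def dangling_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries whose target HijackThis already reports as missing: orphaned references."""
    return [e for e in entries if e.missing]


def triage(log_text: str) -> Dict[str, list]:
    """One-shot summary of the three things a helper reads first in a posted log."""
    entries = parse_hjt(log_text)
    return {
        "broken_lsp": broken_lsp_dlls(entries),
        "autostarts": run_autostarts(entries),
        "dangling": [f"{e.code} - {e.body}" for e in dangling_entries(entries)],
    }


# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: VPNS System - {366B2151-E1C7-44a3-86A3-E5686C2A3D2F} - C:\WINDOWS\iedrives.dll
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\eno36.exe SKY003
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\eno36.exe
O10 - Broken Internet access because of LSP provider 'abcdefgh.dll' missing
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"{section}:")
        for item in items:
            print("   ", item)
```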

#4 ydbird (Topic Starter)

Posted 23 April 2007 - 04:41 PM

Hello Rahina Rescue, it is a pleasure to meet you.

Thank you for your help.

I have followed your instructions and have posted the logs.

9:28 PM 4/21/2007
Logfile of HijackThis v1.99.1
Scan saved at 9:27:50 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\msdrv.exe
C:\WINDOWS\msdrv.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\owinnodv.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\micro1\b9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kasia Sawicz\Desktop\PC Repair\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: VPNS System - {366B2151-E1C7-44a3-86A3-E5686C2A3D2F} - C:\WINDOWS\iedrives.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {5ACE21A1-2B14-4354-8F92-8C3DCC2C7936} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Root.CERT - {D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
O2 - BHO: (no name) - {F0342425-1792-4F9C-9ADE-6BCAFB615293} - C:\Program Files\Common Files\quso.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\eno36.exe SKY003
O4 - HKLM\..\Run: [win3208841710697] C:\WINDOWS\win3208841710697.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [sys09417106978] C:\WINDOWS\sys09417106978.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\owinnodv.exe SKY001
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\dlslpg.exe reg_run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\eno36.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnodv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'abcdefgh.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2418A47-C702-44F7-A074-2B87AE62D4D7}: NameServer = ,
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: tQMznGUJSv - {18DC8C23-B276-2689-3585-3AB6560448E3} - (no file)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


"Kasia Sawicz" - 07-04-22 18:49:00 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Kasia Sawicz\Desktop\


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKLM\...\Run C:\WINDOWS\system32\dlslpg.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-22 17:46 91,648 --a------ C:\WINDOWS\system32\dlslpg.exe
2007-04-22 17:46 46,080 --a------ C:\WINDOWS\system32\gssssjf.dll
2007-04-22 12:50 <DIR> d-------- C:\DOCUME~1\KASIAS~1\APPLIC~1\Comodo
2007-04-22 12:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-04-22 12:19 <DIR> d-------- C:\Program Files\Comodo
2007-04-21 09:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-21 00:19 10,240 --a------ C:\WINDOWS\system32\bjaja.dll
2007-04-18 16:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-18 16:03 <DIR> d-------- C:\Program Files\CCleaner
2007-04-15 22:34 10,920 --a------ C:\aolconnfix.exe
2007-04-12 13:50 135,432 --a------ C:\WINDOWS\system32\abcdefgh.dll
2007-04-12 12:55 931 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-04-12 12:21 91,849 --a------ C:\WINDOWS\system32\inst.exe
2007-04-12 12:16 184,443 --a------ C:\WINDOWS\system32\owinnodv.exe
2007-04-12 11:58 91,849 --a------ C:\WINDOWS\inst.exe
2007-04-12 11:50 88,367 --a------ C:\WINDOWS\itpb_3.exe
2007-04-12 11:50 133,829 --a------ C:\WINDOWS\itpb_7.exe
2007-04-12 11:49 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-12 11:49 105,434 --a------ C:\WINDOWS\VTTC.exe
2007-04-12 11:49 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-09 15:09 1 --a------ C:\WINDOWS\system32\ps.dat
2007-04-09 13:04 184,320 --a------ C:\WINDOWS\win3208841710697.exe
2007-04-09 13:04 184,320 --a------ C:\WINDOWS\sys09417106978.exe
2007-04-09 13:04 184,320 --a------ C:\WINDOWS\ms03106978417.exe
2007-04-09 08:54 85,960 --a------ C:\WINDOWS\sammy.exe
2007-04-06 15:27 139,264 --a------ C:\Program Files\Common Files\quso.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required
Rootkit driver pe386 is present. ... attempting disinfection
msguard ...... driver unloaded successfully.
ADS removed - system32: deleted 80888 bytes in 1 streams.

2007-04-22 17:48 -------- d-------- C:\Program Files\symantec antivirus
2007-04-22 17:46 18944 --a------ C:\WINDOWS\system32\obmbanx.exe
2007-04-22 02:01 351 --a------ C:\WINDOWS\trirp.dll
2007-04-21 10:19 -------- d-------- C:\Program Files\quicktime
2007-04-21 10:14 -------- d-------- C:\Program Files\ltcufrt
2007-04-21 09:51 -------- d-------- C:\Program Files\myway
2007-04-20 22:00 -------- d-------- C:\Program Files\microsoft home publishing 2000
2007-03-16 08:20 -------- d-------- C:\DOCUME~1\KASIAS~1\APPLIC~1\viewpoint
2007-03-13 11:54 -------- d-------- C:\Program Files\verizon
2007-03-02 01:49 9 --a------ C:\WINDOWS\offnm.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
{F0342425-1792-4F9C-9ADE-6BCAFB615293} C:\Program Files\Common Files\quso.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{ZN}"="C:\\WINDOWS\\system32\\micro1\\eno36.exe SKY003"
"win3208841710697"="C:\\WINDOWS\\win3208841710697.exe"
"Tpwrtray"="TPWRTRAY.EXE"
"TFNF5"="TFNF5.exe"
"TFncKy"="TFncKy.exe /Type 20"
"sys09417106978"="C:\\WINDOWS\\sys09417106978.exe"
"S3TRAY2"="S3Tray2.exe"
"S3Hotkey"="s3hotkey.exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"ms03106978417"="C:\\WINDOWS\\ms03106978417.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"bantool"="C:\\WINDOWS\\system32\\micro1\\b9.exe"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LDM"="C:\\Program Files\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"mrtcli"="C:\\WINDOWS\\system32\\mrtcli.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"uimz"="C:\\PROGRA~1\\COMMON~1\\uimz\\uimzm.exe"
"mrtcli"="C:\\WINDOWS\\system32\\mrtcli.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"\\1.exe"="C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Tools\\1.exe"
"msdrvctrl"="C:\\WINDOWS\\msdrvctrl.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"\\1.exe"="C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Tools\\1.exe"
"asycli"="C:\\WINDOWS\\system32\\asycli.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"mrtcli"="C:\\WINDOWS\\system32\\mrtcli.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"tQMznGUJSv"="{18DC8C23-B276-2689-3585-3AB6560448E3}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwprovau\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kasia Sawicz^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Kasia Sawicz\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\owinnodv.exe SKY001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\elitemedia]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="elitemediapop"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\elitemediapop.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InkMonitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-22 18:57:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-04-22 19:01:00 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-22 19:01


01-08-23 22:00	  119384	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\notify.wav.vir
03-02-20 21:38	  52224	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_80.exe.vir
03-06-01 23:02	  44544	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall4_88.exe.vir
03-09-16 16:59	  49664	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall5_40.exe.vir
03-10-12 23:36	  49664	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall5_48.exe.vir
04-02-09 23:37	  49664	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall5_64.exe.vir
04-03-09 18:19	  49664	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall6_10.exe.vir
04-04-05 08:48	  49664	--a------	C:\Qoobox\Quarantine\C\WINDOWS\NDNuninstall6_22.exe.vir
05-01-30 05:59	  62976	--a------	C:\Qoobox\Quarantine\C\Program Files\Windows AdStatus\WinStatComm.dll.vir
05-12-08 09:22	  0	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\timessquare1.dat.vir
05-12-08 09:23	  53248	--a------	C:\Qoobox\Quarantine\C\inrh9400.exe.vir
05-12-13 08:39	  23936	--a------	C:\Qoobox\Quarantine\C\31145.exe.vir
06-01-20 18:17	  57344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\elitemediapop.exe.vir
06-01-20 18:18	  319294	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\YOINSI.exe.vir
06-01-25 13:46	  10752	--a------	C:\Qoobox\Quarantine\C\WINDOWS\winsysupd3.exe.vir
06-01-25 13:46	  352	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\winsysupd1.dat.vir
06-01-25 13:46	  46476	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\winsysban3.exe.vir
06-02-01 20:56	  219080	--a--c---	C:\Qoobox\Quarantine\C\WINDOWS\pf78.exe.vir
06-02-04 11:21	  32768	--a------	C:\Qoobox\Quarantine\C\WINDOWS\eliteunstall.exe.vir
06-08-29 03:24	  156	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\title_back.gif.vir
06-09-28 18:58	  1722	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\save_button.gif.vir
06-09-28 18:58	  1796	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\cancel_button.gif.vir
06-11-13 17:23	  179	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\history.html.vir
06-11-14 21:08	  4856	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\hs_search.bmp.vir
06-11-14 21:13	  4856	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\hs_delete.bmp.vir
06-11-30 23:25	  1925	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\options.html.vir
06-12-23 00:59	  7734	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\icons.bmp.vir
07-01-26 10:29	  18	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\version.txt.vir
07-02-08 11:35	  5334	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\mbclose.bmp.vir
07-02-08 12:00	  58	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\mblogo.bmp.vir
07-02-20 01:30	  229	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\deskbar.crc.vir
07-02-20 01:30	  475136	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\deskbar.dll.vir
07-02-20 01:30	  4798	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\basis.xml.vir
07-02-20 01:30	  717	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\deskbar.inf.vir
07-03-08 03:22	  1	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\bund1\temp.txt.vir
07-03-15 10:46	  57344	--a------	C:\Qoobox\Quarantine\C\WINDOWS\uni_eh10.exe.vir
07-03-21 08:53	  340936	--a------	C:\Qoobox\Quarantine\C\WINDOWS\funnies.exe.vir
07-04-06 16:49	  53248	--a------	C:\Qoobox\Quarantine\C\WINDOWS\111uninst.exe.vir
07-04-12 11:49	  704805	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\bund1\ClientBundle1.exe.vir
07-04-12 11:50	  0	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\Cache\045b4f7adac10e512896af2a0470f433.xml.vir
07-04-12 11:50	  1044480	--a------	C:\Qoobox\Quarantine\C\WINDOWS\cfg32.exe.vir
07-04-12 11:50	  105434	--a------	C:\Qoobox\Quarantine\C\WINDOWS\TTC.exe.vir
07-04-12 11:50	  18	--a------	C:\Qoobox\Quarantine\C\Program Files\DeskAlerts\newversion.txt.vir
07-04-12 11:51	  696320	--a------	C:\Qoobox\Quarantine\C\WINDOWS\cfg32a.exe.vir
07-04-12 11:53	  829237	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\KASIAS~1\APPLIC~1\Dxcknwrd.dll.vir
07-04-12 11:56	  44544	--a------	C:\Qoobox\Quarantine\C\WINDOWS\updater.exe.vir
07-04-12 11:56	  91849	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\inst.exe.exe.vir
07-04-12 11:56	  96969	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\zup.exe.exe.vir
07-04-12 11:58	  3	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtsmt.dll.vir
07-04-12 11:58	  3	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtsmtspm.dll.vir
07-04-12 11:58	  3	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtforum.dll.vir
07-04-12 11:58	  3	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtsmt.dll.vir
07-04-12 11:58	  3	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtsmtspm.dll.vir
07-04-12 11:58	  3	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\sfxzmtwbmail.dll.vir
07-04-12 11:58	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtaim.dll.vir
07-04-12 11:58	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtforum.dll.vir
07-04-12 11:58	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtgtal.dll.vir
07-04-12 11:58	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmticq.dll.vir
07-04-12 11:58	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtwbmail.dll.vir
07-04-12 11:58	  48	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pfxzmtymsg.dll.vir
07-04-12 13:28	  28	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\qvx5gamet2.exe.vir
07-04-12 13:32	  32768	--a------	C:\Qoobox\Quarantine\C\WINDOWS\msdrvctrl.exe.vir
07-04-12 13:32	  32768	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\msdrvctrl.exe.vir
07-04-12 13:32	  69120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\msdrv.exe.vir
07-04-12 13:32	  69120	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\msdrv.exe.vir
07-04-12 13:32	  69632	--a------	C:\Qoobox\Quarantine\C\WINDOWS\iedrives.dll.vir
07-04-12 13:32	  69632	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\iedrives.dll.vir
07-04-12 17:03	  12364	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vexga5me3.exe.vir
07-04-12 17:03	  1632	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vexga8me6.exe.vir
07-04-12 17:03	  18944	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vexga4me1.exe.vir
07-04-12 17:03	  6857	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\vexg4am1et2.exe.vir
07-04-12 17:04	  1632	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\qvxga7met4.exe.vir
07-04-15 01:58	  28	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\KASIAS~1\APPLIC~1\Dxccwrd.dll.vir
07-04-15 01:58	  57	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\KASIAS~1\APPLIC~1\Dxcuknwrd.dll.vir
07-04-15 14:18	  32595	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\KASIAS~1\APPLIC~1\Microsoft\60787.dat.vir
07-04-15 14:39	  112	--a------	C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\desktop.ini.vir
07-04-20 21:48	  0	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\KASIAS~1\APPLIC~1\Install.dat.vir
07-04-22 14:21	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\BIT3F.tmp.vir
07-04-22 14:22	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\BIT3.tmp.vir
07-04-22 14:23	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\BIT9.tmp.vir
07-04-22 14:25	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\BIT483.tmp.vir
07-04-22 14:31	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\msdrives\BIT48.tmp.vir
07-04-22 18:20	  1268	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_DRIVERPP.reg.cf
07-04-22 18:20	  2730	--a------	C:\Qoobox\Quarantine\Registry_backups\services_driverpp.reg.cf
07-04-22 18:20	  870	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
07-04-22 18:20	  876	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINCOM32.reg.cf
07-04-22 18:20	  958	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf


Folder PATH listing
Volume serial number is 18DC-8C22


#5 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:04 PM

Posted 23 April 2007 - 04:46 PM

Could you please post a fresh HijackThis log now? :thumbsup:
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]

If I have helped you, donate to help me continue helping others.

#6 ydbird

ydbird
  • Topic Starter

  • Members
  • 58 posts
  • Gender:Male
  • Location:Long Island, NY
  • Local time:09:04 AM

Posted 23 April 2007 - 04:52 PM

I apologize, I forgot I moved the HJT folder.


Logfile of HijackThis v1.99.1
Scan saved at 17:32, on 07-04-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\win3208841710697.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\sys09417106978.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\ms03106978417.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\micro1\b9.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {5ACE21A1-2B14-4354-8F92-8C3DCC2C7936} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Root.CERT - {D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
O2 - BHO: (no name) - {F0342425-1792-4F9C-9ADE-6BCAFB615293} - C:\Program Files\Common Files\quso.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\eno36.exe SKY003
O4 - HKLM\..\Run: [win3208841710697] C:\WINDOWS\win3208841710697.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [sys09417106978] C:\WINDOWS\sys09417106978.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\dlslpg.exe reg_run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\eno36.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2418A47-C702-44F7-A074-2B87AE62D4D7}: NameServer = ,
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: tQMznGUJSv - {18DC8C23-B276-2689-3585-3AB6560448E3} - (no file)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#7 Rahina


Posted 24 April 2007 - 05:14 AM

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.


#8 ydbird


Posted 24 April 2007 - 07:03 AM

Here are the logs you requested.

Deckard's System Scanner v20070423.42
Run by Kasia Sawicz on 2007-04-24 at 07:35:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-04-24 11:35:16 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Kasia Sawicz.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 07:37, on 07-04-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\micro1\b9.exe
C:\WINDOWS\system32\dlslpg.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kasia Sawicz\Desktop\dss.exe
C:\HJT\Kasia Sawicz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {5ACE21A1-2B14-4354-8F92-8C3DCC2C7936} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Root.CERT - {D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
O2 - BHO: (no name) - {F0342425-1792-4F9C-9ADE-6BCAFB615293} - C:\Program Files\Common Files\quso.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\eno36.exe SKY003
O4 - HKLM\..\Run: [win3208841710697] C:\WINDOWS\win3208841710697.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [sys09417106978] C:\WINDOWS\sys09417106978.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\dlslpg.exe reg_run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\eno36.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: tnin.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2418A47-C702-44F7-A074-2B87AE62D4D7}: NameServer = ,
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: tQMznGUJSv - {18DC8C23-B276-2689-3585-3AB6560448E3} - (no file)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20050423-220201-582 O2 - BHO: (no name) - {93FD03BB-BE2C-90D0-AFDC-EEA007E4254F} - C:\WINDOWS\apigx.dll
backup-20050423-220201-989 R3 - Default URLSearchHook is missing
backup-20050601-164114-209 O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
backup-20050601-164114-429 O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
backup-20050601-164114-699 R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
backup-20050602-174842-640 R3 - Default URLSearchHook is missing

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 TVALD (Toshiba ACPI-Based Value Added Logical Device Driver) - c:\windows\system32\drivers\tvald.sys <Not Verified; Toshiba Corporation; Toshiba ACPI-Compliant Value Added Logical Device; V2, 0, 0; V2, 0, 0>
R0 TVALG (Toshiba Value Added Logical and General Purpose Device Driver) - c:\windows\system32\drivers\tvalg.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Value Added Logical and General Purpose Device Driver; 2, 0, 0, 7; 2, 0, 0, 7>
R1 core - c:\windows\system32\drivers\core.sys
R2 SVKP - c:\windows\system32\svkp.sys <Not Verified; AntiCracking; SVKP driver for NT; 1.00; 4.00>
R3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP; 5.3.1.140; 5.3.1.140>
R3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows; 5.03.16.55; 5.03.16.55>
R3 MxlW2k - c:\windows\system32\drivers\mxlw2k.sys <Not Verified; MusicMatch, Inc.; MusicMatch Access Layer; 1.0.1.109; 1.0.1.109>
R3 odysseyIM4 (Odyssey Network Agent Miniport) - c:\windows\system32\drivers\odysseyim4.sys <Verified; Funk Software, Inc.; Odyssey; 4.00.0.1020; 2.74.0.1020>
R3 S3SSavage - c:\windows\system32\drivers\s3ssavm.sys <Verified; S3 Graphics, Inc.; S3 Graphics SuperSavage Miniport; 6.13.10.1266-12.90.66; 6.13.10.1266-12.90.66>
R3 SMCIRDA (SMC IrCC Miniport Device Driver) - c:\windows\system32\drivers\smcirda.sys <Verified; SMC; Fast Infrared Miniport Driver; 5.1.2500.0; 5.1.2500.0>
R3 TOSHIBASoftModem (TOSHIBA Software Modem) - c:\windows\system32\drivers\ltsm.sys <Verified; LT; TOSHIBA SoftModem Driver; 3.1.100 09/26/2001 20:12:19; 3.1.100 09/26/2001 20:12:19>
R3 tsdhd (TOSHIBA SD Card Host Controller Driver) - c:\windows\system32\drivers\tsdhd.sys <Not Verified; TOSHIBA Corporation; SD Card Driver Set; 1, 1, 1, 0; 1, 2, 8, 20404>
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys <Verified; America Online, Inc.; Wan Miniport (ATW); 7.8.0.0; 7.8.0.0>
R3 WDM_YAMAHAAC97 (YAMAHA AC-XG Audio Device) - c:\windows\system32\drivers\yacxg.sys <Verified; YAMAHA CORPORATION; YAMAHA AC-XG WDM; 6.13.10.2152; 6.13.10.2152>

S1 delprot - c:\windows\system32\drivers\delprot.sys (file missing)
S2 windev-31c9-6a65 - c:\windows\system32\windev-31c9-6a65.sys (file missing)
S3 ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys <Verified; Intel Corporation; Intel® Integrated Controller Hub Audio Driver; 5.10.3523; 5.10.3523 built by: WinDDK>
S3 BCM43XX (Wireless-G Notebook Adapter with SpeedBooster Driver) - c:\windows\system32\drivers\bcmwl5.sys <Verified; Broadcom Corporation; Broadcom 802.11 Network Adapter wireless driver; 3.100.64.0; 3.100.64.0 built by: WinDDK>
S3 pciSd - c:\windows\system32\drivers\tossdpci.sys <Not Verified; TOSHIBA; Toshiba SD Memory Driver; 1.00.04.20107; 1.00.04.20107>
S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
S3 wlluc48 (Wireless LAN PC Card Driver) - c:\windows\system32\drivers\wlluc48.sys <Verified; Lucent Technologies; ORiNOCO Driver for Windows.; 7.43.0.9; 7.43.0.9>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer; 1, 0, 0, 0; 2, 3, 0, 0>
R2 NICSer_WPC54G - c:\program files\linksys\wireless-g notebook adapter\nicserv.exe

S3 SavRoam - "c:\program files\symantec antivirus\savroam.exe" <Verified; symantec; Symantec SAVRoam; 1.5.0.0; 1.5.0.0>
S3 Symantec AntiVirus - "c:\program files\symantec antivirus\rtvscan.exe" <Verified; Symantec Corporation; Symantec AntiVirus; 9.0.1.1000; 9.0.1.1000>


-- Files created between 2007-03-24 and 2007-04-24 -----------------------------

2007-04-23 18:43:14 0 dr-h----- C:\Documents and Settings\Kasia Sawicz\Recent
2007-04-23 17:19:26 0 d-------- C:\Program Files\Common Files\Java
2007-04-23 17:01:28 0 d-------- C:\HJT
2007-04-22 19:20:04 46080 --a------ C:\WINDOWS\system32\gssssjf.dll
2007-04-22 17:46:50 91648 --a------ C:\WINDOWS\system32\dlslpg.exe
2007-04-22 12:50:13 0 d-------- C:\Documents and Settings\Kasia Sawicz\Application Data\Comodo
2007-04-22 12:50:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-04-22 12:19:51 0 d-------- C:\Program Files\Comodo
2007-04-21 09:56:17 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-21 00:19:40 10240 --a------ C:\WINDOWS\system32\bjaja.dll
2007-04-18 16:04:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-04-18 16:03:48 0 d-------- C:\Program Files\CCleaner
2007-04-15 22:34:38 10920 --a------ C:\aolconnfix.exe <Verified; ; AOL ConnFix Utility; 2.0.0.1; 2.0.0.1>
2007-04-12 13:50:44 135432 --a------ C:\WINDOWS\system32\abcdefgh.dll
2007-04-12 12:55:36 931 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-04-12 12:21:09 91849 --a------ C:\WINDOWS\system32\inst.exe
2007-04-12 12:16:13 184443 --a------ C:\WINDOWS\system32\owinnodv.exe
2007-04-12 11:58:36 91849 --a------ C:\WINDOWS\inst.exe
2007-04-12 11:57:40 1 --a------ C:\WINDOWS\system32\kr_done1
2007-04-12 11:50:30 133829 --a------ C:\WINDOWS\itpb_7.exe
2007-04-12 11:50:28 88367 --a------ C:\WINDOWS\itpb_3.exe
2007-04-12 11:49:59 105434 --a------ C:\WINDOWS\VTTC.exe
2007-04-12 11:49:32 72320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-12 11:49:22 0 d-------- C:\WINDOWS\system32\micro1
2007-04-09 15:09:57 1 --a------ C:\WINDOWS\system32\ps.dat
2007-04-09 13:04:23 184320 --a------ C:\WINDOWS\win3208841710697.exe <Not Verified; ; ase; 1.00.0040; 1.00.0040>
2007-04-09 13:04:23 184320 --a------ C:\WINDOWS\sys09417106978.exe <Not Verified; ; ase; 1.00.0040; 1.00.0040>
2007-04-09 13:04:23 184320 --a------ C:\WINDOWS\ms03106978417.exe <Not Verified; ; ase; 1.00.0040; 1.00.0040>
2007-04-09 08:54:26 85960 --a------ C:\WINDOWS\sammy.exe
2007-04-06 15:27:01 139264 --a------ C:\Program Files\Common Files\quso.dll


-- Find3M Report ---------------------------------------------------------------

2007-04-24 07:32:39 18944 --a------ C:\WINDOWS\system32\obmbanx.exe
2007-04-23 18:47:00 426 --a------ C:\WINDOWS\trirp.dll
2007-04-23 17:20:28 0 d-------- C:\Program Files\Java
2007-04-22 17:48:04 0 d-------- C:\Program Files\Symantec AntiVirus
2007-04-21 11:06:55 0 d-------- C:\Documents and Settings\Kasia Sawicz\Application Data\MSN6
2007-04-21 10:19:01 0 d-------- C:\Program Files\QuickTime
2007-04-21 10:14:44 0 d-------- C:\Program Files\Ltcufrt
2007-04-21 10:12:22 0 d-------- C:\Program Files\Common Files\sysdir
2007-04-21 10:10:16 0 d-------- C:\Program Files\Apoint2K
2007-04-21 09:51:17 0 d-------- C:\Program Files\MyWay
2007-04-20 22:00:18 0 d-------- C:\Program Files\Microsoft Home Publishing 2000
2007-04-15 22:35:35 0 d-------- C:\Program Files\America Online 7.0
2007-03-16 08:20:47 0 d-------- C:\Documents and Settings\Kasia Sawicz\Application Data\Viewpoint
2007-03-13 11:54:24 0 d-------- C:\Program Files\verizon
2007-03-13 10:30:50 0 d-------- C:\Program Files\Common Files\SupportSoft
2007-03-02 01:49:21 9 --a------ C:\WINDOWS\offnm.dat


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
{F0342425-1792-4F9C-9ADE-6BCAFB615293} C:\Program Files\Common Files\quso.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{ZN}"="C:\\WINDOWS\\system32\\micro1\\eno36.exe SKY003"
"win3208841710697"="C:\\WINDOWS\\win3208841710697.exe"
"Tpwrtray"="TPWRTRAY.EXE"
"TFNF5"="TFNF5.exe"
"TFncKy"="TFncKy.exe /Type 20"
"sys09417106978"="C:\\WINDOWS\\sys09417106978.exe"
"S3TRAY2"="S3Tray2.exe"
"S3Hotkey"="s3hotkey.exe"
"Pinger"="c:\\toshiba\\ivp\\ism\\pinger.exe /run"
"ms03106978417"="C:\\WINDOWS\\ms03106978417.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"bantool"="C:\\WINDOWS\\system32\\micro1\\b9.exe"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"winsync"="C:\\WINDOWS\\system32\\dlslpg.exe reg_run"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LDM"="C:\\Program Files\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"mrtcli"="C:\\WINDOWS\\system32\\mrtcli.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"uimz"="C:\\PROGRA~1\\COMMON~1\\uimz\\uimzm.exe"
"mrtcli"="C:\\WINDOWS\\system32\\mrtcli.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"\\1.exe"="C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Tools\\1.exe"
"msdrvctrl"="C:\\WINDOWS\\msdrvctrl.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"\\1.exe"="C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Tools\\1.exe"
"asycli"="C:\\WINDOWS\\system32\\asycli.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\Run]
"mrtcli"="C:\\WINDOWS\\system32\\mrtcli.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"tQMznGUJSv"="{18DC8C23-B276-2689-3585-3AB6560448E3}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0nwprovau\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kasia Sawicz^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Kasia Sawicz\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\owinnodv.exe SKY001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\elitemedia]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="elitemediapop"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\elitemediapop.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InkMonitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\EPSON\\Ink Monitor\\InkMonitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-24 at 07:38:25 ---------



Deckard's System Scanner v20070423.42
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 Mobile CPU 1.70GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 511.36 MiB / 274.48 MiB
Pagefile Memory (total/avail): 863.03 MiB / 671.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1973.48 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 27.95 GiB total, 17.67 GiB free.
D: is CDROM (No Media)
E: is Removable (FAT)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: COMODO Firewall Pro v2.3.035 (COMODO) Disabled
AV: Symantec AntiVirus Corporate Edition v9.0.1.1000 (Symantec Corporation)


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Kasia Sawicz\Application Data
CLASSPATH=C:\Program Files\JavaSoft\JRE\1.3.1_04\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-KASIA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Kasia Sawicz
LOGONSERVER=\\OWNER-KASIA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\JavaSoft\JRE\1.3.1_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\KASIAS~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\KASIAS~1\LOCALS~1\Temp
USERDOMAIN=OWNER-KASIA
USERNAME=Kasia Sawicz
USERPROFILE=C:\Documents and Settings\Kasia Sawicz
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Kasia Sawicz (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01083175-01CC-42AA-9090-81DD0F88F28F}\Setup.exe" -l0x9 --AddRemove
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
America Online --> C:\Program Files\Common Files\aolshare\Aolunins_us.exe
AOL Explorer --> C:\Program Files\Common Files\AOL\1125701168\ee\services\browser\ver1_1_1043\uninst.exe
AOL Instant Messenger --> C:\Program Files\AIM95\uninstll.exe -LOG= C:\Program Files\AIM95\install.log -OEM=
AOL Toolbar 2.0 --> "C:\Program Files\AOL\AOL Toolbar 2.0\uninstall.exe"
Canon Camera Window for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{093625E3-7B87-49D3-AA53-AD0FCFABAF49}
Canon PhotoRecord --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\Canon\PhotoRecord\Uninst.isu -c"C:\PROGRA~1\Canon\PhotoRecord\Program\uninstdll.dll"
Canon Utilities File Viewer Utility 1.2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{EF0DD8B7-471C-463B-A298-6066C2FABAF5}
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{03CDDD00-BD57-4326-9480-4C74449AF597}
Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
EPSON Online Reference Guide --> C:\Program Files\epson\guide\uninstall.exe
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
Film Factory --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EPSON Software\Film Factory\Uninst.isu"
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
HijackThis 1.99.1 --> C:\Documents and Settings\Kasia Sawicz\Desktop\PC Repair\hijackthis\HijackThis.exe /uninstall
ImageStation Easy Upload Tools --> C:\Program Files\Easy Upload Tools\UninstallHelper\UninstallHelper.exe
Ink Monitor --> C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iPod Update 2004-04-28 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E6696A8C-C55A-405C-AFEB-F3880A8BAA45} /l1033
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{872653C6-5DDC-488B-B7C2-CF9E4D9335E5} /l1033
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LimeWire --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7F99416F-B410-487A-8288-ECC1263E23E7}
LimeWire 4.10.9 --> "C:\Program Files\LimeWire\LimeWire 4.2.4\uninstall.exe"
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\setup.exe" -l0x9 UNINSTALL /L9
Logitech MouseWare 9.42 .1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Logitech Resource Center --> C:\PROGRA~1\RESOUR~1\rem\UNWISE.EXE /s C:\PROGRA~1\RESOUR~1\rem\INSTALL.LOG
Logitech User's Guide --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CBE0FCA1-4E95-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 UNINSTALL
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Microsoft Encarta Encyclopedia 2000 --> "C:\Program Files\Microsoft Encarta\Encarta Encyclopedia 2000\unee2000.exe" /uninstall
Microsoft Home Publishing 2000 --> MsiExec.exe /I{9E266E6A-3A1E-11D3-A3E4-00C04F7989D8}
Microsoft Office XP Standard for Students and Teachers --> MsiExec.exe /I{913D0409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 2000 --> MsiExec.exe /I{A586D09E-1D2C-11D3-9A6B-00105A98B681}
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Microsoft Works 2000 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2000\Setup\Launcher.exe D:\
MUSICMATCH Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
myTunes Redux 1.0 --> "C:\Program Files\myTunes Redux\unins000.exe"
Odyssey Client --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{99D42EC7-652B-4819-B3E6-6450C815E03F}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Quicken 2001 New User Edition --> C:\quickenw\WINNT\Intuit\UNWISE.EXE C:\quickenw\WINNT\Intuit\INSTALL.LOG
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Toshiba Access --> C:\PROGRA~1\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\TOSHIB~1\INSTALL.LOG
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -uninst
TOSHIBA Controls --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6690C0E-B96E-4F0F-A8EB-D5B332454AC6}\Setup.exe"
TOSHIBA Power Saver --> TPWRDEL.EXE
TOSHIBA Software Modem --> Tosmreg -U
Toshiba Software Upgrades --> C:\toshiba\ivp\swupdate\UNWISE.EXE C:\toshiba\ivp\swupdate\INSTALL.LOG
Toshiba System Stability Program --> C:\toshiba\SYSSTA~1\UNWISE.EXE C:\toshiba\SYSSTA~1\INSTALL.LOG
Toshiba Tbiosdrv Driver --> C:\PROGRA~1\Toshiba\TOSHIB~1\UNWISE.EXE C:\PROGRA~1\Toshiba\TOSHIB~1\INSTALL.LOG
TOSHIBA TouchPad On/Off Utility V2.01.01 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\TOSHIBA\TouchED\Uninst.isu" -c"C:\Program Files\TOSHIBA\TouchED\tpedinst.dll"
TOSHIBA Utilities --> tutildel.exe
Toshiba WinXP Registration --> C:\WINDOWS\uninst.exe -f"C:\Program Files\DataLode\Toshiba WinXP Registration\DeIsL1.isu" -c"C:\Program Files\DataLode\Toshiba WinXP Registration\_ISREG32.DLL"
Wireless-G Notebook Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A2EDF5F-F3C6-4919-AE34-C08A71AD034A}\Setup.exe" -l0x9
Word in Works Suite add-in --> MsiExec.exe /I{0DB93918-2A77-11D3-805A-00C04FA329AA}
YAMAHA AC-XG WDM --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3663DDE0-D8AE-11D3-9850-00C04F7AC096}\setup.exe" maintenance


-- End of Deckard's System Scanner: finished at 2007-04-24 at 07:38:25 ---------

#9 Rahina
    Security Helper
  • Members
  • 681 posts
  • Gender:Male
  • Location:Finland

Posted 25 April 2007 - 01:41 PM

Hello Again :thumbsup:

Step #1

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will later.

Please go Here to see how to show hidden files in Windows.

Step #2

Download CWShredder to its own folder.

Open CWShredder.exe and click the Check For Update button.
After downloading any necessary updates, please close the program.

Step #3

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please open HiJackThis and scan. Check the boxes next to all the entries listed below:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
O2 - BHO: 0 - {5ACE21A1-2B14-4354-8F92-8C3DCC2C7936} - (no file)
O2 - BHO: Root.CERT - {D6EAC4ED-2842-4FB6-A8B4-B1A300A1F2F9} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\root\root.dll
O2 - BHO: (no name) - {F0342425-1792-4F9C-9ADE-6BCAFB615293} - C:\Program Files\Common Files\quso.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\eno36.exe SKY003
O4 - HKLM\..\Run: [win3208841710697] C:\WINDOWS\win3208841710697.exe
O4 - HKLM\..\Run: [sys09417106978] C:\WINDOWS\sys09417106978.exe
O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [bantool] C:\WINDOWS\system32\micro1\b9.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\dlslpg.exe reg_run
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\micro1\eno36.exe
O4 - Global Startup: tnin.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: tQMznGUJSv - {18DC8C23-B276-2689-3585-3AB6560448E3} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #4

Now run CWShredder again by double-clicking on the program you downloaded earlier.
Click "Fix" and then "Next", let it fix everything it asks about.

Step #5

Next, please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.bat on your Desktop.

@echo off
rem Clear the system/read-only/hidden attributes first, otherwise del refuses the file.
attrib -s -r -h "C:\Program Files\Common Files\quso.dll"
del /q "C:\Program Files\Common Files\quso.dll"
attrib -s -r -h "C:\WINDOWS\win3208841710697.exe"
del /q "C:\WINDOWS\win3208841710697.exe"
attrib -s -r -h "C:\WINDOWS\sys09417106978.exe"
del /q "C:\WINDOWS\sys09417106978.exe"
attrib -s -r -h "C:\WINDOWS\ms03106978417.exe"
del /q "C:\WINDOWS\ms03106978417.exe"
attrib -s -r -h "C:\WINDOWS\system32\dlslpg.exe"
del /q "C:\WINDOWS\system32\dlslpg.exe"
attrib -s -r -h "C:\WINDOWS\system32\gssssjf.dll"
del /q "C:\WINDOWS\system32\gssssjf.dll"
attrib -s -r -h "C:\WINDOWS\system32\bjaja.dll"
del /q "C:\WINDOWS\system32\bjaja.dll"
attrib -s -r -h "C:\WINDOWS\system32\abcdefgh.dll"
del /q "C:\WINDOWS\system32\abcdefgh.dll"
attrib -s -r -h "C:\WINDOWS\system32\winpfz32.sys"
del /q "C:\WINDOWS\system32\winpfz32.sys"
attrib -s -r -h "C:\WINDOWS\system32\inst.exe"
del /q "C:\WINDOWS\system32\inst.exe"
attrib -s -r -h "C:\WINDOWS\inst.exe"
del /q "C:\WINDOWS\inst.exe"
attrib -s -r -h "C:\WINDOWS\itpb_7.exe"
del /q "C:\WINDOWS\itpb_7.exe"
attrib -s -r -h "C:\WINDOWS\itpb_3.exe"
del /q "C:\WINDOWS\itpb_3.exe"
attrib -s -r -h "C:\WINDOWS\VTTC.exe"
del /q "C:\WINDOWS\VTTC.exe"
attrib -s -r -h "C:\WINDOWS\sammy.exe"
del /q "C:\WINDOWS\sammy.exe"
attrib -s -r -h "C:\WINDOWS\offnm.dat"
del /q "C:\WINDOWS\offnm.dat"
rem kr_done1 is a 1-byte marker file, not a folder (see the DSS listing), so delete it as a file.
attrib -s -r -h "C:\WINDOWS\system32\kr_done1"
del /q "C:\WINDOWS\system32\kr_done1"
rem Whole folders: paths containing spaces must be quoted, or attrib and del see two arguments.
attrib -s -r -h "C:\Program Files\Ebates_MoeMoneyMaker\*.*"
del /a /f /q "C:\Program Files\Ebates_MoeMoneyMaker\*.*"
RD /s /q "C:\Program Files\Ebates_MoeMoneyMaker"
attrib -s -r -h "C:\Program Files\MyWay\*.*"
del /a /f /q "C:\Program Files\MyWay\*.*"
RD /s /q "C:\Program Files\MyWay"
attrib -s -r -h "C:\Documents and Settings\Kasia Sawicz\Application Data\Viewpoint\*.*"
del /a /f /q "C:\Documents and Settings\Kasia Sawicz\Application Data\Viewpoint\*.*"
RD /s /q "C:\Documents and Settings\Kasia Sawicz\Application Data\Viewpoint"
attrib -s -r -h "C:\Documents and Settings\All Users\Application Data\root\*.*"
del /a /f /q "C:\Documents and Settings\All Users\Application Data\root\*.*"
RD /s /q "C:\Documents and Settings\All Users\Application Data\root"
attrib -s -r -h "C:\WINDOWS\system32\micro1\*.*"
del /a /f /q "C:\WINDOWS\system32\micro1\*.*"
RD /s /q "C:\WINDOWS\system32\micro1"
exit

Double-click on fixthis.bat.
A window will open and close; this is normal.

Step #6

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Step #7

Go to Virustotal
Copy the following to the box next to the "Browse" button:
  • C:\WINDOWS\system32\obmbanx.exe
Click on Send and wait for the scan to end.

Go to Virustotal
Copy the following to the box next to the "Browse" button:
  • C:\WINDOWS\trirp.dll
Click on Send and wait for the scan to end.

Go to Virustotal
Copy the following to the box next to the "Browse" button:
  • C:\WINDOWS\system32\owinnodv.exe
Click on Send and wait for the scan to end.

Step #8

Now, using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please search for the file below and delete it (if present):

tnin.exe

Step #9

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Step #10

Download GMER and unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

Step #11

In your next Reply Please post the following logfiles:
  • AVG Anti-Spyware
  • Vundofix.txt
  • GMER.txt
  • Virustotal Results
  • Hijackthis Logfile

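The helper's reply above is built by reading the DSS "Files created" listing against the HijackThis O4/O2 entries by eye: an autorun target that appeared inside the scan window, carries no verified publisher information, sits directly under %WINDIR% with a random-looking name, or was dropped as several byte-identical copies in the same second (the three "ase" executables in the listing) goes on the fix list. As an added example, not a tool from this thread or from either scanner's authors, the Python script below applies those same checks mechanically. The sample lines are a constructed subset copied from the logs posted in this thread; the scoring rules, thresholds and the name heuristic are my own assumptions, and the command-line parser only handles quoted paths or a first-token path, as the entries here are.

```python
"""Cross-reference HijackThis autorun entries with a DSS 'Files created' listing.

Added example for this thread (not part of either tool). Sample lines below are a
constructed subset of the logs posted above.
"""
import re
from collections import defaultdict

# Constructed sample: HijackThis O4 (Run keys) and O2 (BHO) lines from this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\micro1\eno36.exe SKY003
O4 - HKLM\..\Run: [win3208841710697] C:\WINDOWS\win3208841710697.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\dlslpg.exe reg_run
O2 - BHO: (no name) - {F0342425-1792-4F9C-9ADE-6BCAFB615293} - C:\Program Files\Common Files\quso.dll
O2 - BHO: (no name) - {33161E98-0A6C-4d3c-BD62-3A7D56137F52} - (no file)
"""

# Constructed sample: DSS 'Files created between ...' lines from this thread.
DSS_SAMPLE = r"""
2007-04-22 17:46:50 91648 --a------ C:\WINDOWS\system32\dlslpg.exe
2007-04-15 22:34:38 10920 --a------ C:\aolconnfix.exe <Verified; ; AOL ConnFix Utility; 2.0.0.1; 2.0.0.1>
2007-04-12 11:49:22 0 d-------- C:\WINDOWS\system32\micro1
2007-04-09 13:04:23 184320 --a------ C:\WINDOWS\win3208841710697.exe <Not Verified; ; ase; 1.00.0040; 1.00.0040>
2007-04-09 13:04:23 184320 --a------ C:\WINDOWS\sys09417106978.exe <Not Verified; ; ase; 1.00.0040; 1.00.0040>
2007-04-09 13:04:23 184320 --a------ C:\WINDOWS\ms03106978417.exe <Not Verified; ; ase; 1.00.0040; 1.00.0040>
2007-04-06 15:27:01 139264 --a------ C:\Program Files\Common Files\quso.dll
"""

DSS_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attr>\S+)\s+"
                    r"(?P<path>.+?)(?:\s+<(?P<ver>[^>]*)>)?\s*$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
WINDIR = "c:\\windows\\"


def parse_dss(text):
    """Return (files, dirs): files keyed by lower-cased path with timestamp, size and signature info."""
    files, dirs = {}, set()
    for line in text.splitlines():
        m = DSS_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        if m.group("attr").startswith("d"):      # 'd--------' marks a directory
            dirs.add(path)
            continue
        ver = m.group("ver")                     # None when DSS printed no <...> version block
        files[path] = {"ts": m.group("ts"), "size": int(m.group("size")), "ver": ver,
                       "verified": bool(ver) and ver.startswith("Verified")}
    return files, dirs


def command_image(cmd):
    """Pull the executable out of a Run-key command line: quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text):
    """Return [(entry label, image path)] for O4 Run entries and O2 BHOs."""
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            out.append((f"O4 {m.group('hive')} [{m.group('name')}]", command_image(m.group("cmd"))))
            continue
        m = O2_RE.match(line)
        if m:
            out.append((f"O2 BHO {m.group('clsid')}", m.group("path").strip()))
    return out


def looks_random(filename):
    """Assumed heuristic: digit-heavy or vowel-free stems of 6+ chars. Weak on its own
    (vendor hotkey utilities trip it), so it only adds one reason to the list."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem)
    return digits / len(stem) >= 0.5 or vowels == 0


def triage(hjt_text, dss_text):
    """Return {entry label: [reasons]}; an empty list means nothing odd was seen."""
    files, dirs = parse_dss(dss_text)
    # Files sharing timestamp, size and version block are usually one dropper's copies.
    clusters = defaultdict(list)
    for path, f in files.items():
        clusters[(f["ts"], f["size"], f["ver"])].append(path)
    findings = {}
    for entry, image in parse_hjt(hjt_text):
        key = image.lower()
        reasons = []
        if key == "(no file)":
            reasons.append("registered but file missing (orphaned entry)")
        elif "\\" not in key:
            reasons.append("bare filename, resolved via search path")
        info = files.get(key)
        if info:
            reasons.append(f"created {info['ts']}, inside the scan window")
            if not info["verified"]:
                reasons.append("no verified publisher signature")
            siblings = clusters[(info["ts"], info["size"], info["ver"])]
            if len(siblings) > 1:
                reasons.append(f"{len(siblings)} identical files written in the same second")
        elif any(key.startswith(d + "\\") for d in dirs):
            reasons.append("lives in a directory created inside the scan window")
        if key.startswith(WINDIR) and looks_random(key.rsplit("\\", 1)[-1]):
            reasons.append("random-looking name under %WINDIR%")
        findings[entry] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(HJT_SAMPLE, DSS_SAMPLE).items():
        flag = "SUSPICIOUS" if len(reasons) >= 2 else ("review" if reasons else "ok")
        print(f"{flag:10} {entry}: {'; '.join(reasons) or '-'}")
```

Two or more reasons on one entry is the cut-off used for "suspicious" here, which reproduces the helper's fix list for the sample (the three "ase" executables, dlslpg.exe and quso.dll) while leaving iTunesHelper untouched; a single reason such as the bare TPWRTRAY.EXE name is worth resolving by hand but is not evidence on its own. A file that DSS labels "Verified" is only as trustworthy as the signing chain the scanner checked, so the heuristic treats a signature as absence of one red flag, not as a clean bill.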

#10 ydbird
  • Topic Starter
  • Members
  • 58 posts
  • Gender:Male
  • Location:Long Island, NY

Posted 25 April 2007 - 11:27 PM

Here are some of the logs you asked for. HJT and AVG produced the following:

Logfile of HijackThis v1.99.1
Scan saved at 00:02, on 07-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnodv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2418A47-C702-44F7-A074-2B87AE62D4D7}: NameServer = ,
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:08 07-04-25

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\iedrives.dll.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\msdrv.exe.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\msdrvctrl.exe.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\msdrives\iedrives.dll.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\msdrives\msdrv.exe.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\msdrives\msdrvctrl.exe.vir -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000012.dll -> Adware.Agent : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98640C3B-0699-4D51-ADB4-A6FC48ACB966} -> Adware.Begin2Search : Cleaned with backup (quarantined).
C:\Program Files\Common Files\sysdir\thin-75-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\WINDOWS\gdrgqy.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\thin-75-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\cfg32.exe.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\cfg32a.exe.vir -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\stub_mma3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1602489464-1203752577-514352727-500\Dc3.exe -> Adware.DealHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Uninstaller.exe -> Adware.DealHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dun.exe -> Adware.DealHelper : Cleaned with backup (quarantined).
C:\WINDOWS\system32\version.exe -> Adware.DealHelper : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\eliteunstall.exe.vir -> Adware.EliteMedia : Cleaned with backup (quarantined).
C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Log\1004.exe -> Adware.FastFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{3E4563A4-2A9B-4912-BE38-906A0CB702CC} -> Adware.FastFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{EEBA788A-C268-492A-B7FE-42C2B6C553D4} -> Adware.FastFind : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E4563A4-2A9B-4912-BE38-906A0CB702CC} -> Adware.FastFind : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEBA788A-C268-492A-B7FE-42C2B6C553D4} -> Adware.FastFind : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E4563A4-2A9B-4912-BE38-906A0CB702CC} -> Adware.FastFind : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEBA788A-C268-492A-B7FE-42C2B6C553D4} -> Adware.FastFind : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E4563A4-2A9B-4912-BE38-906A0CB702CC} -> Adware.FastFind : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEBA788A-C268-492A-B7FE-42C2B6C553D4} -> Adware.FastFind : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\_hsrb -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\_hsrb\kkws -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\_hsrb\ppops -> Adware.HotBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\_hsrb\ssites -> Adware.HotBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dsktrf.dll -> Adware.HotSearchBar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} -> Adware.iLookup : Cleaned with backup (quarantined).
C:\Program Files\Common Files\sysdir\ODQ6ODoxMg.exe -> Adware.ISearch : Cleaned with backup (quarantined).
C:\WINDOWS\isrvs\isearch.xpi/chrome/isearch.jar/content/isearch/isearch.js -> Adware.ISearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ODQ6ODoxMg.exe -> Adware.ISearch : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\delprot -> Adware.iSearch : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Enum -> Adware.iSearch : Cleaned with backup (quarantined).
HKLM\SYSTEM\CurrentControlSet\Services\delprot\Security -> Adware.iSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} -> Adware.Isearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav\BHO -> Adware.KeenValue : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav\BHO\HomePage -> Adware.KeenValue : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav\BHO\RedirectURLS -> Adware.KeenValue : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} -> Adware.LinkMaker : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} -> Adware.LinkMaker : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1203752577-514352727-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} -> Adware.LinkMaker : Cleaned with backup (quarantined).
C:\WINDOWS\isrvs\bak\ffisearch.exe -> Adware.MDH : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Bin\4003.exe -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Log\log.dll -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Tools\bak\1.exe -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Tools\tools.dll -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Desktop\Unused Desktop Shortcuts\aimfix_quarantine\28139_1.exe.bak -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall4_80.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall4_88.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall5_40.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall5_48.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall5_64.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_10.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_22.exe.vir -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000024.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking(2)\P2P Networking(2).exe -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000017.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Desktop\zippy3.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\DeskAlerts\deskbar.dll.vir -> Adware.Softomate : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\funnies.exe.vir -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000026.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\HJT\backups\backup-20070425-201539-202.dll -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000002.dll -> Adware.TTC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Windows AdStatus\WinStatComm.dll.vir -> Adware.WinAD : Cleaned with backup (quarantined).
C:\m234t.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\WINDOWS\system32\protect1.exe -> Adware.WinComm : Cleaned with backup (quarantined).
C:\Program Files\Windows TaskAd -> Adware.WinTaskAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000028.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\owinnodv.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Desktop\NTEK51.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000025.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\31145.exe.vir -> Downloader.Adload.j : Cleaned with backup (quarantined).
C:\dsl197.exe -> Downloader.Adload.j : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bak\lsasss.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\vexga5me3.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\updater.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\Program Files\Common Files\sysdir\cxtpls_loader.exe -> Downloader.Apropo.r : Cleaned with backup (quarantined).
C:\Program Files\Common Files\sysdir\istinstall_157756.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\istinstall_157756.exe -> Downloader.IstBar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\PreInstaller_p1.exe -> Downloader.Keenval.o : Cleaned with backup (quarantined).
C:\HJT\backups\backup-20070425-201539-542-tnin.exe -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000005.exe -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000009.exe -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000010.dll -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000011.dll -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__d_l_s_l_p_g_._e_x_e_ -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__g_s_s_s_s_j_f_._d_l_l_ -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\WINDOWS\system32\bak\dlslpg.exe -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\WINDOWS\system32\obmbanx.exe -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\WINDOWS\system32\vpkpu.dat -> Downloader.Qoologic.ac : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Desktop\Unused Desktop Shortcuts\aimfix_quarantine\697_wuauclt.dll.bak -> Downloader.Qoologic.ae : Cleaned with backup (quarantined).
C:\WINDOWS\mvtiyl.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\inrh9400.exe.vir -> Downloader.Small.bke : Cleaned with backup (quarantined).
C:\WINDOWS\htwfdr.exe -> Downloader.Small.bmx : Cleaned with backup (quarantined).
C:\HJT\backups\backup-20070425-201540-536.inf -> Downloader.Small.rl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TVM_B542.EXE -> Downloader.Small.wk : Cleaned with backup (quarantined).
C:\WINDOWS\system32\TVM_B5_42.EXE -> Downloader.Small.wk : Cleaned with backup (quarantined).
C:\Program Files\Common Files\uimz\uimzd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\WINDOWS\stub_110_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\WINDOWS\survv.exe -> Downloader.VB.dm : Cleaned with backup (quarantined).
C:\WINDOWS\bak\biqdnpe.exe -> Downloader.VB.hj : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\uni_eh10.exe.vir -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\11yf05fg.exe -> Dropper.Small.sc : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Tools\4002.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\winsysupd3.exe.vir -> Hijacker.StartPage.ahg : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\hh[1].htm -> Not-A-Virus.Exploit.JS.ADODB.Stream.t : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\8TEBGDQF\portal[3].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\8TEBGDQF\portal[4].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\8TEBGDQF\portal[5].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\8TEBGDQF\portal[6].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\ERSHKT6L\portal[1].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\ERSHKT6L\portal[2].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\portal[1].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\portal[2].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\portal[3].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\LABRPZ91\portal[1].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\LABRPZ91\portal[4].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Local Settings\Temporary Internet Files\Content.IE5\LABRPZ91\portal[5].htm -> Not-A-Virus.Exploit.MhtRedir : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\vexga4me1.exe.vir -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@msnservices.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Cookies\kasia sawicz@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Kasia Sawicz\Desktop\fr2.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000019.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000030.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000027.exe -> Trojan.Bantool : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\elitemediapop.exe.vir -> Trojan.LowZones.am : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\YOINSI.exe.vir -> Trojan.Scapur.k : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\qvxga7met4.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\vexga8me6.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\S2FzaWEgU2F3aWN6\mZIWuqH0oZIauqhd.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\Ltcufrt\bak\Vbyd.exe -> Trojan.Small.cy : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\111uninst.exe.vir -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000006.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000007.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{859B7B5B-86FA-4D06-84B6-26AE0D80388A}\RP0\A0000008.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\vexg4am1et2.exe.vir -> Worm.Zhelatin.ct : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\zup.exe.exe.vir -> Worm.Zhelatin.ct : Cleaned with backup (quarantined).


::Report end


The Vundo scan didn't find any infection and generated no report.


VirusTotal results for each file were:
0 bytes size received / Se ha recibido un archivo vacio

Gmer.txt was never generated because halfway through the scan I got a BSOD with this error message:

stopped 0x0000008E,0xC0000005,0x00650072,0xF3C50CF0,0x00000000


I hope we can clear some of this up; you have done a great job this far. I also cannot install Windows updates because of the BSOD.

Hope to hear from you soon and thanks.

#11 Rahina

Posted 26 April 2007 - 08:48 AM

We still have a few things to do.

Step #1

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
Step #2

Download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Step #3

Please download Qoofix by Rubber Ducky to your desktop.
  • Right-click on the Qoofix folder and choose "Extract All". Extract Qoofix to your C: drive.
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt. Copy and paste the contents of that report into your next reply here.
Step #4

Please open HiJackThis and scan. Check the boxes next to all the entries listed below:

O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #5

Please download OTMoveIt.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ms03106978417.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #6

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files, so this is the only way to clean them. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step #7
  • Open HijackThis
  • Click Config
  • Click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, then copy and paste the results in your next post.
In your next reply post these logs:
  • AWF.txt
  • Qoofix.txt
  • Hijackthis Log

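Step #4 above is a cross-check between two of the posted logs: an O4 autorun whose target file AVG has already quarantined is an orphaned entry that still needs removing from the registry or Startup folder. The script below is an added example, not a tool from this thread; it parses a few HijackThis O4 lines and AVG report lines copied from the logs above, and it assumes (my assumption, not stated on the page) that a C:\QooBox\Quarantine\<drive>\<path>.vir entry maps back to <drive>:\<path>.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log posted earlier in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ms03106978417] C:\WINDOWS\ms03106978417.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnodv.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
"""

# Constructed sample: three lines copied from the AVG Anti-Spyware report above.
AVG_SAMPLE = r"""
C:\QooBox\Quarantine\C\WINDOWS\elitemediapop.exe.vir -> Trojan.LowZones.am : Cleaned with backup (quarantined).
C:\WINDOWS\system32\owinnodv.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
"""

# Registry Run entries: "O4 - HKLM\..\Run: [name] command line"
O4_RUN_RE = re.compile(r"^O4 - (?P<loc>[^:]+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder shortcuts: "O4 - Startup: name.lnk = target"
O4_LNK_RE = re.compile(r"^O4 - (?P<loc>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# AVG report lines: "path -> Detection : Action."
AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<det>\S+) : (?P<action>.+?)\.?$")
# Assumed quarantine layout: C:\QooBox\Quarantine\<drive>\<original path>.vir
QOOBOX_RE = re.compile(r"^C:\\QooBox\\Quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+)\.vir$", re.IGNORECASE)
# Unquoted command lines: take everything up to the first executable-looking extension,
# so a path containing spaces is not cut at the first space.
UNQUOTED_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|scr|bat|cmd|vbs|dll))(?:\s|$)", re.IGNORECASE)


def target_of(cmd):
    """Extract the launched file from an O4 command line; None if there is nothing to resolve."""
    cmd = cmd.strip()
    if cmd in ("", "?"):
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = UNQUOTED_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def parse_hjt_o4(text):
    """Return one dict per O4 line: where it is registered, its name and its target file."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            entries.append({"location": m.group("loc"), "name": m.group("name"),
                            "target": target_of(m.group("cmd"))})
    return entries


def parse_avg_report(text):
    """Return one dict per AVG detection line."""
    hits = []
    for line in text.splitlines():
        m = AVG_RE.match(line)
        if m:
            hits.append({"path": m.group("path"), "detection": m.group("det"),
                         "action": m.group("action")})
    return hits


def original_path(path):
    """Map a QooBox quarantine path back to where the file lived (assumed layout); other paths unchanged."""
    m = QOOBOX_RE.match(path)
    if not m:
        return path
    return f"{m.group('drive').upper()}:\\{m.group('rest')}"


def triage_autoruns(hjt_text, avg_text):
    """Cross-reference HJT autoruns with AVG detections.

    Returns (orphaned, unresolved): orphaned autoruns still point at a file AVG has
    already quarantined, so the Run value or .lnk itself is what remains to be fixed;
    unresolved ones name only a bare file or '?' and must be checked by hand.
    """
    detections = {original_path(h["path"]).lower(): h["detection"]
                  for h in parse_avg_report(avg_text)}
    orphaned, unresolved = [], []
    for entry in parse_hjt_o4(hjt_text):
        target = entry["target"]
        if target is None or "\\" not in target:
            unresolved.append(entry)
        elif target.lower() in detections:
            orphaned.append((entry, detections[target.lower()]))
    return orphaned, unresolved


if __name__ == "__main__":
    orphaned, unresolved = triage_autoruns(HJT_SAMPLE, AVG_SAMPLE)
    for entry, detection in orphaned:
        print(f"ORPHANED  {entry['location']} [{entry['name']}] -> {entry['target']}  ({detection})")
    for entry in unresolved:
        print(f"CHECK     {entry['location']} [{entry['name']}] -> {entry['target']!r}")
```

On the sample input the two orphaned entries are exactly the elitemedia Run value and the Think-Adz.lnk shortcut; ms03106978417 is not matched because nothing quarantined it, which is consistent with OTMoveIt later reporting that file as not found.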

#12 ydbird

Posted 26 April 2007 - 06:41 PM

Rahina,

I have followed the steps that you have given me. The logs are as follows:


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


I also got a message that said: system file not suitable for ms-dos and windows applications.


Qoofix v1.04 by http://www.malwarebytes.org
Scan started on [07-04-26] at [18:30:35]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [07-04-26] at [18:31:58]

Note: Some registry keys may have been removed.


HJT did not display the files that you listed.

File/Folder C:\WINDOWS\ms03106978417.exe not found.

Created on 04-26-2007 19:35:39

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
ALPS Touch Pad Driver
America Online
AOL Explorer
AOL Instant Messenger
AOL Toolbar 2.0
AVG Anti-Spyware 7.5
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
COMODO Firewall Pro
EPSON Online Reference Guide
EPSON Printer Software
Film Factory
Google Talk (remove only)
HijackThis 1.99.1
ImageStation Easy Upload Tools
Ink Monitor
Intel® PRO Ethernet Adapter and Software
InterActual Player
InterVideo WinDVD
iPod for Windows 2005-03-23
iPod Update 2004-04-28
iTunes
Java™ SE Runtime Environment 6 Update 1
LimeWire
LimeWire 4.10.9
Logitech Desktop Messenger
Logitech MouseWare 9.42 .1
Logitech Resource Center
Logitech User's Guide
Macromedia Dreamweaver MX
Macromedia Extension Manager
Microsoft Encarta Encyclopedia 2000
Microsoft Home Publishing 2000
Microsoft Office XP Standard for Students and Teachers
Microsoft Picture It! Express 2000
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
MUSICMATCH Jukebox
myTunes Redux 1.0
Odyssey Client
Panda ActiveScan
Quicken 2001 New User Edition
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928843)
Spybot - Search & Destroy 1.4
Symantec AntiVirus
Toshiba Access
TOSHIBA Console
TOSHIBA Controls
TOSHIBA Power Saver
TOSHIBA Software Modem
Toshiba Software Upgrades
Toshiba System Stability Program
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad On/Off Utility V2.01.01
TOSHIBA Utilities
Toshiba WinXP Registration
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Watson
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Wireless-G Notebook Adapter
Word in Works Suite add-in
YAMAHA AC-XG WDM

Logfile of HijackThis v1.99.1
Scan saved at 18:37, on 07-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\S3Tray2.exe
C:\WINDOWS\system32\s3hotkey.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...&bm=ms_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566...age=about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\owinnodv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2418A47-C702-44F7-A074-2B87AE62D4D7}: NameServer = ,
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you again for your patience.

#13 Rahina (Security Helper)

  • Members
  • 681 posts
  • Gender:Male
  • Location:Finland

Posted 28 April 2007 - 03:30 PM

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.


#14 ydbird (Topic Starter)

  • Members
  • 58 posts
  • Gender:Male
  • Location:Long Island, NY

Posted 28 April 2007 - 05:28 PM

I am trying to run the online scanner, but I keep getting an error message to shut down the scanner and browser and try again.

#15 Rahina (Security Helper)

  • Members
  • 681 posts
  • Gender:Male
  • Location:Finland

Posted 29 April 2007 - 04:09 AM

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

