
Infected Multiple Trojans/malware - Winantivirus, Winsys64.exe, Driver.exe, Sysmon.exe, Vundo


This topic is locked. 11 replies to this topic.

#1 xilew (Members, 7 posts)

Posted 30 June 2007 - 10:48 AM

Hi, my computer has been infected with multiple viruses. Every time I start my computer and log on, McAfee On-Access Scan detects various viruses, most commonly winsys64.exe, driver.exe and sysmon32.exe. The antivirus says it has deleted these trojans, but on the next start-up of my computer they come back again, and again. I have also noticed many randomly named .dll files in the C:\WINDOWS\system32 directory. Files such as jkhhh.dll, fccdcy.dll, xxywwus.dll, etc. were created when I contracted the virus(es). There is also a file named xpdx in the same directory, which I also believe is malicious.

I have also noticed in the Task Manager, in the Processes tab, there is a process called qttask.exe. This is taking up 50 of the CPU, which I believe may be the cause of the lag.

My computer also takes a long time to shut down now. Before, it only took about 30 sec - 1 min. Now it takes about 4 min. In addition, I am getting constant pop-ups advertising WinAntivirus, which I believe is a major virus hoax. Sometimes my computer just lags so hard it is practically impossible to do anything. At one time, it took nearly 1 min just to open the Start menu. Not only this, but sometimes things like right-clicking on the desktop don't open the small menu. Sometimes I can't even access 'My Computer' or 'Windows Explorer' or 'Task Manager', and sometimes the computer won't even shut down through the Start menu.

Finally, when I look at the McAfee On-Access Scan progress, it seems to be constantly scanning the file hhhkj.ini in the system32 folder, which is probably the same virus or another.

I have had these problems for nearly a week now, and it has become very frustrating. I have spent hours and hours scanning the computer with programs and online scanners, but have failed to detect the major viruses; sometimes some online scanners just error out and crash. Help with fixing these viruses would be greatly appreciated. Thank you!

I have followed the steps to the HijackThis log, although some online scanners didn't work so well (in HouseCall, after a 5 hour scan, I couldn't even fix the viruses displayed :thumbsup: ). The following is my latest HijackThis log. Again, thank you for any help with my computer!


Logfile of HijackThis v1.99.1
Scan saved at 1:45:23 AM, on 01/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\vvbubsmh.dll",forkonce
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Double Desktop Switcher] H:\Stuff\Double Desktop Switcher\DoubleDesktop.exe
O4 - HKCU\..\Run: [Taskbar Hide] C:\Program Files\Taskbar Hide\TaskBar.exe -Start
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LG SyncManager.lnk = C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Xile\Xile Wang\Downloads\Online Poker 2\CarbonPoker\Poker.exe (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\syiyioly.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 30 June 2007 - 11:57 AM

Hello xilew,

Welcome to Bleeping Computer :thumbsup:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 xilew (Topic Starter)

Posted 01 July 2007 - 05:21 AM

Hi teacup61, thank you very much for helping me with my computer. Here is vundofix.txt and a fresh HijackThis log.


VundoFix V6.5.4

Checking Java version...

Java version is 1.4.2.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 7:47:09 PM 01/07/2007

Listing files found while scanning....

C:\windows\system32\fccdcyy.dll
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.ini
C:\windows\system32\hmsbubvv.ini
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\vvbubsmh.dll
C:\WINDOWS\system32\xcnkwupp.dll
C:\WINDOWS\system32\xxywwus.dll

Beginning removal...

Attempting to delete C:\windows\system32\fccdcyy.dll
C:\windows\system32\fccdcyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini Has been deleted!

Attempting to delete C:\windows\system32\hmsbubvv.ini
C:\windows\system32\hmsbubvv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkhhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vvbubsmh.dll
C:\WINDOWS\system32\vvbubsmh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xcnkwupp.dll
C:\WINDOWS\system32\xcnkwupp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywwus.dll
C:\WINDOWS\system32\xxywwus.dll Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 8:19:48 PM, on 01/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Xile\Xile Wang\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7C9EB0B0-B1F8-45FB-BFC3-5D5D45A3E8C2} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Double Desktop Switcher] H:\Stuff\Double Desktop Switcher\DoubleDesktop.exe
O4 - HKCU\..\Run: [Taskbar Hide] C:\Program Files\Taskbar Hide\TaskBar.exe -Start
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LG SyncManager.lnk = C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Xile\Xile Wang\Downloads\Online Poker 2\CarbonPoker\Poker.exe (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\syiyioly.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
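The VundoFix listing above pairs each randomly named DLL with companion files whose name is the DLL's stem spelled backwards: jkhhh.dll sits beside hhhkj.ini, hhhkj.bak1 and hhhkj.bak2, and vvbubsmh.dll beside hmsbubvv.ini. The Python below is an added example, not VundoFix's code and not anything posted in the thread. It applies that reversed-name rule to a directory listing (constructed here from the file names in the VundoFix output, padded with a few ordinary system32 files) and reports each DLL together with its companions. How VundoFix itself selects files is not known from the page; the pairing rule is the example's own heuristic.

```python
"""Pair randomly named Vundo DLLs with their reversed-name companion files.

Added example, not part of the original thread or of VundoFix. It takes a
directory listing and reports every DLL whose stem, read backwards, is the
stem of a .ini or .bak* file in the same directory. The rule is a heuristic
drawn from the file names VundoFix reported above, not a published one.
"""
import os
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the nine paths VundoFix listed in the thread, plus a few
# legitimate system32 files so the heuristic has something to ignore.
SAMPLE_LISTING = [
    r"C:\windows\system32\fccdcyy.dll",
    r"C:\WINDOWS\system32\hhhkj.bak1",
    r"C:\WINDOWS\system32\hhhkj.bak2",
    r"C:\WINDOWS\system32\hhhkj.ini",
    r"C:\windows\system32\hmsbubvv.ini",
    r"C:\WINDOWS\system32\jkhhh.dll",
    r"C:\WINDOWS\system32\vvbubsmh.dll",
    r"C:\WINDOWS\system32\xcnkwupp.dll",
    r"C:\WINDOWS\system32\xxywwus.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\desktop.ini",
    r"C:\WINDOWS\system32\WgaLogon.dll",
]

# Companion extensions seen in the listing: .ini and numbered .bak backups.
COMPANION_EXT = re.compile(r"^\.(ini|bak\d*)$", re.IGNORECASE)


def _basename(path: str) -> str:
    # os.path.basename treats backslashes as plain characters on POSIX, so
    # split on both separators by hand to keep the example portable.
    return re.split(r"[\\/]", path)[-1]


def _stem_ext(path: str) -> Tuple[str, str]:
    stem, ext = os.path.splitext(_basename(path))
    return stem.lower(), ext.lower()


def find_reversed_pairs(listing: Iterable[str]) -> Dict[str, List[str]]:
    """Map each DLL file name to the companion files whose stem is its reverse."""
    companions = defaultdict(list)   # lower-case stem -> companion paths
    dlls = []                        # (lower-case stem, full path)
    for path in listing:
        stem, ext = _stem_ext(path)
        if ext == ".dll":
            dlls.append((stem, path))
        elif COMPANION_EXT.match(ext):
            companions[stem].append(path)

    pairs = {}
    for stem, path in dlls:
        mates = companions.get(stem[::-1])   # stem spelled backwards
        if mates:
            pairs[_basename(path)] = sorted(mates)
    return pairs


if __name__ == "__main__":
    for dll, mates in find_reversed_pairs(SAMPLE_LISTING).items():
        print(dll)
        for mate in mates:
            print("   companion:", mate)
```

A DLL with no reversed-name companion (fccdcyy.dll, xcnkwupp.dll, xxywwus.dll in the listing) is not reported, so the rule confirms a suspicion rather than finding every dropped file; VundoFix removed those three as well.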

#4 teacup61 (Malware Response Team)

Posted 01 July 2007 - 12:30 PM

Hello,

Via Add/Remove Programs, please uninstall/remove all the old versions of Java. These make your computer vulnerable to this type of malware attack. The only one you should have is the latest version, jre1.6.0_01. Reboot your computer when you're done.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {7C9EB0B0-B1F8-45FB-BFC3-5D5D45A3E8C2} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\syiyioly.exe (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Download the trial version of Spy Sweeper from here.


Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread. Also please let me know how your computer is running now. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
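
The fix list above is the kind of entry a helper picks out of a HijackThis log by eye: hooks that point at a file that is gone, entries with no name, services with no vendor and binaries sitting in odd places. As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that applies those same rules of thumb to a log and ranks the entries. The embedded sample is constructed: the R3, O2 jkhhh, O16, O20 and both "Unknown owner"/McShield O23 lines are copied from the posts above, while the Adobe O2 line (placeholder GUID) and the O4 line for mgrs.exe in C:\WINDOWS are made up for illustration. The rule weights are an assumption; the point they make is that "Unknown owner" on its own (the MATLAB service) is a weak signal, while "(file missing)" is a strong one.

```python
import ntpath
import re

# Constructed sample in the HijackThis log format used in this thread.
# The R3, O2 jkhhh, O16, O20 and both O23 "Unknown owner"/McShield lines are
# copied from the posts above; the Adobe O2 line (placeholder GUID) and the
# O4 line for mgrs.exe (the C:\WINDOWS file the poster describes) are
# constructed for illustration.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {7C9EB0B0-B1F8-45FB-BFC3-5D5D45A3E8C2} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [mgrs] C:\WINDOWS\mgrs.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/au/games4.cab
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\syiyioly.exe (file missing)
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
"""

# "O23 - Service: ..." / "R3 - URLSearchHook: ..." -> section code + rest of line
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.+)$")
# First Windows path ending in an executable-ish extension
PATH_RE = re.compile(r"(?i)([a-z]:\\.*?\.(?:exe|dll|sys|ocx))")


def _heuristics(section, body):
    """Yield (weight, reason) for each rule of thumb that matches one entry.

    Weights are assumptions for this example; the point is that a single
    weak signal ("Unknown owner") is not the same as a missing file.
    """
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        yield 3, "references a file that is no longer on disk (leftover hook, or a component the scanner cannot see)"
    if "(no name)" in low:
        yield 2, "entry carries no display name"
    if "unknown owner" in low:
        yield 1, "service binary carries no vendor information"
    if section == "O16" and "http://" in low:
        yield 2, "ActiveX control (DPF) downloaded from an external site"
    m = PATH_RE.search(body)
    if m:
        directory = ntpath.dirname(m.group(1)).lower()
        if directory == r"c:\windows" or r"\temp" in directory:
            yield 3, "binary lives directly in the Windows folder or in a Temp folder"


def triage_hijackthis(log_text):
    """Score every entry in a HijackThis log; return findings, worst first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line, header text, etc.
        hits = list(_heuristics(m.group("section"), m.group("body")))
        if not hits:
            continue  # nothing unusual about this entry
        score = sum(weight for weight, _ in hits)
        findings.append({
            "section": m.group("section"),
            "score": score,
            "severity": "high" if score >= 3 else "medium" if score == 2 else "low",
            "reasons": [reason for _, reason in hits],
            "line": line,
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def format_report(findings):
    """Render findings as the kind of checklist a helper would paste back."""
    out = []
    for f in findings:
        out.append(f"[{f['severity']:<6}] {f['line']}")
        for reason in f["reasons"]:
            out.append(f"          - {reason}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage_hijackthis(SAMPLE_HJT_LOG)))
```

Run as-is it prints the five entries from the fix list and the constructed mgrs.exe line as high, the DPF download as medium and the MATLAB service as low, and leaves the McShield and Adobe entries out; a real log is just passed in place of the sample string. The output is a list of questions to ask, not a verdict: the low-rated MATLAB entry shows why a helper still reads the path before deciding.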

#5 xilew

xilew
  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:58 AM

Posted 02 July 2007 - 03:58 AM

Hi, I have removed all old versions of Java, but after restarting my computer I checked the Java folder in Program Files, and there was still a j2re1.4.2_04 folder and a jre1.6.0_01 folder. Should I delete the first one? After the HijackThis fixes, my computer restarted and I think my IE is now running much more smoothly :thumbsup:. IE still seems to be crashing regularly, though: no warning, the whole thing just closes. Sometimes error messages are displayed. I have included screenshots in this post. (Only 2 were taken; the first one I missed, but it was similar.)

I downloaded Spy Sweeper and installed the Spyware package (not the Spyware + AntiVirus package). I then scanned the C drive. All was going well until the scanner stopped at the file C:\windows\system32\drivers\runtime2.sys. It remained on the file for 10 min before I decided the program had stalled. I tried stopping the scan, but the computer was frozen and I couldn't open anything (when I opened the start menu I couldn't activate any programs, I couldn't shut down or log off, and when I pressed Ctrl+Alt+Del for Task Manager it didn't come up; only a Windows error sound played). I forced my computer to shut down and tried the scan again, but the same problem occurred. Upon restart, Spy Sweeper produced an error log, which I have included in this post. Also, when I looked in the C:\windows\system32\drivers\ directory, I couldn't find the file runtime2.sys, even with show hidden files on. (Note: I have noticed that the freezing problem occurs when I leave my computer idle for about 1 hour.)

Upon restarting the computer, Spy Sweeper detects trojan-zero (sysmon32 and winsys64 came under this) and trojan-downloader.gen (driver.exe came under this). Although I delete them, they show up again on the next restart.

I have also noticed some suspicious files:
-In the C:\WINDOWS directory there is an exe file named 'mgrs', which is the application McAfee On-Access Scan detects as the cause of one, two or all of these: Winsys64.exe, Driver.exe, Sysmon.exe. Beside mgrs, there is another exe file named 'retadpu1000272'. Both files were created on the day I got the virus.
-In the C:\WINDOWS\Temp directory there is an exe file named 'startdrv' created one day after I got the virus.
-In the C:\WINDOWS\system32 directory the file 'xpdx' is still there (True Sword 4 detected this as a 'Constrat Trojan'). Next to this file, created at exactly the same time and date (the day I got the virus), is an NLS file named '7_exception'.

I have listed these files as I do not want to touch them in case I do something stupid. Anyway, I really appreciate your advice so far.



date/time : 2007-07-02, 16:37:19, 906ms
computer name : CSIRO-WANG
user name : Xile <admin>
registered owner : X Wang / CSIRO
operating system : Windows XP Service Pack 2 build 2600
system language : English
system up time : 1 hour 52 minutes
program up time : 1 hour 44 minutes
processors : 2x Intel® Pentium® 4 CPU 2.60GHz
physical memory : 14/511 MB (free/total)
free disk space : (C:) 4.43 GB
display mode : 1024x768, 32 bit
process id : $894
allocated memory : 34.03 MB
command line : "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
executable : SpySweeperUI.exe
exec. date/time : 2007-06-21 18:57
version : 5.5.1.3356
madExcept version : 3.0c
callstack crc : $f628568f, $55cfc3c0, $53679faf
exception number : 1
exception class : EReadError
exception message : Error reading btnContextHelp.Left: System Error. Code: 14. Not enough storage is available to complete this operation.

main thread ($898):
004706e2 SpySweeperUI.exe Classes HandleException
004708b9 SpySweeperUI.exe Classes TReader.ReadProperty
00470201 SpySweeperUI.exe Classes TReader.ReadDataInner
004701e3 SpySweeperUI.exe Classes TReader.ReadData
00477141 SpySweeperUI.exe Classes TComponent.ReadState
004ad0c1 SpySweeperUI.exe Controls TControl.ReadState
004b0e79 SpySweeperUI.exe Controls TWinControl.ReadState
0047005b SpySweeperUI.exe Classes TReader.ReadComponent
00470275 SpySweeperUI.exe Classes TReader.ReadDataInner
00471020 SpySweeperUI.exe Classes TReader.ReadRootComponent
0046e2ea SpySweeperUI.exe Classes TStream.ReadComponent
0046a37f SpySweeperUI.exe Classes InternalReadComponentRes
0046a509 SpySweeperUI.exe Classes InitComponent
0046a4cd SpySweeperUI.exe Classes InitComponent
00404b4d SpySweeperUI.exe System 784 @AfterConstruction
00404754 SpySweeperUI.exe System 784 TObject.Create
00404adf SpySweeperUI.exe System 784 @ClassCreate
0076d272 SpySweeperUI.exe MainForm 1470 TfrmMain.ShowFrame
0076d683 SpySweeperUI.exe MainForm 1604 TfrmMain.SetCurrentPage
0077fd5c SpySweeperUI.exe MainForm 7470 TfrmMain.SetPage
0076c5f5 SpySweeperUI.exe MainForm 1254 TfrmMain.actQuarantinedExecute
004776d3 SpySweeperUI.exe Classes TBasicAction.Execute
004be095 SpySweeperUI.exe ActnList TContainedAction.Execute
004bed5c SpySweeperUI.exe ActnList TCustomAction.Execute
0047759f SpySweeperUI.exe Classes TBasicActionLink.Execute
004af9bd SpySweeperUI.exe Controls TControl.Click
0057c3b3 SpySweeperUI.exe te_controls 4089 TTeButton.Click
0057d906 SpySweeperUI.exe te_controls 4600 TTeButton.MouseUp
004afdd8 SpySweeperUI.exe Controls TControl.DoMouseUp
004afe5a SpySweeperUI.exe Controls TControl.WMLButtonUp
004af4cf SpySweeperUI.exe Controls TControl.WndProc
004b3215 SpySweeperUI.exe Controls TWinControl.WndProc
004c56b5 SpySweeperUI.exe Forms TCustomForm.WndProc
00775979 SpySweeperUI.exe MainForm 4378 TfrmMain.WndProc
004af15c SpySweeperUI.exe Controls TControl.Perform
004b29a0 SpySweeperUI.exe Controls TWinControl.MainWndProc
00478394 SpySweeperUI.exe Classes StdWndProc
7e4196c2 USER32.dll DispatchMessageA
004cce20 SpySweeperUI.exe Forms TApplication.ProcessMessage
004cce5a SpySweeperUI.exe Forms TApplication.HandleMessage
004cd07a SpySweeperUI.exe Forms TApplication.Run
00790bbb SpySweeperUI.exe SpySweeperUI 657 initialization

thread $8b8:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025c5 kernel32.dll WaitForSingleObjectEx
7c80252d kernel32.dll WaitForSingleObject

thread $8bc:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025c5 kernel32.dll WaitForSingleObjectEx
7c80252d kernel32.dll WaitForSingleObject

thread $a64 (TErrorEventThread):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9be ntdll.dll NtWaitForSingleObject
7c8025c5 kernel32.dll WaitForSingleObjectEx
7c80252d kernel32.dll WaitForSingleObject
00487650 SpySweeperUI.exe SyncObjs THandleObject.WaitFor
004e32fb SpySweeperUI.exe Errors 1344 TErrorEventThread.Execute
004500f3 SpySweeperUI.exe madExcept HookedTThreadExecute
0047663c SpySweeperUI.exe Classes ThreadProc
0040570c SpySweeperUI.exe System 784 ThreadWrapper
0044ffd5 SpySweeperUI.exe madExcept CallThreadProcSafe
0045003f SpySweeperUI.exe madExcept ThreadExceptFrame
>> created by main thread ($898) at:
0078db5b SpySweeperUI.exe Errors 1379 initialization

thread $ae4 (TVolumeInfoRefresher):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9a9 ntdll.dll NtWaitForMultipleObjects
7c8094dc kernel32.dll WaitForMultipleObjectsEx
7c80a070 kernel32.dll WaitForMultipleObjects
004e49b4 SpySweeperUI.exe VolumeInfo 275 TVolumeInfoRefresher.Execute
004500f3 SpySweeperUI.exe madExcept HookedTThreadExecute
0047663c SpySweeperUI.exe Classes ThreadProc
0040570c SpySweeperUI.exe System 784 ThreadWrapper
0044ffd5 SpySweeperUI.exe madExcept CallThreadProcSafe
0045003f SpySweeperUI.exe madExcept ThreadExceptFrame
>> created by main thread ($898) at:
004e4876 SpySweeperUI.exe VolumeInfo 244 TVolumeInfoRefresher.Create

thread $d48 (TGlobalShutdownThread):
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e9a9 ntdll.dll NtWaitForMultipleObjects
7c8094dc kernel32.dll WaitForMultipleObjectsEx
7c80a070 kernel32.dll WaitForMultipleObjects
00696456 SpySweeperUI.exe GSThread 110 TGlobalShutdownThread.Execute
004500f3 SpySweeperUI.exe madExcept HookedTThreadExecute
0047663c SpySweeperUI.exe Classes ThreadProc
0040570c SpySweeperUI.exe System 784 ThreadWrapper
0044ffd5 SpySweeperUI.exe madExcept CallThreadProcSafe
0045003f SpySweeperUI.exe madExcept ThreadExceptFrame
>> created by main thread ($898) at:
0069634d SpySweeperUI.exe GSThread 90 TGlobalShutdownThread.Create

thread $db0:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e397 ntdll.dll NtReplyWaitReceivePortEx
0044ffd5 SpySweeperUI.exe madExcept CallThreadProcSafe
0045003f SpySweeperUI.exe madExcept ThreadExceptFrame
>> created by main thread ($898) at:
77e8760d RPCRT4.dll

thread $e04:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e397 ntdll.dll NtReplyWaitReceivePortEx
0044ffd5 SpySweeperUI.exe madExcept CallThreadProcSafe
0045003f SpySweeperUI.exe madExcept ThreadExceptFrame
>> created by thread $db0 at:
77e8760d RPCRT4.dll

thread $83c:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90d85a ntdll.dll NtDelayExecution

thread $ad0:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90e397 ntdll.dll NtReplyWaitReceivePortEx
0044ffd5 SpySweeperUI.exe madExcept CallThreadProcSafe
0045003f SpySweeperUI.exe madExcept ThreadExceptFrame
>> created by thread $db0 at:
77e8760d RPCRT4.dll

thread $1778:
7c90eb94 ntdll.dll KiFastSystemCallRet
7c90d85a ntdll.dll NtDelayExecution
7c8023e7 kernel32.dll SleepEx
7c80244c kernel32.dll Sleep
0044ffd5 SpySweeperUI.exe madExcept CallThreadProcSafe
0045003f SpySweeperUI.exe madExcept ThreadExceptFrame
>> created by main thread ($898) at:
7750cc4a ole32.dll

modules:
00330000 Normaliz.dll 6.0.5441.0 C:\WINDOWS\system32
00340000 wrid.dll C:\Program Files\Webroot\Spy Sweeper
00400000 SpySweeperUI.exe 5.5.1.3356 C:\Program Files\Webroot\Spy Sweeper
02c10000 hhctrl.ocx 5.2.3790.2847 C:\WINDOWS\System32
02f30000 language.dll 5.5.1.3356 C:\Program Files\Webroot\Spy Sweeper
056f0000 SPGRMR.DLL 5.1.2600.2180 C:\WINDOWS\IME
10000000 SKCHUI.DLL 1.0.1038.0 C:\Program Files\Common Files\Microsoft Shared\Ink
20000000 xpsp2res.dll 5.1.2600.2180 C:\WINDOWS\system32
42990000 iertutil.dll 7.0.6000.16473 C:\WINDOWS\system32
42c10000 wininet.dll 7.0.6000.16473 C:\WINDOWS\system32
5ad70000 uxtheme.dll 6.0.2900.2180 C:\WINDOWS\system32
5b0a0000 umdmxfrm.dll 5.1.2600.0 C:\WINDOWS\system32
5b860000 NETAPI32.dll 5.1.2600.2976 C:\WINDOWS\system32
5c2c0000 sptip.dll 5.1.2600.2180 C:\WINDOWS\ime
5cd70000 serwvdrv.dll 5.1.2600.0 C:\WINDOWS\system32
5edd0000 olepro32.dll 5.1.2600.2180 C:\WINDOWS\system32
605d0000 mslbui.dll 5.1.2600.2180 C:\WINDOWS\system32
662b0000 hnetcfg.dll 5.1.2600.2180 C:\WINDOWS\system32
69b10000 msxml4.dll 4.20.9841.0 C:\WINDOWS\system32
71a50000 mswsock.dll 5.1.2600.2180 C:\WINDOWS\system32
71a90000 wshtcpip.dll 5.1.2600.2180 C:\WINDOWS\System32
71aa0000 WS2HELP.dll 5.1.2600.2180 C:\WINDOWS\system32
71ab0000 WS2_32.dll 5.1.2600.2180 C:\WINDOWS\system32
71ad0000 wsock32.dll 5.1.2600.2180 C:\WINDOWS\system32
71b20000 mpr.dll 5.1.2600.2180 C:\WINDOWS\system32
722b0000 sensapi.dll 5.1.2600.2180 C:\WINDOWS\system32
73000000 winspool.drv 5.1.2600.2180 C:\WINDOWS\system32
74720000 MSCTF.dll 5.1.2600.2180 C:\WINDOWS\system32
74c80000 OLEACC.dll 4.2.5406.0 C:\WINDOWS\system32
75290000 wbemcomn.dll 5.1.2600.2180 C:\WINDOWS\System32\wbem
755c0000 msctfime.ime 5.1.2600.2180 C:\WINDOWS\system32
75690000 fastprox.dll 5.1.2600.2180 C:\WINDOWS\System32\wbem
75830000 mstask.dll 5.1.2600.2180 C:\WINDOWS\system32
75e90000 SXS.DLL 5.1.2600.3019 C:\WINDOWS\system32
76080000 MSVCP60.dll 6.2.3104.0 C:\WINDOWS\system32
76380000 msimg32.dll 5.1.2600.2180 C:\WINDOWS\system32
76390000 imm32.dll 5.1.2600.2180 C:\WINDOWS\system32
763b0000 comdlg32.dll 6.0.2900.2180 C:\WINDOWS\system32
76600000 CSCDLL.dll 5.1.2600.2180 C:\WINDOWS\System32
767a0000 NTDSAPI.dll 5.1.2600.2180 C:\WINDOWS\system32
769c0000 USERENV.dll 5.1.2600.2180 C:\WINDOWS\system32
76b40000 winmm.dll 5.1.2600.2180 C:\WINDOWS\system32
76bf0000 PSAPI.dll 5.1.2600.2180 C:\WINDOWS\system32
76d60000 iphlpapi.dll 5.1.2600.2912 C:\WINDOWS\system32
76e80000 rtutils.dll 5.1.2600.2180 C:\WINDOWS\system32
76e90000 rasman.dll 5.1.2600.2180 C:\WINDOWS\system32
76eb0000 tapi32.dll 5.1.2600.2180 C:\WINDOWS\system32
76ee0000 RASAPI32.dll 5.1.2600.2180 C:\WINDOWS\system32
76f20000 DNSAPI.dll 5.1.2600.2938 C:\WINDOWS\system32
76f60000 WLDAP32.dll 5.1.2600.2180 C:\WINDOWS\system32
76fb0000 winrnr.dll 5.1.2600.2180 C:\WINDOWS\System32
76fc0000 rasadhlp.dll 5.1.2600.2938 C:\WINDOWS\system32
76fd0000 CLBCATQ.DLL 2001.12.4414.308 C:\WINDOWS\system32
77050000 COMRes.dll 2001.12.4414.258 C:\WINDOWS\system32
77120000 oleaut32.dll 5.1.2600.2180 C:\WINDOWS\system32
773d0000 comctl32.dll 6.0.2900.2982 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
774e0000 ole32.dll 5.1.2600.2726 C:\WINDOWS\system32
77920000 SETUPAPI.dll 5.1.2600.2180 C:\WINDOWS\system32
77a20000 cscui.dll 5.1.2600.2180 C:\WINDOWS\System32
77a80000 crypt32.dll 5.131.2600.2180 C:\WINDOWS\system32
77b20000 MSASN1.dll 5.1.2600.2180 C:\WINDOWS\system32
77b40000 appHelp.dll 5.1.2600.2180 C:\WINDOWS\system32
77c00000 version.dll 5.1.2600.2180 C:\WINDOWS\system32
77c10000 msvcrt.dll 7.0.2600.2180 C:\WINDOWS\system32
77c70000 msv1_0.dll 5.1.2600.2180 C:\WINDOWS\system32
77dd0000 ADVAPI32.dll 5.1.2600.2180 C:\WINDOWS\system32
77e70000 RPCRT4.dll 5.1.2600.2180 C:\WINDOWS\system32
77f10000 GDI32.dll 5.1.2600.3099 C:\WINDOWS\system32
77f60000 SHLWAPI.dll 6.0.2900.3020 C:\WINDOWS\system32
77fe0000 Secur32.dll 5.1.2600.2180 C:\WINDOWS\system32
7c800000 kernel32.dll 5.1.2600.3119 C:\WINDOWS\system32
7c900000 ntdll.dll 5.1.2600.2180 C:\WINDOWS\system32
7c9c0000 shell32.dll 6.0.2900.3051 C:\WINDOWS\system32
7d1e0000 msi.dll 3.1.4000.4039 C:\WINDOWS\system32
7e410000 USER32.dll 5.1.2600.3099 C:\WINDOWS\system32

processes:
000 Idle
004 System normal
418 smss.exe normal C:\WINDOWS\system32
458 csrss.exe
474 winlogon.exe high C:\WINDOWS\system32
4a0 services.exe normal C:\WINDOWS\system32
4b4 lsass.exe normal C:\WINDOWS\system32
56c Ati2evxx.exe normal C:\WINDOWS\system32
57c svchost.exe normal C:\WINDOWS\system32
630 svchost.exe
6ac svchost.exe normal C:\WINDOWS\System32
744 svchost.exe
7dc svchost.exe
1b4 spoolsv.exe normal C:\WINDOWS\system32
230 cvpnd.exe normal C:\Program Files\Cisco Systems\VPN Client
2c8 FrameworkService.exe normal C:\Program Files\Network Associates\Common Framework
304 mcshield.exe high C:\Program Files\Network Associates\VirusScan
330 vstskmgr.exe normal C:\Program Files\Network Associates\VirusScan
364 mdm.exe normal C:\Program Files\Common Files\Microsoft Shared\VS7Debug
398 naPrdMgr.exe
074 retrorun.exe normal C:\Program Files\Dantz\Retrospect
5d4 svchost.exe normal C:\WINDOWS\System32
664 SpySweeper.exe normal C:\Program Files\Webroot\Spy Sweeper
438 alg.exe
dbc Ati2evxx.exe normal C:\WINDOWS\system32
e48 ctfmon.exe normal C:\WINDOWS\system32
e50 Explorer.EXE normal C:\WINDOWS
790 PRONoMgr.exe normal C:\Program Files\Intel\NCS\PROSet
2c4 carpserv.exe normal C:\WINDOWS\system32
2fc atiptaxx.exe normal C:\Program Files\ATI Technologies\ATI Control Panel
324 VM_STI.EXE normal C:\WINDOWS
344 type32.exe normal C:\Program Files\Microsoft Hardware\Keyboard
354 DSC.exe normal C:\Program Files\OptusNet DSL Internet
35c SOUNDMAN.EXE normal C:\WINDOWS
520 SHSTAT.EXE normal C:\Program Files\Network Associates\VirusScan
3fc UpdaterUI.exe normal C:\Program Files\Network Associates\Common Framework
42c LVCOMSX.EXE normal C:\WINDOWS\system32
620 LogiTray.exe normal C:\Program Files\Logitech\Video
7d4 OneTouch.exe normal C:\PROGRA~1\Maxtor\OneTouch\Utils
7e8 MXOALDR.EXE normal C:\WINDOWS
818 HPWuSchd2.exe normal C:\Program Files\HP\HP Software Update
824 iTunesHelper.exe normal C:\Program Files\iTunes
848 qttask.exe normal C:\Program Files\QuickTime
87c mgrs.exe normal C:\WINDOWS
888 jusched.exe normal C:\Program Files\Java\jre1.6.0_01\bin
894 SpySweeperUI.exe normal C:\Program Files\Webroot\Spy Sweeper
8cc LogitechDesktopMessenger.exe normal C:\Program Files\Logitech\Desktop Messenger\8876480\Program
8dc FxSvr2.exe normal C:\Program Files\Logitech\Video
8f0 GoogleToolbarNotifier.exe normal C:\Program Files\Google\GoogleToolbarNotifier
0fc iPodService.exe normal C:\Program Files\iPod\bin
b0c ServiceLayer.exe normal C:\Program Files\Common Files\PCSuite\Services
af4 vpngui.exe normal C:\Program Files\Cisco Systems\VPN Client
c6c msimn.exe normal C:\Program Files\Outlook Express
24c IEXPLORE.EXE normal C:\Program Files\Internet Explorer

hardware:
+ Computer
- ACPI Multiprocessor PC
+ Disk drives
- ST380013AS
+ Display adapters
- RADEON 9200 SERIES (driver 8.252.0.0)
- RADEON 9200 SERIES - Secondary (driver 8.252.0.0)
+ DVD/CD-ROM drives
- PIONEER DVD-ROM DVD-121
+ Floppy disk controllers
- Standard floppy disk controller
+ Floppy disk drives
- Floppy disk drive
+ Human Interface Devices
- HID-compliant device
- HID-compliant device
- USB Human Interface Device
- USB Human Interface Device
+ IDE ATA/ATAPI controllers
- Primary IDE Channel
- Secondary IDE Channel
- Standard Dual Channel PCI IDE Controller
+ IEEE 1394 Bus host controllers
- Texas Instruments OHCI Compliant IEEE 1394 Host Controller
+ Imaging devices
- Logitech QuickCam Express (driver 8.2.0.1189)
+ Keyboards
- Microsoft PS/2 Keyboard (IntelliType Pro)
+ Mice and other pointing devices
- Logitech HID-compliant G5 Laser Mouse (driver 2.42.0.0)
+ Modems
- SoftV92 Speakerphone Modem with SmartSP (driver 7.2.0.51)
+ Monitors
- Philips 170S (17inch LCD MONITOR 170S4) (driver 1.0.0.0)
+ Network adapters
- 1394 Net Adapter
- Cisco Systems VPN Adapter (driver 4.0.0.106)
- Hamachi Network Interface (driver 5.9.9.6)
- Intel® PRO/100 VE Network Connection (driver 7.0.26.0)
- MAC Bridge Miniport
+ Ports (COM

Attached Files
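
The madExcept report above carries two things a helper wants at a glance: the exception itself (Windows error code 14 is ERROR_OUTOFMEMORY, and the header shows only 14 of 511 MB of RAM free, so the Spy Sweeper crash is a symptom of memory exhaustion rather than a separate problem) and a full process list, from which the poster has already singled out mgrs.exe in C:\WINDOWS. As an added example (not part of this thread and not Webroot's or madExcept's code), here is a Python script that parses that report layout, pulls out the exception and free-memory figures, and lists the process images a helper would normally ask about. The embedded excerpt is a shortened copy of the poster's report (thread dumps and most processes trimmed); the directory rules and the allowance that Explorer.EXE legitimately lives in C:\WINDOWS are assumptions for this example, and an entry with no image path is reported as such, not as malicious.

```python
import re

# Constructed excerpt in the madExcept report layout pasted above: the
# header values and process lines are copied from the poster's report, with
# the thread dumps and most processes trimmed so the example stays short.
SAMPLE_REPORT = r"""
date/time : 2007-07-02, 16:37:19, 906ms
operating system : Windows XP Service Pack 2 build 2600
physical memory : 14/511 MB (free/total)
executable : SpySweeperUI.exe
exception class : EReadError
exception message : Error reading btnContextHelp.Left: System Error. Code: 14. Not enough storage is available to complete this operation.

main thread ($898):
004706e2 SpySweeperUI.exe Classes HandleException
00470201 SpySweeperUI.exe Classes TReader.ReadDataInner

processes:
000 Idle
004 System normal
418 smss.exe normal C:\WINDOWS\system32
458 csrss.exe
474 winlogon.exe high C:\WINDOWS\system32
57c svchost.exe normal C:\WINDOWS\system32
630 svchost.exe
304 mcshield.exe high C:\Program Files\Network Associates\VirusScan
e50 Explorer.EXE normal C:\WINDOWS
324 VM_STI.EXE normal C:\WINDOWS
848 qttask.exe normal C:\Program Files\QuickTime
87c mgrs.exe normal C:\WINDOWS
24c IEXPLORE.EXE normal C:\Program Files\Internet Explorer

hardware:
+ Computer
"""

HEADER_RE = re.compile(r"^(.+?)\s:\s(.*)$")  # "key : value" lines at the top
# "pid image [priority] [directory]" lines in the processes: section
PROC_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{3})\s+(?P<image>\S+)"
    r"(?:\s+(?P<prio>below normal|above normal|normal|high|idle|realtime))?"
    r"(?:\s+(?P<dir>[A-Za-z]:\\.*))?$"
)

# Assumed for this example: where process images normally live on XP, and
# which images are expected in the Windows folder itself.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")
WINDOWS_ROOT_RESIDENTS = {"explorer.exe"}


def parse_madexcept_report(text):
    """Pull the header fields and the process table out of a madExcept report."""
    header, processes = {}, []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " : " not in line:
            section = line[:-1]  # "main thread ($898)", "processes", "hardware", ...
            continue
        if section == "header":
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1).strip()] = m.group(2).strip()
        elif section == "processes":
            m = PROC_RE.match(line)
            if m:
                processes.append(m.groupdict())  # unmatched groups come back as None
    memory = None
    m = re.match(r"(\d+)/(\d+) MB", header.get("physical memory", ""))
    if m:
        memory = (int(m.group(1)), int(m.group(2)))  # (free, total)
    return {"header": header, "memory": memory, "processes": processes}


def memory_pressure(report):
    """True when free RAM at crash time was tiny, so a 'Not enough storage'
    error is a symptom of exhaustion rather than the crashing program's own bug."""
    if not report["memory"]:
        return False
    free, total = report["memory"]
    return free < 32 or free * 20 < total  # under 32 MB or under 5 % free


def triage_processes(processes):
    """List (pid, image, note) for images a helper would ask the poster about."""
    notes = []
    for p in processes:
        image = p["image"]
        if image in ("Idle", "System"):
            continue  # kernel pseudo-processes, never have an image path
        directory = (p["dir"] or "").lower()
        if not directory:
            notes.append((p["pid"], image, "no image path reported"))
        elif directory == r"c:\windows":
            if image.lower() not in WINDOWS_ROOT_RESIDENTS:
                notes.append((p["pid"], image, "runs from the Windows folder itself; confirm the vendor"))
        elif not directory.startswith(TRUSTED_PREFIXES):
            notes.append((p["pid"], image, "runs outside system32 / Program Files"))
    return notes


def summarize(report):
    """Plain-text summary: the crash, the memory situation, the process questions."""
    h = report["header"]
    lines = [f"{h.get('executable')}: {h.get('exception class')}: {h.get('exception message')}"]
    if memory_pressure(report):
        free, total = report["memory"]
        lines.append(f"only {free} of {total} MB RAM free at crash time; treat the error as memory exhaustion")
    for pid, image, note in triage_processes(report["processes"]):
        lines.append(f"pid {pid} {image}: {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_madexcept_report(SAMPLE_REPORT)))
```

On the sample this reports the EReadError, flags the 14 MB of free memory, and lists csrss.exe and one svchost.exe (no path in the report), VM_STI.EXE and mgrs.exe (Windows folder); Explorer.EXE, the system32 processes and everything under Program Files are left alone. The memory check is worth keeping separate from the process triage: when a scanner dies with an out-of-memory error on a box with 511 MB, the process list explains where the memory went, and that is a different question from which of those processes is malicious.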



#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:58 AM

Posted 03 July 2007 - 11:28 AM

Hello,

Let's run this tool :

If you happen to have another version of ComboFix, please delete it first.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Keep those descriptions coming! They help, and I appreciate the time you're taking to tell me. :thumbsup:

Thanks,
tea

#7 xilew

xilew
  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:58 AM

Posted 04 July 2007 - 09:39 AM

Hi, ok firstly, before I saw your latest post, I managed to disable qttask.exe from running by using msconfig and unchecking its startup command. This significantly brought down my CPU to the original level. I then managed to run Spy Sweeper in Safe Mode and it didn't stall and freeze up, although an error log was still produced. It removed a lot of trojans and adware and I have included that particular session's log (I also have the other failed stalling session log files; if you need them, feel free to ask). After that, I realised random invisible IEs were opening up, showing up in Task Manager as iexplore.exe. I then tried running HijackThis and it kept freezing on O23 NT Services. My computer then would never shut down when it arrived at the 'Windows is shutting down' quote. It looked as if I were doomed :flowers:.

Thankfully, I downloaded ComboFix and ran it. After running it and restarting my computer, all of these problems went away. I even let qttask.exe run at startup, and magically, it didn't even appear on the Processes tab in Task Manager, let alone take up CPU :thumbsup:. Anyway, below are the Spy Sweeper log from Safe Mode, the ComboFix log and the HijackThis log.

----------------------------------------------------------------------------------------------------------------------------------------------

6:55 PM: Deletion from quarantine completed. Elapsed time 00:00:00
6:55 PM: Processing: twain-tech
6:55 PM: Processing: Troj/Agent-FVT
6:55 PM: Processing: Troj/Femad-B
6:55 PM: Processing: Troj/Agent-FXL
6:55 PM: Processing: altnet
6:55 PM: Processing: ist istbar
6:55 PM: Processing: bullguard popup ad
6:55 PM: Processing: web-stat cookie
6:55 PM: Processing: upspiral cookie
6:55 PM: Processing: gamespy cookie
6:55 PM: Processing: overture cookie
6:55 PM: Processing: about cookie
6:55 PM: Processing: goclick cookie
6:55 PM: Processing: belnk cookie
6:55 PM: Processing: 66.246.209 cookie
6:55 PM: Processing: toprebates.com cookie
6:55 PM: Processing: offeroptimizer cookie
6:55 PM: Processing: cliks cookie
6:55 PM: Processing: cassava cookie
6:55 PM: Processing: enhance cookie
6:55 PM: Processing: btgrab cookie
6:55 PM: Processing: a cookie
6:55 PM: Processing: atwola cookie
6:55 PM: Processing: abetterinternet cookie
6:55 PM: Processing: 888 cookie
6:55 PM: Processing: tribalfusion cookie
6:55 PM: Processing: tacoda cookie
6:55 PM: Processing: webtrendslive cookie
6:55 PM: Processing: reliablestats cookie
6:55 PM: Processing: partypoker cookie
6:55 PM: Processing: mediaplex cookie
6:55 PM: Processing: redsheriff cookies
6:55 PM: Processing: burstnet cookie
6:55 PM: Processing: atlas dmt cookie
6:55 PM: Processing: cpxinteractive cookie
6:55 PM: Processing: yieldmanager cookie
6:55 PM: Processing: directrevenue-abetterinternet
6:55 PM: Processing: coolwebsearch (cws)
6:55 PM: Processing: cws-aboutblank
6:55 PM: Processing: virtumonde
6:55 PM: Processing: purityscan
6:55 PM: Processing: keenvalue/perfectnav
6:55 PM: Processing: trojan-foop
6:55 PM: Processing: trojan-zero
6:55 PM: Processing: Troj/DwnLdr-GWB
6:55 PM: Deletion from quarantine initiated
6:52 PM: Removal process completed. Elapsed time 00:02:31
6:51 PM: Quarantining All Traces: java byteverify
6:51 PM: Failed to quarantine runtime2.sys
6:51 PM: Failed to quarantine potentially rootkit-masked files
6:51 PM: Warning: QuarantineFile(2): c:\windows\system32\drivers\runtime2.sys - Stream read error
6:51 PM: Quarantining All Traces: potentially rootkit-masked files
6:51 PM: Quarantining All Traces: twain-tech
6:51 PM: Quarantining All Traces: Troj/Agent-FVT
6:51 PM: Quarantining All Traces: trojan-zero
6:51 PM: Quarantining All Traces: Troj/Krepper-G
6:51 PM: Quarantining All Traces: Troj/ByteVeri-K
6:51 PM: Quarantining All Traces: Troj/Femad-B
6:51 PM: Quarantining All Traces: Troj/Agent-FXL
6:51 PM: Quarantining All Traces: Troj/DwnLdr-GWB
6:51 PM: Quarantining All Traces: altnet
6:51 PM: Quarantining All Traces: ist istbar
6:51 PM: Quarantining All Traces: bullguard popup ad
6:51 PM: Quarantining All Traces: web-stat cookie
6:51 PM: Quarantining All Traces: upspiral cookie
6:51 PM: Quarantining All Traces: gamespy cookie
6:51 PM: Quarantining All Traces: overture cookie
6:51 PM: Quarantining All Traces: about cookie
6:51 PM: Quarantining All Traces: goclick cookie
6:51 PM: Quarantining All Traces: belnk cookie
6:51 PM: Quarantining All Traces: 66.246.209 cookie
6:51 PM: Quarantining All Traces: toprebates.com cookie
6:51 PM: Quarantining All Traces: offeroptimizer cookie
6:51 PM: Quarantining All Traces: cliks cookie
6:50 PM: Quarantining All Traces: cassava cookie
6:50 PM: Quarantining All Traces: enhance cookie
6:50 PM: Quarantining All Traces: btgrab cookie
6:50 PM: Quarantining All Traces: a cookie
6:50 PM: Quarantining All Traces: atwola cookie
6:50 PM: Quarantining All Traces: abetterinternet cookie
6:50 PM: Quarantining All Traces: 888 cookie
6:50 PM: Quarantining All Traces: tribalfusion cookie
6:50 PM: Quarantining All Traces: tacoda cookie
6:50 PM: Quarantining All Traces: webtrendslive cookie
6:50 PM: Quarantining All Traces: reliablestats cookie
6:50 PM: Quarantining All Traces: partypoker cookie
6:50 PM: Quarantining All Traces: mediaplex cookie
6:50 PM: Quarantining All Traces: redsheriff cookies
6:50 PM: Quarantining All Traces: burstnet cookie
6:50 PM: Quarantining All Traces: atlas dmt cookie
6:50 PM: Quarantining All Traces: cpxinteractive cookie
6:50 PM: Quarantining All Traces: yieldmanager cookie
6:50 PM: Quarantining All Traces: directrevenue-abetterinternet
6:50 PM: Quarantining All Traces: coolwebsearch (cws)
6:50 PM: Quarantining All Traces: cws-aboutblank
6:50 PM: Quarantining All Traces: virtumonde
6:50 PM: Quarantining All Traces: purityscan
6:50 PM: Quarantining All Traces: keenvalue/perfectnav
6:49 PM: Quarantining All Traces: trojan-foop
6:49 PM: Removal process initiated
6:44 PM: Traces Found: 99
6:44 PM: Custom Sweep has completed. Elapsed time 02:25:01
6:44 PM: File Sweep Complete, Elapsed Time: 02:22:36
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\yazzlesudoku1.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\nvdialer.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz28.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz23.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz19.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz17.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz15.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz12.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz11.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz4.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz2.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz3.zip]
6:44 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz9.zip]
6:43 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\setup files\rdrbig705\enu\data1.cab]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\sexlist.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\isearchtechistactivex1.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\isearchtechistactivex.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\dyfuca2.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\dyfuca1.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\dyfuca.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\dyfucainternetoptimizer1.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\dyfucainternetoptimizer.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz27.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz26.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz25.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz24.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz22.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz21.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz20.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz18.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz16.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz14.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz13.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz10.zip]
6:42 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz8.zip]
6:41 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz7.zip]
6:41 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\sexlist2.zip]
6:41 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\mywaymybar5.zip]
6:41 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\mywaymybar4.zip]
6:41 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\smitfraudctoolbar4.zip]
6:41 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz6.zip]
6:41 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\mywaymybar3.zip]
6:40 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz5.zip]
6:39 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz1.zip]
6:39 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\callinghomebiz.zip]
6:39 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\altnet.zip]
6:39 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\abetterinternet3.zip]
6:39 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\abetterinternet2.zip]
6:38 PM: arc.zip-5881bee0-145f9256.zip (ID = 54462)
6:38 PM: arc.zip-5881bee0-145f9256.zip (ID = 0)
6:38 PM: arc.zip-5881bee0-145f9256.zip (ID = 0)
6:38 PM: arc.zip-5881bee0-145f9256.zip (ID = 64824)
6:38 PM: Found Adware: java byteverify
6:38 PM: arc.zip-5881bee0-145f9256.zip (ID = 0)
6:38 PM: Informational: Detected virus Troj/ByteVeri-K in file c:\documents and settings\xile.csiro-wang\application data\sun\java\deployment\cache\javapi\v1.0\jar\arc.zip-5881bee0-145f9256.zip object Worker.class
6:38 PM: Informational: Detected virus Troj/ByteVeri-K in file c:\documents and settings\xile.csiro-wang\application data\sun\java\deployment\cache\javapi\v1.0\jar\arc.zip-5881bee0-145f9256.zip object Beyond.class
6:38 PM: arc.zip-5881bee0-145f9256.zip (ID = 0)
6:38 PM: Informational: Detected virus Troj/Femad-B in file c:\documents and settings\xile.csiro-wang\application data\sun\java\deployment\cache\javapi\v1.0\jar\arc.zip-5881bee0-145f9256.zip object Counter.class
6:38 PM: Informational: Detected virus Troj/Femad-B in file c:\documents and settings\xile.csiro-wang\application data\sun\java\deployment\cache\javapi\v1.0\jar\arc.zip-5881bee0-145f9256.zip object VerifierBug.class
6:36 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\smitfraudctoolbar2.zip]
6:36 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\yazzlesudoku.zip]
6:36 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\virtumonde4.zip]
6:36 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\virtumonde3.zip]
6:36 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\virtumonde2.zip]
6:36 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\abetterinternet1.zip]
6:36 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\mywaymybar.zip]
6:35 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\mywaymybar2.zip]
6:35 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\smitfraudctoolbar3.zip]
6:35 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\mywaymybar1.zip]
6:35 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\commondialogs.zip]
6:35 PM: Warning: AntiVirus engine for IFO returned [File Corrupted] on [c:\documents and settings\xiaoming\local settings\temporary internet files\content.ie5\w5ergtqz\hdplugin_1015_bundle33v0d12[1].cab]
6:35 PM: Warning: TCompressedFile.GetStreams(2): Stream read error
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\virtumonde.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\smitfraudc1.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\smitfraudc.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\microsoftwindowsiefirewallbypass1.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\microsoftwindowsiefirewallbypass.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\solutionssearchassistant1.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\solutionssearchassistant.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\virtumonde1.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\smitfraudctoolbar1.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Corrupted] on [c:\documents and settings\xile\local settings\temporary internet files\content.ie5\w632up6w\swflash[2].cab]
6:32 PM: Warning: TCompressedFile.GetStreams(2): Stream read error
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\abetterinternet.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\sexlist1.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\smitfraudctoolbar.zip]
6:32 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\all users.windows\application data\spybot - search & destroy\recovery\dyfuca3.zip]
6:32 PM: runtime2.sys (ID = 0)
6:32 PM: Found System Monitor: potentially rootkit-masked files
6:32 PM: twaintec.inf (ID = 81889)
6:32 PM: twaintec.inf (ID = 489675)
6:32 PM: twaintec.inf (ID = 489675)
6:32 PM: Found Adware: twain-tech
6:32 PM: polall1r.inf (ID = 83425)
6:32 PM: btgrab.inf (ID = 83223)
6:32 PM: polall1r.inf (ID = 83425)
6:27 PM: satmat.inf (ID = 488322)
6:27 PM: satmat.ini (ID = 83499)
6:23 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\xile.csiro-wang\ntuser.dat]
6:20 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\adobe\acrobat 6.0\reader\messages\enu\rdrmsgenu.pdf]
6:16 PM: bulldownload.exe (ID = 52017)
6:03 PM: ip6fw.sys (ID = 0)
6:03 PM: Found Troj/Agent-FVT: Troj/Agent-FVT
6:01 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\documents and settings\xile.csiro-wang\application data\adobe\acrobat\7.0\messages\enu\read0600win_enuadbe0700.pdf]
5:53 PM: Warning: AntiVirus engine for IFO returned [File Corrupted] on [c:\documents and settings\xile\local settings\temporary internet files\content.ie5\w632up6w\halotrialsetup[1].exe]
5:39 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
5:23 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\software.log]
5:12 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\matlab7\toolbox\rtw\targets\mpc555dk\drivers\src\libsrc\extensions\cmf_flash\general_market_cmf_driver_v3.0.3\mpc555\object_library_driver\demo\output\demo.elf.sqz]
5:06 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\lavasoft\ad-aware se personal\skins\ad-aware se default.ask]
5:02 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\security.log]
5:00 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\default.log]
4:59 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\messages\rdrmsgsplash.pdf]
4:52 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\system]
4:50 PM: winsys64.exe.vir.0 (ID = 560084)
4:50 PM: winsys64.exe.vir (ID = 560084)
4:50 PM: Found Trojan Horse: trojan-zero
4:49 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\security]
4:49 PM: Error: Failed to create file mapping for file c:\windows\system32\drivers\runtime2.sys, 193.
%1 is not a valid Win32 application
4:48 PM: Warning: Failed to read file "c:\windows\system32\drivers\runtime2.sys". System Error. Code: 193.
4:47 PM: Warning: AntiVirus engine for IFO returned [Error Code DFFBFDF0] on [c:\windows\system32\config\default]
4:44 PM: 7647bb35-5db52903 (ID = 0)
4:44 PM: Found Troj/Krepper-G: Troj/Krepper-G
4:44 PM: 7647bb35-5db52903 (ID = 0)
4:44 PM: 7647bb35-5db52903 (ID = 0)
4:44 PM: Found Troj/ByteVeri-K: Troj/ByteVeri-K
4:44 PM: 7647bb35-5db52903 (ID = 0)
4:44 PM: 7647bb35-5db52903 (ID = 0)
4:44 PM: Found Troj/Femad-B: Troj/Femad-B
4:39 PM: syiyioly.exe.vir (ID = 0)
4:39 PM: Found Troj/Agent-FXL: Troj/Agent-FXL
4:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\software]
4:37 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\messages\enu\rdrmsgenu.pdf]
4:37 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\websearch\websearchenu.pdf]
4:33 PM: syswin.exe.vir.18 (ID = 0)
4:33 PM: syswin.exe.vir.17 (ID = 0)
4:33 PM: syswin.exe.vir.16 (ID = 0)
4:33 PM: syswin.exe.vir.15 (ID = 0)
4:33 PM: syswin.exe.vir.14 (ID = 0)
4:32 PM: syswin.exe.vir.13 (ID = 0)
4:32 PM: syswin.exe.vir.4 (ID = 0)
4:32 PM: syswin.exe.vir.11 (ID = 0)
4:32 PM: syswin.exe.vir.3 (ID = 0)
4:32 PM: syswin.exe.vir.2 (ID = 0)
4:32 PM: syswin.exe.vir.1 (ID = 0)
4:32 PM: syswin.exe.vir.0 (ID = 0)
4:32 PM: syswin.exe.vir.10 (ID = 0)
4:32 PM: syswin.exe.vir.9 (ID = 0)
4:31 PM: syswin.exe.vir.8 (ID = 0)
4:31 PM: syswin.exe.vir.7 (ID = 0)
4:31 PM: syswin.exe.vir.6 (ID = 0)
4:31 PM: syswin.exe.vir.5 (ID = 0)
4:31 PM: syswin.exe.vir (ID = 0)
4:31 PM: syswin.exe.vir.12 (ID = 0)
4:31 PM: Found Troj/DwnLdr-GWB: Troj/DwnLdr-GWB
4:30 PM: __unin__.exe (ID = 49795)
4:30 PM: Found Adware: altnet
4:28 PM: Warning: AntiVirus engine for IFO returned [File Encrypted] on [c:\program files\adobe\acrobat 7.0\reader\messages\enu\read0600win_enuyhoo0010.pdf]
4:28 PM: istbar.dll (ID = 64606)
4:28 PM: Found Adware: ist istbar
4:25 PM: bullguard (1 subtraces) (ID = 2147490887)
4:25 PM: Found Adware: bullguard popup ad
4:22 PM: Starting File Sweep
4:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
4:22 PM: xiaoming@www.web-stat[2].txt (ID = 3649)
4:22 PM: Found Spy Cookie: web-stat cookie
4:22 PM: xiaoming@www.upspiral[1].txt (ID = 3615)
4:22 PM: xiaoming@upspiral[1].txt (ID = 3614)
4:22 PM: Found Spy Cookie: upspiral cookie
4:22 PM: xiaoming@gamespy[1].txt (ID = 2719)
4:22 PM: Found Spy Cookie: gamespy cookie
4:22 PM: xiaoming@dist.belnk[2].txt (ID = 2293)
4:22 PM: xiaoming@data4.perf.overture[2].txt (ID = 3106)
4:22 PM: xiaoming@data3.perf.overture[2].txt (ID = 3106)
4:22 PM: Found Spy Cookie: overture cookie
4:22 PM: xiaoming@chinesefood.about[1].txt (ID = 2038)
4:22 PM: xiaoming@chineseculture.about[2].txt (ID = 2038)
4:22 PM: Found Spy Cookie: about cookie
4:22 PM: xiaoming@c.goclick[2].txt (ID = 2733)
4:22 PM: Found Spy Cookie: goclick cookie
4:22 PM: xiaoming@belnk[1].txt (ID = 2292)
4:22 PM: Found Spy Cookie: belnk cookie
4:22 PM: xiaoming@atwola[1].txt (ID = 2255)
4:22 PM: xiaoming@66.246.209[2].txt (ID = 1997)
4:22 PM: Found Spy Cookie: 66.246.209 cookie
4:22 PM: bing@www.toprebates[2].txt (ID = 3562)
4:22 PM: Found Spy Cookie: toprebates.com cookie
4:22 PM: bing@offeroptimizer[1].txt (ID = 3087)
4:22 PM: Found Spy Cookie: offeroptimizer cookie
4:22 PM: bing@cliks[1].txt (ID = 2414)
4:22 PM: Found Spy Cookie: cliks cookie
4:22 PM: bing@cassava[1].txt (ID = 2362)
4:22 PM: Found Spy Cookie: cassava cookie
4:22 PM: bing@c.enhance[1].txt (ID = 2614)
4:22 PM: Found Spy Cookie: enhance cookie
4:22 PM: bing@btg.btgrab[1].txt (ID = 2333)
4:22 PM: Found Spy Cookie: btgrab cookie
4:22 PM: bing@a[2].txt (ID = 2027)
4:22 PM: Found Spy Cookie: a cookie
4:22 PM: bing@atwola[2].txt (ID = 2255)
4:22 PM: Found Spy Cookie: atwola cookie
4:22 PM: bing@abetterinternet[1].txt (ID = 2035)
4:22 PM: Found Spy Cookie: abetterinternet cookie
4:22 PM: bing@888[2].txt (ID = 2019)
4:22 PM: bing@888[1].txt (ID = 2019)
4:22 PM: Found Spy Cookie: 888 cookie
4:22 PM: xile@www.burstnet[2].txt (ID = 2337)
4:22 PM: xile@tribalfusion[2].txt (ID = 3589)
4:22 PM: Found Spy Cookie: tribalfusion cookie
4:22 PM: xile@tacoda[1].txt (ID = 6444)
4:22 PM: Found Spy Cookie: tacoda cookie
4:22 PM: xile@statse.webtrendslive[1].txt (ID = 3667)
4:22 PM: Found Spy Cookie: webtrendslive cookie
4:22 PM: xile@stats1.reliablestats[1].txt (ID = 3254)
4:22 PM: Found Spy Cookie: reliablestats cookie
4:22 PM: xile@partypoker[2].txt (ID = 3111)
4:22 PM: Found Spy Cookie: partypoker cookie
4:22 PM: xile@mediaplex[1].txt (ID = 6442)
4:22 PM: Found Spy Cookie: mediaplex cookie
4:22 PM: xile@imrworldwide[2].txt (ID = 2845)
4:22 PM: Found Spy Cookie: redsheriff cookies
4:22 PM: xile@burstnet[1].txt (ID = 2336)
4:22 PM: Found Spy Cookie: burstnet cookie
4:22 PM: xile@atdmt[2].txt (ID = 2253)
4:22 PM: Found Spy Cookie: atlas dmt cookie
4:22 PM: xile@adserving.cpxinteractive[2].txt (ID = 8939)
4:22 PM: Found Spy Cookie: cpxinteractive cookie
4:22 PM: xile@ad.yieldmanager[1].txt (ID = 3751)
4:22 PM: Found Spy Cookie: yieldmanager cookie
4:22 PM: Starting Cookie Sweep
4:22 PM: Registry Sweep Complete, Elapsed Time:00:00:48
4:22 PM: HKU\WRSS_Profile_S-1-5-21-1085031214-1284227242-682003330-1003\software\microsoft\windows\currentversion\ext\stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}\ (ID = 1922744)
4:22 PM: HKU\WRSS_Profile_S-1-5-21-1085031214-1284227242-682003330-1004\software\btgrab\ (ID = 145850)
4:22 PM: Found Adware: directrevenue-abetterinternet
4:21 PM: HKU\S-1-5-21-1085031214-1284227242-682003330-1005\software\microsoft\windows\currentversion\ext\stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}\ (ID = 1922744)
4:21 PM: Found Adware: coolwebsearch (cws)
4:21 PM: HKU\S-1-5-21-1085031214-1284227242-682003330-1005\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
4:21 PM: HKU\S-1-5-21-1085031214-1284227242-682003330-1005\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
4:21 PM: Found Adware: cws-aboutblank
4:21 PM: HKLM\software\microsoft\aoprndtws\ (ID = 2128500)
4:21 PM: Found Adware: virtumonde
4:21 PM: HKLM\software\microsoft\windows\currentversion\uninstall\outerinfo\ (ID = 2063030)
4:21 PM: Found Adware: purityscan
4:21 PM: HKLM\system\controlset003\services\ntio256\ (ID = 1702356)
4:21 PM: HKLM\system\currentcontrolset\enum\root\legacy_ntio256\ (ID = 1701678)
4:21 PM: HKLM\system\controlset001\services\ntio256\ (ID = 1701572)
4:21 PM: HKLM\system\currentcontrolset\services\ntio256\ (ID = 1697742)
4:21 PM: HKLM\system\controlset001\enum\root\legacy_ntio256\ (ID = 1685324)
4:21 PM: HKLM\software\perfectnav\ (ID = 129516)
4:21 PM: Found Adware: keenvalue/perfectnav
4:21 PM: Starting Registry Sweep
4:21 PM: Memory Sweep Complete, Elapsed Time: 00:01:23
4:19 PM: Starting Memory Sweep
4:19 PM: HKLM\system\currentcontrolset\services\ntio256\ || imagepath (ID = 1702505)
4:19 PM: Found Trojan Horse: trojan-foop
4:19 PM: Sweep initiated using definitions version 941
4:19 PM: Spy Sweeper 5.5.1.3356 started
4:19 PM: | Start of Session, Wednesday, 4 July 2007 |
***************
4:18 PM: Program Version 5.5.1.3356 Using Spyware Definitions 941
4:18 PM: Informational: Loaded AntiVirus Engine: 2.46.2; SDK Version: 4.18; Virus Definitions: 7/2/2007 4:40:36 PM (GMT)
4:17 PM: Spy Sweeper 5.5.1.3356 started
4:17 PM: | Start of Session, Wednesday, 4 July 2007 |
***************

----------------------------------------------------------------------------------------------------------------------------------------------

"Xile" - 2007-07-04 22:18:47 - ComboFix 07-07-04.4 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\mgrs.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\system32\7_exception.nls
C:\WINDOWS\system32\xpdx.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\DomainService
-------\runtime
-------\runtime2
-------\xpdx


((((((((((((((((((((((((( Files Created from 2007-06-04 to 2007-07-04 )))))))))))))))))))))))))))))))


2007-07-04 22:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-04 16:14 <DIR> d-------- C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\Webroot
2007-07-02 12:50 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-02 12:50 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-07-02 12:50 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-07-02 12:50 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-07-02 12:50 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
2007-07-02 12:50 <DIR> d-------- C:\Program Files\Webroot
2007-07-02 12:50 <DIR> d-------- C:\DOCUME~1\XILE~1.CSI\APPLIC~1\Webroot
2007-07-02 12:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot
2007-07-02 12:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Webroot
2007-07-01 22:51 <DIR> d-------- C:\WINDOWS\pss
2007-07-01 19:47 <DIR> d-------- C:\VundoFix Backups
2007-07-01 19:43 <DIR> d-------- C:\Program Files\VundoFix
2007-06-30 21:23 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-30 00:35 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-30 00:33 <DIR> d-------- C:\DOCUME~1\XILE~1.CSI\.housecall6.6
2007-06-27 23:38 4,672 --a------ C:\WINDOWS\system32\bwxmthcp.exe
2007-06-26 21:34 <DIR> d-------- C:\DOCUME~1\XILE~1.CSI\APPLIC~1\True Sword
2007-06-26 19:18 <DIR> d-------- C:\DOCUME~1\XILE~1.CSI\APPLIC~1\Uniblue
2007-06-25 23:29 <DIR> d-------- C:\DOCUME~1\XILE~1.CSI\APPLIC~1\GetRightToGo
2007-06-25 23:08 33,536 --a------ C:\WINDOWS\system32\drivers\runtime2.sys
2007-06-25 23:05 <DIR> d-------- C:\quarantine
2007-06-14 09:55 <DIR> d-------- C:\Program Files\Rewind


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 02:22:37 -------- d-----w C:\Program Files\Steam
2007-06-14 06:17:43 -------- d-----w C:\DOCUME~1\XILE~1.CSI\APPLIC~1\Xfire
2007-06-14 06:16:30 -------- d-s---w C:\Program Files\Xfire
2007-05-28 11:01:26 -------- d-----w C:\Program Files\HP
2007-05-26 06:57:34 -------- d-----w C:\DOCUME~1\XILE~1.CSI\APPLIC~1\Nokia Multimedia Player
2007-05-26 06:36:38 -------- d-----w C:\Program Files\LG Electronics
2007-05-26 06:34:42 -------- d-----w C:\DOCUME~1\XILE~1.CSI\APPLIC~1\LG Electronics
2007-05-26 06:34:23 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 06:34:23 -------- d-----w C:\Program Files\LG PC Suite
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 14:09:14 -------- d-----w C:\Program Files\Windows Live Safety Center
2007-05-06 07:41:49 33,856 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-05-05 03:46:12 -------- d-----w C:\DOCUME~1\XILE~1.CSI\APPLIC~1\AdobeUM
2007-05-05 01:19:21 33,856 -c--a-w C:\DOCUME~1\XILE~1.CSI\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-05 04:11:07 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 09:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 20:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2007-02-08 15:04 158272 --a------ D:\Xile\Xile Wang\BitComet\tools\BitCometBHO_1.1.2.7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2004-05-12 00:03 744960 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 14:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 22:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-27 23:35 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 15:24]
"CARPService"="carpserv.exe" [2001-12-23 21:02 C:\WINDOWS\system32\carpserv.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 14:41]
"POINTER"="point32.exe" []
"Desktop Service Centre"="C:\Program Files\OptusNet DSL Internet\DSC.exe" [2004-09-06 12:50]
"SoundMan"="SOUNDMAN.EXE" [2003-03-27 18:34 C:\WINDOWS\SOUNDMAN.EXE]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2003-09-29 06:10]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 02:11]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-10-08 11:31]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-10-08 11:24]
"MaxtorOneTouch"="C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" [2003-05-21 14:30]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-22 22:25 C:\WINDOWS\KHALMNPR.Exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 11:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-05 14:43]
"Steam"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 23:35]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"Double Desktop Switcher"="H:\Stuff\Double Desktop Switcher\DoubleDesktop.exe" []
"Taskbar Hide"="C:\Program Files\Taskbar Hide\TaskBar.exe" []
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{657bcf61-1585-11dc-92a9-000d610279e6}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- Recycled\ctfmon.exe


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 22:46:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04 22:49:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-04 22:49

--- E O F ---


ComboFix quarantined files (included this just in case):


2007-06-25 23:05	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\7_exception.nls.vir
2007-06-25 23:05	  61092	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\xpdx.sys.vir
2007-06-25 23:06	  11776	--a------	C:\Qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir
2007-06-25 23:18	  36855	--a------	C:\Qoobox\Quarantine\C\WINDOWS\retadpu1000272.exe.vir
2007-07-04 22:27	  1148	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf
2007-07-04 22:27	  1214	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME2.reg.cf
2007-07-04 22:27	  2614	--a------	C:\Qoobox\Quarantine\Registry_backups\services_xpdx.reg.cf
2007-07-04 22:27	  2956	--a------	C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-07-04 22:27	  750	--a------	C:\Qoobox\Quarantine\Registry_backups\services_runtime.reg.cf
2007-07-04 22:27	  846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
2007-07-04 22:27	  872	--a------	C:\Qoobox\Quarantine\Registry_backups\services_runtime2.reg.cf
2007-07-04 22:30	  294	--a------	C:\Qoobox\Quarantine\catchme.log
2007-07-04 22:30	  59701	--a------	C:\Qoobox\Quarantine\catchme2007-07-04_224638.81.zip


Folder PATH listing
Volume serial number is 4073-3AE8
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-07-04_224638.81.zip
	|   
	+---C
	|   \---WINDOWS
	|	   |   mgrs.exe.vir
	|	   |   retadpu1000272.exe.vir
	|	   |   
	|	   \---system32
	|			   7_exception.nls.vir
	|			   xpdx.sys.vir
	|			   
	\---Registry_backups
			LEGACY_DOMAINSERVICE.reg.cf
			LEGACY_RUNTIME.reg.cf
			LEGACY_RUNTIME2.reg.cf
			services_DomainService.reg.cf
			services_runtime.reg.cf
			services_runtime2.reg.cf
			services_xpdx.reg.cf

----------------------------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:33:08 AM, on 05/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Xile\Xile Wang\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Desktop Service Centre] "C:\Program Files\OptusNet DSL Internet\DSC.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Double Desktop Switcher] H:\Stuff\Double Desktop Switcher\DoubleDesktop.exe
O4 - HKCU\..\Run: [Taskbar Hide] C:\Program Files\Taskbar Hide\TaskBar.exe -Start
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LG SyncManager.lnk = C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Xile\Xile Wang\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CarbonPoker - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Xile\Xile Wang\Downloads\Online Poker 2\CarbonPoker\Poker.exe (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherA...iomanagerwt.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - C:\SUPERVOC\PROGRAM\PICPMON.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


One more thing, on the last post, I asked about the j2re1.4.2_04 folder. Should I delete it or not? Anyway, thanks for your advice so far, I really appreciate it!
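As an added example, not part of this thread and not HijackThis's own tooling: a small Python triage helper that parses the O4, O9 and O23 entry shapes used in the log above and groups the entries a responder would look at first. The sample lines are copied from the log above; the flag names and the "bare image" heuristic (a Run entry that names an executable with no directory) are my own assumptions, not HijackThis verdicts.

```python
import re
# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# Generic entry shape: "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# O4 Run-key entries (Startup-folder O4 lines use "x.lnk = path" and are not flagged).
O4_RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: "Service: <display name> - <owner> - <image path>".
O23_RE = re.compile(r"^Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def command_image(cmd):
    """Return the executable part of a Run-key command line (quoted or bare)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def parse_entry(line):
    """Parse one log line; returns a dict with triage flags, or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    entry = {"type": etype, "body": body, "flags": []}
    if "(file missing)" in body:          # dangling hook: the referenced file is gone
        entry["flags"].append("file-missing")
    if etype == "O4":
        m4 = O4_RUN_RE.match(body)
        if m4:
            image = command_image(m4.group("cmd"))
            entry["name"], entry["image"] = m4.group("name"), image
            if "\\" not in image:         # no directory given: resolved via the search path
                entry["flags"].append("bare-image")
    elif etype == "O23":
        m23 = O23_RE.match(body)
        if m23:
            entry.update(service=m23.group("svc"), owner=m23.group("owner"), path=m23.group("path"))
            if m23.group("owner") == "Unknown owner":   # no publisher recorded for the service
                entry["flags"].append("unknown-owner")
    return entry

def triage(log_text):
    """Group flagged entries by flag name; entries with no flags are dropped."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        for flag in (entry["flags"] if entry else []):
            report.setdefault(flag, []).append(entry)
    return report

if __name__ == "__main__":
    for flag, entries in triage(SAMPLE_LOG).items():
        print(flag, [e["body"] for e in entries])
```

Flagged entries are a starting list for checking against the vendor's installer or a clean reference machine, not a verdict; most of the bare-image entries in this log belong to legitimate driver and peripheral software.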

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 July 2007 - 12:14 PM

Hello,

I'm so sorry I didn't answer your question before. Yes, you can delete that folder. It should be empty after the uninstall anyway. :flowers:

SpySweeper and ComboFix did away with a load of garbage! Great job! :thumbsup: Let's tidy up now:

Please delete ComboFix and its accompanying folder C:\Qoobox

SpySweeper is just a trial, so it's up to you whether you want to keep it for now or not. If not, uninstall it via Add/Remove Programs.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

I think you'll like this little cleaner, so keep it if you'd like to use it in your general maintenance.

One last check.....how is it running? Problems still gone?

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#9 xilew

xilew
  • Topic Starter

  • Members
  • 7 posts

Posted 05 July 2007 - 09:31 PM

Hi, I've been using my computer the last 2 days and it seems to be back to its original condition again, if not better :thumbsup:. I'm so happy I didn't have to reformat. THANK YOU SO MUCH FOR HELPING!!! I truly respect people like you who give up some time to help other people with their bleeping computers.

One last thing, do you recommend any programs or products (free or not free, not too expensive) that will keep my computer safe from future infection and that will clean infections out of my computer, like for general maintenance? (like the ATF cleaning tool you mentioned)

Anyway, thanks for all your help again,
Xile

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 July 2007 - 12:15 PM

Hello,

That's excellent! :thumbsup: You're most welcome for the help, and I thank you for all the time you took describing what was going on to me. It helped so much.

Yes, keep ATF Cleaner. It's SO easy to use, isn't it? I use it on mine all the time. I have a standard speech I post to users for free protection programs, and I'll leave it fully intact, even though you might employ one or more of them already.

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

You should definitely maintain a firewall. Some good free firewalls are Kerio, ZoneAlarm, or Outpost.
A tutorial on understanding and using firewalls may be found here.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

IE/Spyad:
It places over 5000 malicious websites and domains in your IE's restricted zone.
IE/Spyad

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Take care!
tea

#11 xilew

xilew
  • Topic Starter

  • Members
  • 7 posts

Posted 08 July 2007 - 09:35 AM

Hi, I have installed some of the programs you recommended and they seem to be handy little applications. There was a problem with Spyware Guard though. After installing Spyware Guard, my explorer.exe kept crashing. I Googled the error and it seemed that some other people also had the problem due to the installation of Spyware Guard. So in the end I just uninstalled it and things were back to normal.

Anyway, thank you very much for the advice, it helped me a lot. Thanks again for helping me, and good luck helping other people with their bleeping computers.

Regards,
Xile

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 July 2007 - 10:10 AM

You're most welcome. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



