I need help removing Trojans and adware.

[dracmik1]

My husband got me a slightly used computer for christmas. After awhile I noticed behavor that sugested maybe spybots or adware.I tried cleaning my pc, but the files I thought I removed keep returning. I believe I have a few download trojans and maybe a virus. My desktop keeps freezing, so does the internet browser. Can some one please help me ? I have included a HJT log and a KAV online log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:19 PM, on 1/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3683 bytes
-------------------------------------------------------------------------------



KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 29, 2008 12:12:33 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/01/2008
Kaspersky Anti-Virus database records: 535247
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 36223
Number of viruses found: 19
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 00:23:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008012820080129\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP73\A0017803.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017845.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017858.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017859.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017863.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017881.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017883.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebh skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017886.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017886.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017887.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP77\A0021116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP80\A0027242.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP81\A0029345.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP81\A0029346.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP83\A0033459.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP83\A0033465.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP83\A0033466.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035801.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035812.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035812.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035812.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035846.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035849.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035853.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035861.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035868.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035869.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035870.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035871.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035872.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035873.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035874.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035875.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035876.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035877.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035877.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\fastfatt.sys Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

I don't have alot of computer skills, but this looks like a long job to fix and I want to give my thanks for the people who give their time to help others. You guys and gals are angels. :angel:

 

[Shaba]

Hi dracmik1

Rename HijackThis.exe to dracmik1.exe and post back a fresh HijackThis log, please

 

[dracmik1]

I hope i didn't make it worse .

Hi Shaba.

I kind of got frustrated yesterday and tried to fix the problem myself :red:. I ran fundofix.It found 5 files, I selected to delete them.Then it prompted to restart computer, I let it.On restart a message box poped up,

RUNDLL
Error loading C:\WINDOWS\System32\lgcywuph.dll
The specified module could not be found.

My bad if this made the problem worse. I should have calmed down and tried to wait.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:28 PM, on 1/30/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [c0b833fc] rundll32.exe "C:\WINDOWS\System32\vjpevnmk.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web

Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web

Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start

Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) -

http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) -

http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) -

http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) -

http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) -

http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus

7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 3763 bytes

 

[Shaba]

Hi

The formatting of your post is messed up. This is caused by having Word Wrap checked.
1. Click Start > All Programs > Accessories > Notepad
2. On the menu bar in Notepad select Format and click on WordWrap so it appears unchecked.

Rename HijackThis.exe to dracmik1.exe by doing the following;

• Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
• Right-click on the HijackThis.exe
• Choose from the pull-down menu; "Rename"
• And now Rename dracmik1.exe to Scanner.exe
• When you've renamed HijackThis, open HijackThis again.
• Take a fresh HijackThis log (click Do a system scan and save a log file)
• Post the fresh HijackThis log here.

 

[dracmik1]

Hi.

Here's the new scan log, hope I got it right this time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:51 AM, on 1/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {a11465fc-dc49-9bb8-38d4-17a573520d31} - {13d02537-5a71-4d83-8bb9-94cdcf56411a} - C:\WINDOWS\System32\oxmcfiyr.dll
O2 - BHO: (no name) - {202CD513-CF79-4A8E-B071-DD115B820218} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CB175877-76A0-482C-82E3-478FB36F6140} - C:\WINDOWS\System32\awvvt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [c0b833fc] rundll32.exe "C:\WINDOWS\System32\vjpevnmk.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O20 - Winlogon Notify: fccbaww - fccbaww.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5906 bytes

What ever has my pc is really messing with it. Myweb browser is being hihgjacked.I'm getting all kinds of pop ups. It also freezes and doesn't respond when opened. Some thing is turning all my virus protectors off even spybot S&D.
Thank you for helping me. This problem is driving me nuts.

 

[Shaba]

Hi

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

 

[dracmik1]

Ok here are the 2 new logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:32 AM, on 1/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C3DF0B6D-D3E3-4901-84C3-7B60E86C0D47} - C:\WINDOWS\System32\awvvt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O20 - Winlogon Notify: fccbaww - fccbaww.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5475 bytes

 

[dracmik1]

Wouldn't let me post both logs in one post, so here is the combofix log.

ComboFix 08-01-31.5 - Owner 2008-01-31 10:08:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.766 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\SKS~1
C:\Program Files\Common Files\ystem3~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\sembly~1
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\drivers\core.cache(10).dsk
C:\WINDOWS\system32\drivers\core.cache(11).dsk
C:\WINDOWS\system32\drivers\core.cache(12).dsk
C:\WINDOWS\system32\drivers\core.cache(13).dsk
C:\WINDOWS\system32\drivers\core.cache(14).dsk
C:\WINDOWS\system32\drivers\core.cache(15).dsk
C:\WINDOWS\system32\drivers\core.cache(16).dsk
C:\WINDOWS\system32\drivers\core.cache(17).dsk
C:\WINDOWS\system32\drivers\core.cache(18).dsk
C:\WINDOWS\system32\drivers\core.cache(19).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(20).dsk
C:\WINDOWS\system32\drivers\core.cache(21).dsk
C:\WINDOWS\system32\drivers\core.cache(22).dsk
C:\WINDOWS\system32\drivers\core.cache(23).dsk
C:\WINDOWS\system32\drivers\core.cache(24).dsk
C:\WINDOWS\system32\drivers\core.cache(25).dsk
C:\WINDOWS\system32\drivers\core.cache(26).dsk
C:\WINDOWS\system32\drivers\core.cache(27).dsk
C:\WINDOWS\system32\drivers\core.cache(28).dsk
C:\WINDOWS\system32\drivers\core.cache(29).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(30).dsk
C:\WINDOWS\system32\drivers\core.cache(31).dsk
C:\WINDOWS\system32\drivers\core.cache(32).dsk
C:\WINDOWS\system32\drivers\core.cache(33).dsk
C:\WINDOWS\system32\drivers\core.cache(34).dsk
C:\WINDOWS\system32\drivers\core.cache(35).dsk
C:\WINDOWS\system32\drivers\core.cache(36).dsk
C:\WINDOWS\system32\drivers\core.cache(37).dsk
C:\WINDOWS\system32\drivers\core.cache(38).dsk
C:\WINDOWS\system32\drivers\core.cache(39).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(40).dsk
C:\WINDOWS\system32\drivers\core.cache(41).dsk
C:\WINDOWS\system32\drivers\core.cache(42).dsk
C:\WINDOWS\system32\drivers\core.cache(43).dsk
C:\WINDOWS\system32\drivers\core.cache(44).dsk
C:\WINDOWS\system32\drivers\core.cache(45).dsk
C:\WINDOWS\system32\drivers\core.cache(46).dsk
C:\WINDOWS\system32\drivers\core.cache(47).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(8).dsk
C:\WINDOWS\system32\drivers\core.cache(9).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\kmnvepjv.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\oxmcfiyr.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2
C:\WINDOWS\system32\vjpevnmk.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 10:13 . 2008-01-31 10:13 <DIR> d-------- C:\Temp\tn3
2008-01-30 19:51 . 2008-01-30 19:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ieSpell
2008-01-30 19:50 . 2008-01-30 19:50 <DIR> d-------- C:\Program Files\ieSpell
2008-01-29 17:12 . 2008-01-29 21:12 <DIR> d-------- C:\VundoFix Backups
2008-01-28 21:59 . 2008-01-28 21:59 91,492 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-28 21:59 . 2008-01-28 21:59 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-28 21:58 . 2008-01-28 21:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-28 21:58 . 2008-01-31 10:13 1,514,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-28 21:58 . 2008-01-31 10:13 169,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-28 21:58 . 2008-01-31 10:11 21,332 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-28 21:58 . 2008-01-31 10:11 16,892 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-28 21:55 . 2008-01-28 21:55 <DIR> d-------- C:\kav
2008-01-28 21:14 . 2008-01-28 21:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 17:33 . 2008-01-28 17:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-28 17:33 . 2008-01-30 17:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-28 11:50 . 2008-01-28 12:44 886 ---hs---- C:\WINDOWS\system32\hkaionfr.ini
2008-01-27 11:46 . 2008-01-28 11:41 826 ---hs---- C:\WINDOWS\system32\anhcaxha.ini
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ErrorSmart
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\5400 Series
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\5400 Series
2008-01-23 14:36 . 2008-01-26 08:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 14:36 . 2008-01-23 14:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 14:05 . 2008-01-27 11:42 <DIR> d-------- C:\Program Files\DivX
2008-01-23 12:51 . 2008-01-23 12:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-18 20:07 . 2008-01-31 00:39 797 --a------ C:\WINDOWS\wininit.ini
2008-01-17 03:08 . 2008-01-17 03:08 <DIR> d-------- C:\WINDOWS\system32\re9
2008-01-17 03:08 . 2008-01-28 23:26 <DIR> d-------- C:\WINDOWS\system32\kt8
2008-01-17 03:08 . 2008-01-17 22:43 <DIR> d-------- C:\WINDOWS\system32\gz4
2008-01-17 03:08 . 2008-01-28 23:26 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-17 03:08 . 2008-01-28 23:26 <DIR> d-------- C:\WINDOWS\system32\dp2
2008-01-17 03:08 . 2008-01-17 03:08 <DIR> d-------- C:\Temp\Ryuan1
2008-01-17 03:08 . 2008-01-31 10:13 <DIR> d-------- C:\Temp
2008-01-17 03:08 . 2008-01-17 03:08 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-17 03:08 . 2008-01-17 03:08 86,016 --a------ C:\WINDOWS\system32\drivers\fastfatt.sys
2008-01-16 17:04 . 2008-01-16 17:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-01-16 17:01 . 2008-01-16 17:02 <DIR> d-------- C:\Program Files\MpcStar
2008-01-16 15:48 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-16 15:48 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-16 15:48 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-16 15:17 . 2008-01-27 12:03 <DIR> d-------- C:\Downloads
2008-01-11 17:00 . 2008-01-11 17:00 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-01-09 13:06 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-09 13:06 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-01-09 13:06 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-01-09 11:15 . 2008-01-09 11:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-07 12:56 . 2008-01-07 12:56 314,704 --a------ C:\WINDOWS\system32\awvvt.dll
2008-01-04 22:59 . 2008-01-05 11:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-04 00:48 . 2008-01-04 00:48 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2008-01-03 23:50 . 2008-01-04 00:17 <DIR> d-------- C:\Program Files\RegCleaner
2008-01-03 14:13 . 2008-01-03 14:13 <DIR> d-------- C:\Program Files\Webroot
2007-12-29 12:54 . 2007-12-29 12:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-12-28 12:10 . 2007-12-28 12:11 26 --a------ C:\WINDOWS\ms_games.ini
2007-12-27 13:35 . 2007-12-28 12:04 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-27 01:45 . 2007-12-27 17:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HP
2007-12-27 01:35 . 2007-12-27 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-27 01:32 . 2007-12-27 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-27 01:32 . 2007-03-30 09:07 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-12-27 01:32 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-12-27 01:32 . 2007-03-07 22:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-12-27 01:32 . 2007-03-07 22:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-12-27 01:31 . 2007-03-17 10:11 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll
2007-12-27 01:31 . 2007-03-17 10:11 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll
2007-12-27 01:31 . 2007-03-07 22:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2007-12-27 01:31 . 2007-03-07 22:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2007-12-27 01:31 . 2007-03-17 10:11 303,104 -ra------ C:\WINDOWS\system32\hpovst10.dll
2007-12-27 01:31 . 2007-03-07 22:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-12-27 01:29 . 2008-01-11 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HPAppData
2007-12-27 01:29 . 2007-12-27 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-12-27 01:28 . 2007-12-27 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-12-27 01:28 . 2007-12-27 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-12-27 01:27 . 2007-12-27 01:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-27 01:27 . 2007-12-27 01:27 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-27 01:27 . 2007-12-27 01:27 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-27 01:26 . 2007-12-27 01:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-27 01:24 . 2007-12-27 01:29 <DIR> d-------- C:\Program Files\HP
2007-12-27 01:23 . 2007-12-27 01:35 141,199 --a------ C:\WINDOWS\hpoins14.dat
2007-12-27 01:23 . 2007-06-05 17:07 2,000 --------- C:\WINDOWS\hpomdl14.dat
2007-12-25 16:49 . 2007-12-25 16:49 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-12-25 00:01 . 2008-01-04 22:57 <DIR> d-------- C:\Program Files\Bird Hunter - Upland
2007-12-24 23:50 . 1999-05-13 02:00 1,064,456 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2007-12-24 23:46 . 2007-12-24 23:46 <DIR> d-------- C:\~MSSETUP.T
2007-12-22 17:47 . 2007-12-22 17:47 <DIR> d-------- C:\Program Files\Prima Games
2007-12-21 21:04 . 2007-12-21 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 13:53 . 2007-12-20 13:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RegClean
2007-12-19 22:24 . 2007-05-24 16:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-12-19 22:24 . 2008-01-04 00:36 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-12-19 21:29 . 2007-12-19 22:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-19 17:51 . 2007-12-19 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-19 12:08 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2007-12-18 23:08 . 2008-01-26 00:59 <DIR> d-------- C:\Program Files\PokerStars
2007-12-18 12:05 . 2003-06-20 12:48 158,720 --a------ C:\WINDOWS\unSpySweeper.exe
2007-12-18 00:44 . 2007-12-18 00:44 219,664 --a------ C:\WINDOWS\system32\klogon.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-23 19:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 01:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-19 23:52 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 12:57 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-01 22:30 --------- d-----w C:\Program Files\lx_cats
2007-10-31 19:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3DF0B6D-D3E3-4901-84C3-7B60E86C0D47}]
2008-01-07 12:56 314704 --a------ C:\WINDOWS\System32\awvvt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 13:33 53248 C:\WINDOWS\system32\VTTimer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbaww]
fccbaww.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\System32\awvvt.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-16 18:05 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-03-01 02:22 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Nmabee"=C:\WINDOWS\system32\A?pPatch\?ttrib.exe
"Dhri"="C:\WINDOWS\SEMBLY~1\winlogon.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"c0b833fc"=rundll32.exe "C:\WINDOWS\System32\rfnoiakh.dll",b

R0 videX32;videX32;C:\WINDOWS\System32\DRIVERS\videX32.sys [2006-02-22 21:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\System32\DRIVERS\xfilt.sys [2006-02-22 21:39]
R1 fastfatt;fastfatt;C:\WINDOWS\System32\drivers\fastfatt.sys [2008-01-17 03:08]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 13:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 10:13:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.1106]
-> C:\WINDOWS\System32\awvvt.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\WINDOWS\System32\awvvt.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\VTTimer.exe
.
**************************************************************************
.
Completion time: 2008-01-31 10:14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 16:14:35

 

[Shaba]

Hi

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\drivers\fastfatt.sys
C:\WINDOWS\System32\awvvt.dll

Folder::
C:\WINDOWS\system32\re9
C:\WINDOWS\system32\kt8
C:\WINDOWS\system32\gz4
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\dp2
C:\Temp\Ryuan1

Driver::
fastfatt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3DF0B6D-D3E3-4901-84C3-7B60E86C0D47}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccbaww]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Nmabee"=-
"Dhri"="-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"c0b833fc"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[dracmik1]

New logs for you.

ComboFix 08-01-31.5 - Owner 2008-01-31 12:50:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.773 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\System32\awvvt.dll
C:\WINDOWS\system32\drivers\fastfatt.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\System32\awvvt.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\fastfatt.sys
C:\Temp\Ryuan1
C:\Temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\System32\awvvt.dll
C:\WINDOWS\system32\dp2
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\fastfatt.sys
C:\WINDOWS\system32\edcA01
C:\WINDOWS\system32\gz4
C:\WINDOWS\system32\kt8
C:\WINDOWS\system32\re9
C:\WINDOWS\system32\re9\farstadcom2.exe
C:\WINDOWS\system32\tvvwa.ini
C:\WINDOWS\system32\tvvwa.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FASTFATT
-------\fastfatt


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 19:51 . 2008-01-30 19:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ieSpell
2008-01-30 19:50 . 2008-01-30 19:50 <DIR> d-------- C:\Program Files\ieSpell
2008-01-29 17:12 . 2008-01-29 21:12 <DIR> d-------- C:\VundoFix Backups
2008-01-28 21:59 . 2008-01-31 11:45 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-28 21:59 . 2008-01-28 21:59 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-28 21:58 . 2008-01-28 21:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-28 21:58 . 2008-01-31 12:54 1,568,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-28 21:58 . 2008-01-31 12:53 173,600 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-28 21:58 . 2008-01-31 12:53 22,052 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-28 21:58 . 2008-01-31 12:53 17,300 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-28 21:55 . 2008-01-28 21:55 <DIR> d-------- C:\kav
2008-01-28 21:14 . 2008-01-28 21:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 17:33 . 2008-01-28 17:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-28 17:33 . 2008-01-31 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-28 11:50 . 2008-01-28 12:44 886 --ahs---- C:\WINDOWS\system32\hkaionfr.ini
2008-01-27 11:46 . 2008-01-28 11:41 826 --ahs---- C:\WINDOWS\system32\anhcaxha.ini
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ErrorSmart
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\5400 Series
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\5400 Series
2008-01-23 14:36 . 2008-01-26 08:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 14:36 . 2008-01-23 14:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 14:05 . 2008-01-27 11:42 <DIR> d-------- C:\Program Files\DivX
2008-01-23 12:51 . 2008-01-23 12:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-18 20:07 . 2008-01-31 00:39 797 --a------ C:\WINDOWS\wininit.ini
2008-01-17 03:08 . 2008-01-31 12:52 <DIR> d-------- C:\Temp
2008-01-16 17:04 . 2008-01-16 17:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-01-16 17:01 . 2008-01-16 17:02 <DIR> d-------- C:\Program Files\MpcStar
2008-01-16 15:48 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-16 15:48 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-16 15:48 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-16 15:17 . 2008-01-27 12:03 <DIR> d-------- C:\Downloads
2008-01-11 17:00 . 2008-01-11 17:00 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-01-09 13:06 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-09 13:06 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-01-09 13:06 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-01-09 11:15 . 2008-01-09 11:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-04 22:59 . 2008-01-05 11:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-04 00:48 . 2008-01-04 00:48 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2008-01-03 23:50 . 2008-01-04 00:17 <DIR> d-------- C:\Program Files\RegCleaner
2008-01-03 14:13 . 2008-01-03 14:13 <DIR> d-------- C:\Program Files\Webroot
2007-12-29 12:54 . 2007-12-29 12:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MySpace
2007-12-28 12:10 . 2007-12-28 12:11 26 --a------ C:\WINDOWS\ms_games.ini
2007-12-27 13:35 . 2007-12-28 12:04 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-27 01:45 . 2007-12-27 17:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HP
2007-12-27 01:35 . 2007-12-27 01:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-27 01:32 . 2007-12-27 01:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-27 01:32 . 2007-03-30 09:07 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2007-12-27 01:32 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2007-12-27 01:32 . 2007-03-07 22:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2007-12-27 01:32 . 2007-03-07 22:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-12-27 01:31 . 2007-03-17 10:11 675,840 -ra------ C:\WINDOWS\system32\hpowiax3.dll
2007-12-27 01:31 . 2007-03-17 10:11 569,344 -ra------ C:\WINDOWS\system32\hpotscl3.dll
2007-12-27 01:31 . 2007-03-07 22:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2007-12-27 01:31 . 2007-03-07 22:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2007-12-27 01:31 . 2007-03-17 10:11 303,104 -ra------ C:\WINDOWS\system32\hpovst10.dll
2007-12-27 01:31 . 2007-03-07 22:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2007-12-27 01:29 . 2008-01-11 11:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HPAppData
2007-12-27 01:29 . 2007-12-27 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-12-27 01:28 . 2007-12-27 01:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-12-27 01:28 . 2007-12-27 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2007-12-27 01:27 . 2007-12-27 01:27 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-27 01:27 . 2007-12-27 01:27 <DIR> d-------- C:\Program Files\Common Files\HP
2007-12-27 01:27 . 2007-12-27 01:27 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-27 01:26 . 2007-12-27 01:26 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-27 01:24 . 2007-12-27 01:29 <DIR> d-------- C:\Program Files\HP
2007-12-27 01:23 . 2007-12-27 01:35 141,199 --a------ C:\WINDOWS\hpoins14.dat
2007-12-27 01:23 . 2007-06-05 17:07 2,000 --------- C:\WINDOWS\hpomdl14.dat
2007-12-25 16:49 . 2007-12-25 16:49 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-12-25 00:01 . 2008-01-04 22:57 <DIR> d-------- C:\Program Files\Bird Hunter - Upland
2007-12-24 23:50 . 1999-05-13 02:00 1,064,456 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2007-12-24 23:46 . 2007-12-24 23:46 <DIR> d-------- C:\~MSSETUP.T
2007-12-22 17:47 . 2007-12-22 17:47 <DIR> d-------- C:\Program Files\Prima Games
2007-12-21 21:04 . 2007-12-21 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 13:53 . 2007-12-20 13:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RegClean
2007-12-19 22:24 . 2007-05-24 16:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-12-19 22:24 . 2008-01-04 00:36 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-12-19 21:29 . 2007-12-19 22:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-19 17:51 . 2007-12-19 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-19 12:08 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2007-12-18 23:08 . 2008-01-26 00:59 <DIR> d-------- C:\Program Files\PokerStars
2007-12-18 12:05 . 2003-06-20 12:48 158,720 --a------ C:\WINDOWS\unSpySweeper.exe
2007-12-18 00:44 . 2007-12-18 00:44 219,664 --a------ C:\WINDOWS\system32\klogon.dll
2007-12-18 00:43 . 2007-12-18 00:43 23,396 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2007-12-16 18:43 . 2002-08-29 03:41 150,528 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-16 18:43 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-12-16 18:37 . 2007-12-18 14:39 20 ---h----- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-16 18:15 . 2007-12-16 18:15 <DIR> d-------- C:\Program Files\PictureProject In Touch Downloader
2007-12-16 18:11 . 2007-12-16 18:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nikon
2007-12-16 18:11 . 2007-12-16 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nikon
2007-12-16 18:10 . 2007-12-16 18:10 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-12-16 18:10 . 2002-12-11 17:34 1,111,040 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2007-12-16 18:08 . 2007-12-16 18:08 <DIR> d-------- C:\Program Files\Nikon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-23 19:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 01:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-19 23:52 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-03 12:57 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-01 22:30 --------- d-----w C:\Program Files\lx_cats
2007-10-31 19:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 13:33 53248 C:\WINDOWS\system32\VTTimer.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-16 18:05 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-03-01 02:22 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Dhri"="C:\WINDOWS\SEMBLY~1\winlogon.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

R0 videX32;videX32;C:\WINDOWS\System32\DRIVERS\videX32.sys [2006-02-22 21:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\System32\DRIVERS\xfilt.sys [2006-02-22 21:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 13:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 12:54:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\VTTimer.exe
.
**************************************************************************
.
Completion time: 2008-01-31 12:55:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 18:55:14
ComboFix2.txt 2008-01-31 16:14:41


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:47 PM, on 1/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5211 bytes

 

[Shaba]

Hi

Have you uninstalled Kaspersky antivirus or doesn't it just start?

 

[dracmik1]

At first whatever was attacking my computer kept disabling it.Also both Webroot and Spybot S&D would keep getting disabled.For now I have it off when I'm just working on my decktop, then turn it back on when I go online .It is still new to me and I don't think I like it. I'm probably going to change to a better one.I'm also going to install Firefox for web browser and firewall.Can I do that now or should I wait till system is clean ? I don't want to install them ,and have them get corrupted.I don't know how much more we need to do to fix my problems.

 

[Shaba]

Hi

Yes, you install firefox but as for firewall, wait a bit.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\hkaionfr.ini
C:\WINDOWS\system32\anhcaxha.ini

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Dhri"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[dracmik1]

Took me awhile to connect to the internet. I had to repair my network connection. I've read in this forum that that can happen.Here's the 2 logs you requested.

ComboFix 08-01-31.5 - Owner 2008-02-02 10:54:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.771 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\anhcaxha.ini
C:\WINDOWS\system32\hkaionfr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\anhcaxha.ini
C:\WINDOWS\system32\hkaionfr.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 19:05 . 2008-02-01 19:44 <DIR> d-------- C:\Program Files\Free Easy Burner
2008-02-01 19:05 . 2006-11-18 10:38 200,704 --a------ C:\WINDOWS\system32\vbalExpBar6.ocx
2008-02-01 19:05 . 1998-07-12 21:00 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
2008-02-01 19:05 . 2000-10-01 17:00 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL
2008-02-01 19:05 . 1999-03-25 17:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-02-01 19:05 . 2003-04-18 14:29 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-02-01 19:05 . 1998-07-13 16:53 44,544 --a------ C:\WINDOWS\system32\GIF89.DLL
2008-02-01 19:05 . 2003-01-26 11:41 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2008-02-01 19:05 . 1998-07-12 17:00 32,768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL
2008-02-01 19:05 . 1998-07-12 21:00 15,360 --a------ C:\WINDOWS\system32\inetfr.DLL
2008-02-01 09:33 . 2008-02-01 09:33 32,895 --a------ C:\WINDOWS\system32\msratnit.dll
2008-02-01 09:33 . 2008-02-01 22:57 7,156 --a------ C:\WINDOWS\system32\comsatac.dll
2008-01-31 17:43 . 2008-02-01 18:36 73 --a------ C:\WINDOWS\system32\cmnocfg.xml
2008-01-31 17:42 . 2008-02-01 22:32 81,920 --a------ C:\WINDOWS\system32\mscorews.dll
2008-01-31 17:42 . 2008-01-31 17:42 77,421 --a------ C:\winionr.exe
2008-01-31 17:42 . 2008-02-01 22:32 6,869 --a------ C:\WINDOWS\system32\qviexio3.dat
2008-01-30 19:51 . 2008-01-30 19:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ieSpell
2008-01-30 19:50 . 2008-01-30 19:50 <DIR> d-------- C:\Program Files\ieSpell
2008-01-29 17:12 . 2008-01-29 21:12 <DIR> d-------- C:\VundoFix Backups
2008-01-28 21:59 . 2008-01-31 11:45 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-28 21:59 . 2008-01-28 21:59 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-28 21:58 . 2008-01-28 21:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-28 21:58 . 2008-02-02 10:55 2,290,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-28 21:58 . 2008-02-02 10:55 202,016 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-28 21:58 . 2008-02-02 10:18 31,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-28 21:58 . 2008-02-02 10:18 19,628 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-28 21:55 . 2008-01-28 21:55 <DIR> d-------- C:\kav
2008-01-28 21:14 . 2008-01-28 21:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 17:33 . 2008-01-28 17:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-28 17:33 . 2008-02-01 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Smart PC Solutions
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ErrorSmart
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\5400 Series
2008-01-27 11:41 . 2008-01-27 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\5400 Series
2008-01-23 14:36 . 2008-01-26 08:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 14:36 . 2008-01-23 14:36 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-23 14:05 . 2008-01-27 11:42 <DIR> d-------- C:\Program Files\DivX
2008-01-23 12:51 . 2008-01-23 12:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-18 20:07 . 2008-01-31 00:39 797 --a------ C:\WINDOWS\wininit.ini
2008-01-17 03:08 . 2008-01-31 12:52 <DIR> d-------- C:\Temp
2008-01-16 17:04 . 2008-01-16 17:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-01-16 17:01 . 2008-01-16 17:02 <DIR> d-------- C:\Program Files\MpcStar
2008-01-16 15:48 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-16 15:48 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-16 15:48 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-16 15:48 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-16 15:17 . 2008-01-27 12:03 <DIR> d-------- C:\Downloads
2008-01-11 17:00 . 2008-01-11 17:00 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-01-09 13:06 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-09 13:06 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-01-09 13:06 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-01-09 13:06 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-01-09 11:15 . 2008-01-09 11:15 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-04 22:59 . 2008-01-05 11:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-04 00:48 . 2008-01-04 00:48 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2008-01-03 23:50 . 2008-01-04 00:17 <DIR> d-------- C:\Program Files\RegCleaner
2008-01-03 14:13 . 2008-01-03 14:13 <DIR> d-------- C:\Program Files\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-26 06:59 --------- d-----w C:\Program Files\PokerStars
2008-01-23 19:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 17:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\HPAppData
2008-01-05 04:57 --------- d-----w C:\Program Files\Bird Hunter - Upland
2007-12-29 18:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2007-12-28 18:04 --------- d-----w C:\Program Files\Microsoft Games
2007-12-27 23:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP
2007-12-27 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-12-27 07:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-12-27 07:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-12-27 07:29 --------- d-----w C:\Program Files\HP
2007-12-27 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2007-12-27 07:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2007-12-27 07:27 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-27 07:27 --------- d-----w C:\Program Files\Common Files\HP
2007-12-27 07:27 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-12-26 01:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-25 05:46 --------- d-----w C:\Program Files\Maxis
2007-12-22 23:47 --------- d-----w C:\Program Files\Prima Games
2007-12-22 03:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-20 19:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\RegClean
2007-12-20 04:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-19 23:52 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-19 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-18 20:39 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-12-18 20:39 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
2007-12-18 06:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-18 06:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-17 18:52 --------- d-----w C:\Program Files\PopCap Games
2007-12-17 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ultima_T15
2007-12-17 00:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\EnterNHelp
2007-12-17 00:15 --------- d-----w C:\Program Files\PictureProject In Touch Downloader
2007-12-17 00:12 --------- d-----w C:\Program Files\Common Files\Nikon
2007-12-17 00:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\Nikon
2007-12-17 00:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nikon
2007-12-17 00:10 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-12-17 00:08 --------- d-----w C:\Program Files\Nikon
2007-12-17 00:05 --------- d-----w C:\Program Files\QuickTime
2007-12-16 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-15 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cabela's Big Game Hunter - Alaskan Adventure Saves
2007-12-15 04:44 --------- d-----w C:\Program Files\John Deere American Farmer
2007-12-13 19:28 24,592 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
2007-12-08 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cabela's Trophy Bucks Saves
2007-12-03 12:57 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-03 06:40 --------- d-----w C:\Program Files\Activision Value
2007-12-03 06:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\Masque
2007-12-03 03:22 --------- d-----w C:\Program Files\Common Files\DirectX
2007-12-03 02:14 --------- d-----w C:\Program Files\Sierra On-Line
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 13:33 53248 C:\WINDOWS\system32\VTTimer.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-16 18:05 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2006-03-01 02:22 577536 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

R0 videX32;videX32;C:\WINDOWS\System32\DRIVERS\videX32.sys [2006-02-22 21:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\System32\DRIVERS\xfilt.sys [2006-02-22 21:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 13:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 10:56:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 10:56:35
ComboFix-quarantined-files.txt 2008-02-02 16:56:23
ComboFix2.txt 2008-01-31 18:55:20
ComboFix3.txt 2008-01-31 16:14:41




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:03 AM, on 2/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5212 bytes

 

[Shaba]

Hi

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

 

[dracmik1]

New scan logs.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 02, 2008 12:30:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 545991
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 36061
Number of viruses found: 22
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 00:33:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00a0_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00a2_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008020220080203\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Logs\SpySweeperLog.txt Object is locked skipped
C:\QooBox\Quarantine\catchme2008-01-31_125405.23.zip/fastfatt.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-01-31_125405.23.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP73\A0017803.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017845.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017858.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017859.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP74\A0017863.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017881.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017883.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebh skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017886.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017886.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP75\A0017887.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP77\A0021116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP80\A0027242.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP81\A0029345.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP81\A0029346.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP83\A0033459.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP83\A0033465.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP83\A0033466.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035801.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035812.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035812.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035812.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035846.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gs skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP84\A0035849.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035853.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gt skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035854.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035861.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035868.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035869.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035870.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035871.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035872.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035873.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dlm skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035874.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035875.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035876.exe Infected: Trojan-Downloader.Win32.VB.caw skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035877.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP85\A0035877.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP90\A0042322.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP90\A0042322.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP90\A0042322.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP91\A0043441.exe Infected: not-a-virus:AdWare.Win32.Agent.abj skipped
C:\System Volume Information\_restore{FB4992ED-7608-4365-A0CD-D6C0D7DC5E06}\RP91\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\TEMP\cch~57232ff7e.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~5723305c0.htp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\winionr.exe Infected: not-a-virus:AdWare.Win32.Agent.abj skipped

Scan process completed.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:17 PM, on 2/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: mscorews - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\mscorews.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5598 bytes

 

[Shaba]

Hi

It looks like that you have grabbed a password stealer:

O2 - BHO: mscorews - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\mscorews.dll

Open HijackThis, click do a system scan only and checkmark this:

O2 - BHO: mscorews - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\mscorews.dll

Close all windows including browser and press fix checked.

Reboot.

Empty this folder:

C:\QooBox\Quarantine\

Delete these:

C:\WINDOWS\System32\mscorews.dll
C:\winionr.exe

Empty Recycle Bin

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

After that, post back a fresh HijackThis log and any other issues that are left.

 

[dracmik1]

I emptied the quarantined folder,ran and deleted O2 - BHO: mscorews - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\mscorews.dll. Deleted by hand C:\winionr.exe. I could not find C:\WINDOWS\System32\mscorews.dll. I even unhid everything and did a search for it. I emptied the recycle bin.Will change passwords immediately. Thankfully I don't do any banking online.

The next steps I think are to empty restore of the infected files.Do we also uninstall the programs we are using to clean my pc,after it's clean ? I will update windows and java after computers clean. Any other suggestions ?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:18 PM, on 2/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Owner\Desktop\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000unlimited.ea.com/teleport/simcity/MaxisSimCity3TeleX.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5236 bytes

Computer is running MUCH better than it was. I can use it and there are no more freezing up. Pop ups are almost gone . Firefox browser should fix that, I hope. Programs don't stop or not start any more.So thats fixed.I realy appreciate all the help you have given me. I would have been lost trying to fix it myself. Thank you .

 

[Shaba]

Hi

That looks good

Still problems?

 

[dracmik1]

Not that I can tell. I haven't given my pc a thourow test run. I'm still picking up ad-ware cookies, but I think that it's due to settings I need to change rather than malware.