
Thread: command service and smitfraud removal help

  1. #1 - Junior Member (Join Date: May 2007, Posts: 9)

    command service and smitfraud removal help

    Spybot cannot remove these 2 problems. I did the online virus scan. I could not find any kind of log file, but I copied and pasted the results.

    Scan Results: 36420 files scanned. 1 virus was detected.

    File Infection Status Path
    uq.exe Win32/Matcash.W cannot cure C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\


    Then I rebooted in safe mode, ran Spybot, and it seemed to get rid of the smitfraud problem, but I'm not sure. Then I loaded Windows regularly and ran HijackThis. Here's my logfile.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 1:13:19 AM, on 5/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\SMANTE~1\winword.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Documents and Settings\Administrator\My Documents\?ymbols\?ttrib.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\hijackthis\HiJackThis_v2.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {E2791816-D2D8-DC79-8A0B-FEADAFB072C7} - C:\WINDOWS\System32\penuf.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\SMANTE~1\winword.exe" -vt ndrv
    O4 - HKCU\..\Run: [Gqeip] "C:\Documents and Settings\Administrator\My Documents\?ymbols\?ttrib.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176993639125
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmana...oginHelper.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI\command.exe (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 6777 bytes


    Let me know what I need to do, and thank you in advance for your help.

    -wojtek

  2. #2 - Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)


    Hi yohohohowo

    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3 - Junior Member (Join Date: May 2007, Posts: 9)


    My computer's been acting very strangely in the past few days. My page file seems to max out quickly and programs stop loading unless I reboot. I've tried uninstalling a lot of programs I'm not using at all.

    Here's my new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 5:57:20 PM, on 5/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\hijackthis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176993639125
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmana...oginHelper.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 6121 bytes


    --------------------------------------------------------------

    And here is my combofix log:

    "Administrator" - 2007-05-26 17:48:50 Service Pack 1
    ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    "C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
    "C:\Program Files\Common Files\Yazzle1275OinAdmin.exe"
    "C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe"
    "C:\WINDOWS\system32\alt.exe.exe"
    "C:\WINDOWS\system32\pee.exe.exe"
    "C:\WINDOWS\retadpu72.exe"
    "C:\WINDOWS\system32\wnsapiisv32.exe"
    "C:\18756003.exe"
    "C:\WINDOWS\system32\svcp.csv"
    "C:\WINDOWS\system32\winsub.xml"
    "C:\WINDOWS\b136.exe"
    "C:\WINDOWS\system32\wsnpoem\audio.dll"
    "C:\WINDOWS\system32\wsnpoem\video.dll"
    "C:\WINDOWS\system32\rpcc.dll"
    "C:\WINDOWS\system32\ntos.exe"
    C:\WINDOWS\system32\wsnpoem
    "C:\WINDOWS\system32\wincom32.sys"
    "C:\WINDOWS\system32\windev-36af-46e9.sys"
    "C:\WINDOWS\system32\windev-peers.ini"

    Purity Folders:

    C:\WINDOWS\system32\CURITY~1
    C:\DOCUME~1\ADMINI~1\APPLIC~1\SSEMBL~1
    C:\DOCUME~1\ADMINI~1\MYDOCU~1\YMBOLS~1



    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CMDSERVICE
    -------\LEGACY_CORE
    -------\LEGACY_NETWORK_MONITOR
    -------\cmdService
    -------\windev-36af-46e9


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-26 to 2007-05-26 ))))))))))))))))))))))))))))))))))


    2007-05-26 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
    2007-05-26 11:35 <DIR> d-------- C:\WINDOWS\system32\çasks
    2007-05-26 03:15 133,654 --a------ C:\WINDOWS\system32\alt.exe
    2007-05-23 00:31 <DIR> d-------- C:\hijackthis
    2007-05-22 20:08 <DIR> d-------- C:\WINDOWS\LogFiles
    2007-05-21 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-05-21 22:34 <DIR> d-------- C:\Program Files\Lavasoft
    2007-05-21 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-21 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-05-21 00:06 <DIR> d-------- C:\Program Files\CCleaner
    2007-05-17 00:32 <DIR> d-------- C:\Program Files\Full Tilt Poker
    2007-05-14 22:14 19,520 --a------ C:\WINDOWS\system32\E3e6v6t2.exe
    2007-05-09 21:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
    2007-05-01 23:37 <DIR> d-------- C:\WINDOWS\wkwf
    2007-05-01 23:37 <DIR> d-------- C:\Program Files\Common Files\wkwf
    2007-05-01 23:22 <DIR> d--hs---- C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI
    2007-04-30 21:57 <DIR> d-------- C:\Program Files\eMusic Download Manager
    2007-04-30 01:58 <DIR> d-------- C:\Program Files\AVSMedia
    2007-04-30 01:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVSMedia
    2007-04-30 01:33 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-04-30 01:33 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
    2007-04-30 01:33 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
    2007-04-30 01:33 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
    2007-04-30 00:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
    2007-04-30 00:22 <DIR> d-------- C:\Program Files\Haali
    2007-04-30 00:22 <DIR> d-------- C:\Program Files\CoreCodec


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-26 17:12:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-26 15:19:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
    2007-05-26 07:26:49 -------- d-----w C:\Program Files\QuickTime
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliPoint
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Messenger
    2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Shrink
    2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Decrypter
    2007-05-26 07:26:32 -------- d-----w C:\Program Files\Common Files\AOL
    2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0a
    2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0
    2007-05-24 21:53:16 -------- d-----w C:\Program Files\utorrent
    2007-05-20 18:27:43 -------- d-----w C:\Program Files\Google
    2007-05-08 01:16:44 2,922 ----a-w C:\WINDOWS\mozver.dat
    2007-04-26 00:33:58 -------- d-----w C:\Program Files\McAfee.com
    2007-04-21 00:50:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
    2007-04-20 17:02:12 -------- d-----w C:\Program Files\The Rosetta Stone
    2007-04-20 13:16:00 -------- d-----w C:\Program Files\DivX
    2007-04-19 22:49:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
    2007-04-19 22:33:11 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
    2007-04-19 22:33:11 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
    2007-04-17 23:29:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
    2007-04-17 12:23:44 -------- d-----w C:\Program Files\WordBiz
    2007-04-17 03:42:54 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
    2007-04-15 22:01:03 -------- d-----w C:\Program Files\Creative
    2007-04-15 17:40:49 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2007-04-15 01:55:12 -------- d-----w C:\Program Files\Common Files\LightScribe
    2007-04-14 22:03:53 -------- d-----w C:\Program Files\Ahead
    2007-04-14 22:01:24 -------- d-----w C:\Program Files\Common Files\Nero
    2007-04-14 21:59:39 -------- d-----w C:\Program Files\Common Files\Ahead
    2007-04-10 23:25:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
    2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\PxCpyI64.exe
    2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-03-26 22:06:48 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
    2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI\nApbtZpRtrL1x35Sv21gsqK.vbs


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 22:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-30 12:43]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-21 20:02]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 12:20]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-17 08:18]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=


    Contents of the 'Scheduled Tasks' folder
    2007-05-25 04:00:30 C:\WINDOWS\tasks\At1.job
    2007-05-26 13:00:31 C:\WINDOWS\tasks\At10.job
    2007-05-26 14:00:33 C:\WINDOWS\tasks\At11.job
    2007-05-26 15:00:31 C:\WINDOWS\tasks\At12.job
    2007-05-26 16:13:28 C:\WINDOWS\tasks\At13.job
    2007-05-26 17:01:29 C:\WINDOWS\tasks\At14.job
    2007-05-26 18:00:31 C:\WINDOWS\tasks\At15.job
    2007-05-26 19:00:30 C:\WINDOWS\tasks\At16.job
    2007-05-26 20:00:33 C:\WINDOWS\tasks\At17.job
    2007-05-26 21:00:31 C:\WINDOWS\tasks\At18.job
    2007-05-25 22:00:30 C:\WINDOWS\tasks\At19.job
    2007-05-25 05:00:30 C:\WINDOWS\tasks\At2.job
    2007-05-25 23:00:30 C:\WINDOWS\tasks\At20.job
    2007-05-26 00:00:31 C:\WINDOWS\tasks\At21.job
    2007-05-26 01:01:24 C:\WINDOWS\tasks\At22.job
    2007-05-25 02:00:30 C:\WINDOWS\tasks\At23.job
    2007-05-26 03:00:30 C:\WINDOWS\tasks\At24.job
    2007-05-25 06:00:30 C:\WINDOWS\tasks\At3.job
    2007-05-25 07:00:30 C:\WINDOWS\tasks\At4.job
    2007-05-26 08:00:31 C:\WINDOWS\tasks\At5.job
    2007-05-26 09:00:31 C:\WINDOWS\tasks\At6.job
    2007-05-26 10:00:31 C:\WINDOWS\tasks\At7.job
    2007-05-26 11:00:31 C:\WINDOWS\tasks\At8.job
    2007-05-26 12:00:31 C:\WINDOWS\tasks\At9.job

    ********************************************************************

    catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-26 17:53:28
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    ********************************************************************

    Completion time: 2007-05-26 17:54:33 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-26 17:54

    --- E O F ---


    I also tried downloading Service Pack 2 today, but my system froze up.

    Thanks again,
    wojtek

  4. #4 - Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)


    Hi

    Please don't attempt installing service pack 2 until you're clean.

    Please download delcmdservice (by Marckie), and save it to your Desktop.
    http://users.telenet.be/marcvn/tools/delcmdservice.zip

    • Unzip the content to your Desktop (a folder named delcmdservice)
    • Double-click on the delcmdservice folder
    • Double-click on delreg.bat to launch the tool
    • When the tool has finished, please reboot your computer.


    Make your hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Delete these:

    C:\WINDOWS\system32\çasks
    C:\WINDOWS\system32\alt.exe
    C:\WINDOWS\system32\E3e6v6t2.exe
    C:\WINDOWS\wkwf
    C:\Program Files\Common Files\wkwf
    C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI

    Empty Recycle Bin

    Re-run combofix.

    Post:

    - a fresh HijackThis log
    - combofix report
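The entries the helper singles out above (a service whose file is missing under a base64-looking folder, autoruns launched from a folder whose name the logger could not render, a lookalike "çasks" folder) are the kind of thing a triage script can flag from a HijackThis log. Below is an added example, not part of the thread or of HijackThis; the sample lines are a constructed subset copied from the logs posted here, and the rules are heuristics that produce leads for a human reviewer, not verdicts.

```python
import base64
import re

# Sample HijackThis entries, copied from the logs posted in this thread
# (a constructed subset, not a full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E2791816-D2D8-DC79-8A0B-FEADAFB072C7} - C:\WINDOWS\System32\penuf.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\SMANTE~1\winword.exe" -vt ndrv
O4 - HKCU\..\Run: [Gqeip] "C:\Documents and Settings\Administrator\My Documents\?ymbols\?ttrib.exe"
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TmV4Z2VuZXJhdGlvbiBMYWI\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
""".strip().splitlines()

# A quoted path, or an unquoted one running to "(file missing)" / end of line.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.+?)(?= \(file missing\)|$)')
# Folder names made only of base64 alphabet characters, long enough to be deliberate.
B64_NAME_RE = re.compile(r'^[A-Za-z0-9+/]{16,}$')
# An 8.3 short-name folder (NAME~1) sitting directly under the Windows directory.
WINDIR_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\([^\\]*~\d[^\\]*)\\', re.IGNORECASE)


def extract_path(line):
    """Pull the first Windows path out of a HijackThis entry, or None."""
    m = PATH_RE.search(line)
    return (m.group(1) or m.group(2)) if m else None


def base64_name(name):
    """Return the decoded text if a folder name is base64 for printable ASCII."""
    if not B64_NAME_RE.match(name) or len(name) % 4 == 1:
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
        text = raw.decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def triage_entry(line):
    """Return a list of (rule, detail) tuples for one HijackThis line."""
    findings = []
    path = extract_path(line)
    if path is None:
        return findings
    # O23: a registered service whose binary is gone leaves a loading point behind.
    if line.startswith("O23") and "(file missing)" in line:
        findings.append(("service-file-missing", path))
    # Folder names that decode cleanly as base64 are not how installers name things.
    for part in path.split("\\")[1:-1]:
        decoded = base64_name(part)
        if decoded:
            findings.append(("base64-folder-name", f"{part} -> {decoded!r}"))
    # '?' is illegal in Windows file names: the logger could not render a non-ASCII
    # lookalike character (the "Purity" folder trick); literal non-ASCII counts too.
    if re.search(r"[^\x20-\x7e]|\?", path):
        findings.append(("non-ascii-or-unrenderable-char", path))
    # Autoruns launched from a short-name folder under C:\WINDOWS or from the
    # user's documents folder are unusual for legitimate software.
    if line.startswith("O4") and WINDIR_RE.match(path):
        findings.append(("autorun-from-8.3-folder-under-windows", path))
    if line.startswith("O4") and "\\My Documents\\" in path:
        findings.append(("autorun-from-user-documents", path))
    # Weak signal: an unnamed BHO living in System32 rather than a product folder.
    if line.startswith("O2") and "(no name)" in line and "\\System32\\" in path:
        findings.append(("unnamed-bho-in-system32", path))
    return findings


def triage_log(lines):
    """Map each flagged log line to its list of findings."""
    report = {}
    for line in lines:
        hits = triage_entry(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for entry, hits in triage_log(SAMPLE_LOG).items():
        print(entry)
        for rule, detail in hits:
            print(f"    [{rule}] {detail}")
```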

  5. #5 - Junior Member (Join Date: May 2007, Posts: 9)


    I could not find this file to delete:

    C:\WINDOWS\system32\çasks

    The only thing resembling it was the tasks folder, but I wasn't going to just delete those assuming you made a typo. Also, when I ran the delreg.bat file, it was over in about .25 sec. I want to make sure that was normal.

    Here's my new hijackthis.log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:58:18 AM, on 5/27/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\system32\notepad.exe
    C:\hijackthis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176993639125
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmana...oginHelper.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 6089 bytes




    And here is my new combofix.txt


    "Administrator" - 2007-05-27 10:49:12 Service Pack 1
    ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    "C:\WINDOWS\system32\wincom32.ini"


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_WINCOM32


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


    2007-05-26 17:54 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-26 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
    2007-05-26 11:35 <DIR> d-------- C:\WINDOWS\system32\çasks
    2007-05-23 00:31 <DIR> d-------- C:\hijackthis
    2007-05-22 20:08 <DIR> d-------- C:\WINDOWS\LogFiles
    2007-05-21 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-05-21 22:34 <DIR> d-------- C:\Program Files\Lavasoft
    2007-05-21 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-21 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-05-21 00:06 <DIR> d-------- C:\Program Files\CCleaner
    2007-05-17 00:32 <DIR> d-------- C:\Program Files\Full Tilt Poker
    2007-05-09 21:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
    2007-05-01 23:37 <DIR> d-------- C:\Program Files\Common Files\wkwf
    2007-04-30 21:57 <DIR> d-------- C:\Program Files\eMusic Download Manager
    2007-04-30 01:58 <DIR> d-------- C:\Program Files\AVSMedia
    2007-04-30 01:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVSMedia
    2007-04-30 01:33 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-04-30 01:33 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
    2007-04-30 01:33 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
    2007-04-30 01:33 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
    2007-04-30 00:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
    2007-04-30 00:22 <DIR> d-------- C:\Program Files\Haali
    2007-04-30 00:22 <DIR> d-------- C:\Program Files\CoreCodec


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-26 17:12:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-26 15:19:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
    2007-05-26 07:26:49 -------- d-----w C:\Program Files\QuickTime
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliPoint
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Messenger
    2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Shrink
    2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Decrypter
    2007-05-26 07:26:32 -------- d-----w C:\Program Files\Common Files\AOL
    2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0a
    2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0
    2007-05-24 21:53:16 -------- d-----w C:\Program Files\utorrent
    2007-05-20 18:27:43 -------- d-----w C:\Program Files\Google
    2007-05-08 01:16:44 2,922 ----a-w C:\WINDOWS\mozver.dat
    2007-04-26 00:33:58 -------- d-----w C:\Program Files\McAfee.com
    2007-04-21 00:50:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
    2007-04-20 17:02:12 -------- d-----w C:\Program Files\The Rosetta Stone
    2007-04-20 13:16:00 -------- d-----w C:\Program Files\DivX
    2007-04-19 22:49:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
    2007-04-19 22:33:11 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
    2007-04-19 22:33:11 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
    2007-04-17 23:29:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
    2007-04-17 12:23:44 -------- d-----w C:\Program Files\WordBiz
    2007-04-17 03:42:54 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
    2007-04-15 22:01:03 -------- d-----w C:\Program Files\Creative
    2007-04-15 17:40:49 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2007-04-15 01:55:12 -------- d-----w C:\Program Files\Common Files\LightScribe
    2007-04-14 22:03:53 -------- d-----w C:\Program Files\Ahead
    2007-04-14 22:01:24 -------- d-----w C:\Program Files\Common Files\Nero
    2007-04-14 21:59:39 -------- d-----w C:\Program Files\Common Files\Ahead
    2007-04-10 23:25:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
    2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\PxCpyI64.exe
    2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 22:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-30 12:43]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-21 20:02]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 12:20]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-17 08:18]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=


    Contents of the 'Scheduled Tasks' folder
    2007-05-25 04:00:30 C:\WINDOWS\tasks\At1.job
    2007-05-26 13:00:31 C:\WINDOWS\tasks\At10.job
    2007-05-26 14:00:33 C:\WINDOWS\tasks\At11.job
    2007-05-26 15:00:31 C:\WINDOWS\tasks\At12.job
    2007-05-26 16:13:28 C:\WINDOWS\tasks\At13.job
    2007-05-26 17:01:29 C:\WINDOWS\tasks\At14.job
    2007-05-26 18:00:31 C:\WINDOWS\tasks\At15.job
    2007-05-26 19:00:30 C:\WINDOWS\tasks\At16.job
    2007-05-26 20:00:33 C:\WINDOWS\tasks\At17.job
    2007-05-26 21:00:31 C:\WINDOWS\tasks\At18.job
    2007-05-26 22:01:23 C:\WINDOWS\tasks\At19.job
    2007-05-25 05:00:30 C:\WINDOWS\tasks\At2.job
    2007-05-26 23:00:30 C:\WINDOWS\tasks\At20.job
    2007-05-27 00:00:30 C:\WINDOWS\tasks\At21.job
    2007-05-26 01:01:24 C:\WINDOWS\tasks\At22.job
    2007-05-27 02:00:30 C:\WINDOWS\tasks\At23.job
    2007-05-27 03:00:30 C:\WINDOWS\tasks\At24.job
    2007-05-27 06:00:30 C:\WINDOWS\tasks\At3.job
    2007-05-25 07:00:30 C:\WINDOWS\tasks\At4.job
    2007-05-26 08:00:31 C:\WINDOWS\tasks\At5.job
    2007-05-27 09:00:30 C:\WINDOWS\tasks\At6.job
    2007-05-26 10:00:31 C:\WINDOWS\tasks\At7.job
    2007-05-26 11:00:31 C:\WINDOWS\tasks\At8.job
    2007-05-26 12:00:31 C:\WINDOWS\tasks\At9.job

    ********************************************************************

    catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-27 10:54:55
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    ********************************************************************

    Completion time: 2007-05-27 10:55:53 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-05-27 10:55
    C:\ComboFix2.txt ... 2007-05-26 17:54

    --- E O F ---


    Also, is there a way to get rid of AOL and anything resembling it?

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Yes, that bat shouldn't take long.

    Open HijackThis, click "Do a system scan only" and checkmark these:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e...p/RdxIE601.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab


    Close all windows including browser and press fix checked.

    Copy the text below to Notepad and save it as remfolders.bat (save as type: All Files, *.*)

    @ECHO OFF
    REM Clear the read-only and hidden attributes, delete the folder contents, then remove the folder itself.
    REM Paths are quoted so that attrib and del treat a path containing spaces as one argument.
    attrib -r -h "C:\WINDOWS\system32\çasks\*.*"
    del /a /f /q "C:\WINDOWS\system32\çasks\*.*"
    RD /s /q "C:\WINDOWS\system32\çasks"
    attrib -r -h "C:\Program Files\Common Files\wkwf\*.*"
    del /a /f /q "C:\Program Files\Common Files\wkwf\*.*"
    RD /s /q "C:\Program Files\Common Files\wkwf"

    It should look like this ->

    Double-click remfolders.bat; a black DOS window will flash, that's normal.

    (In case you are unsure how to create a bat file, take a look here with screenshots.)

    Re-run ComboFix.

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window into your next reply.

    Post:

    - a fresh HijackThis log
    - combofix report
    - uninstall list
    Last edited by Shaba; 2007-05-27 at 17:13.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
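The check the helper makes by eye in the next post (the checkmarked lines should no longer appear in the fresh HijackThis log, and nothing new should have shown up) can be done mechanically. The script below is an added example, not code from this thread or from HijackThis; the sample logs are short excerpts constructed from lines posted in the thread, and the truncated URLs are kept exactly as the forum displayed them.

```python
import re
from dataclasses import dataclass

# One HijackThis entry line is "<section> - <body>", e.g.
# "O16 - DPF: {GUID} - http://host/file.cab" (sections R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2})\s+-\s+(?P<body>.+?)\s*$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def key(self) -> str:
        # HijackThis prints an entry identically on every run, so the
        # whitespace-normalised line is a stable identity for it.
        return f"{self.section} - {' '.join(self.body.split())}"


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R*/F*/O* lines; the header, the running-process list
    and the 'End of file' trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entry keys that disappeared between two logs, and keys that are new."""
    b = {e.key for e in parse_hjt(before)}
    a = {e.key for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


def check_fix(flagged: str, after: str) -> tuple[list[str], list[str]]:
    """Split the 'checkmark these' lines into (fixed, remaining) according to
    whether each one still appears in the follow-up log."""
    present = {e.key for e in parse_hjt(after)}
    fixed, remaining = [], []
    for e in parse_hjt(flagged):
        (remaining if e.key in present else fixed).append(e.key)
    return fixed, remaining


# Sample input, constructed from lines posted in this thread.
FLAGGED = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e...p/RdxIE601.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
"""

BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/180cdc5e...p/RdxIE601.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
--
End of file - 6089 bytes
"""

# The fresh log posted after "fix checked": the R1 line and the two O16 lines
# are gone, but the HKLM about:blank start page is still listed.
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
--
End of file - 5760 bytes
"""

if __name__ == "__main__":
    fixed, remaining = check_fix(FLAGGED, AFTER_LOG)
    print("fixed:", *fixed, sep="\n  ")
    print("still present:", *remaining, sep="\n  ")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```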

  7. #7
    Junior Member
    Join Date
    May 2007
    Posts
    9


    new hijackthis.log

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 12:31:27 PM, on 5/27/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HiJackThis_v2.exe
    C:\WINDOWS\System32\notepad.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176993639125
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmana...oginHelper.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 5760 bytes



    ------------------------------------
    new combofix.txt


    "Administrator" - 2007-05-27 11:53:05 Service Pack 1
    ComboFix 07-05.26.3.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


    ((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))


    2007-05-26 17:54 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-26 13:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
    2007-05-23 00:31 <DIR> d-------- C:\hijackthis
    2007-05-22 20:08 <DIR> d-------- C:\WINDOWS\LogFiles
    2007-05-21 22:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
    2007-05-21 22:34 <DIR> d-------- C:\Program Files\Lavasoft
    2007-05-21 22:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-21 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-05-21 00:06 <DIR> d-------- C:\Program Files\CCleaner
    2007-05-17 00:32 <DIR> d-------- C:\Program Files\Full Tilt Poker
    2007-05-09 21:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera
    2007-04-30 21:57 <DIR> d-------- C:\Program Files\eMusic Download Manager
    2007-04-30 01:58 <DIR> d-------- C:\Program Files\AVSMedia
    2007-04-30 01:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AVSMedia
    2007-04-30 01:33 524,288 --a------ C:\WINDOWS\system32\xvidcore.dll
    2007-04-30 01:33 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
    2007-04-30 01:33 261,632 --a------ C:\WINDOWS\system32\mcdvd_32.dll
    2007-04-30 01:33 139,264 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-04-30 01:33 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
    2007-04-30 00:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
    2007-04-30 00:22 <DIR> d-------- C:\Program Files\Haali
    2007-04-30 00:22 <DIR> d-------- C:\Program Files\CoreCodec


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-05-26 17:12:35 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-26 15:19:33 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
    2007-05-26 07:26:49 -------- d-----w C:\Program Files\QuickTime
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Microsoft IntelliPoint
    2007-05-26 07:26:47 -------- d-----w C:\Program Files\Messenger
    2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Shrink
    2007-05-26 07:26:37 -------- d-----w C:\Program Files\DVD Decrypter
    2007-05-26 07:26:32 -------- d-----w C:\Program Files\Common Files\AOL
    2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0a
    2007-05-26 07:25:41 -------- d-----w C:\Program Files\America Online 9.0
    2007-05-24 21:53:16 -------- d-----w C:\Program Files\utorrent
    2007-05-20 18:27:43 -------- d-----w C:\Program Files\Google
    2007-05-08 01:16:44 2,922 ----a-w C:\WINDOWS\mozver.dat
    2007-04-26 00:33:58 -------- d-----w C:\Program Files\McAfee.com
    2007-04-21 00:50:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
    2007-04-20 17:02:12 -------- d-----w C:\Program Files\The Rosetta Stone
    2007-04-20 13:16:00 -------- d-----w C:\Program Files\DivX
    2007-04-19 22:49:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
    2007-04-19 22:33:11 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
    2007-04-19 22:33:11 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
    2007-04-17 23:29:49 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
    2007-04-17 12:23:44 -------- d-----w C:\Program Files\WordBiz
    2007-04-17 03:42:54 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
    2007-04-15 22:01:03 -------- d-----w C:\Program Files\Creative
    2007-04-15 17:40:49 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2007-04-15 01:55:12 -------- d-----w C:\Program Files\Common Files\LightScribe
    2007-04-14 22:03:53 -------- d-----w C:\Program Files\Ahead
    2007-04-14 22:01:24 -------- d-----w C:\Program Files\Common Files\Nero
    2007-04-14 21:59:39 -------- d-----w C:\Program Files\Common Files\Ahead
    2007-04-10 23:25:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
    2007-03-27 07:55:57 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-03-27 07:55:48 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-03-27 07:55:31 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-03-27 07:55:31 116,472 ------w C:\WINDOWS\system32\PxCpyI64.exe
    2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-03-27 07:49:07 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-03-27 07:49:07 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-03-27 07:49:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-03-27 07:49:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-03-27 07:49:02 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-03-27 07:49:02 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-03-27 07:49:02 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-03-27 07:48:59 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-03-27 07:48:58 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-03-27 07:48:58 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-03-27 07:48:58 639,066 ----a-w C:\WINDOWS\system32\DivX.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 14:17]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-01-19 23:55]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-24 22:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-09-30 12:43]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-21 20:02]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-07-16 12:20]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-17 08:18]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=


    Contents of the 'Scheduled Tasks' folder
    2007-05-25 04:00:30 C:\WINDOWS\tasks\At1.job
    2007-05-26 13:00:31 C:\WINDOWS\tasks\At10.job
    2007-05-26 14:00:33 C:\WINDOWS\tasks\At11.job
    2007-05-27 15:00:00 C:\WINDOWS\tasks\At12.job
    2007-05-26 16:13:28 C:\WINDOWS\tasks\At13.job
    2007-05-26 17:01:29 C:\WINDOWS\tasks\At14.job
    2007-05-26 18:00:31 C:\WINDOWS\tasks\At15.job
    2007-05-26 19:00:30 C:\WINDOWS\tasks\At16.job
    2007-05-26 20:00:33 C:\WINDOWS\tasks\At17.job
    2007-05-26 21:00:31 C:\WINDOWS\tasks\At18.job
    2007-05-26 22:01:23 C:\WINDOWS\tasks\At19.job
    2007-05-25 05:00:30 C:\WINDOWS\tasks\At2.job
    2007-05-26 23:00:30 C:\WINDOWS\tasks\At20.job
    2007-05-27 00:00:30 C:\WINDOWS\tasks\At21.job
    2007-05-26 01:01:24 C:\WINDOWS\tasks\At22.job
    2007-05-27 02:00:30 C:\WINDOWS\tasks\At23.job
    2007-05-27 03:00:30 C:\WINDOWS\tasks\At24.job
    2007-05-27 06:00:30 C:\WINDOWS\tasks\At3.job
    2007-05-25 07:00:30 C:\WINDOWS\tasks\At4.job
    2007-05-26 08:00:31 C:\WINDOWS\tasks\At5.job
    2007-05-27 09:00:30 C:\WINDOWS\tasks\At6.job
    2007-05-26 10:00:31 C:\WINDOWS\tasks\At7.job
    2007-05-26 11:00:31 C:\WINDOWS\tasks\At8.job
    2007-05-26 12:00:31 C:\WINDOWS\tasks\At9.job

    ********************************************************************

    catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-05-27 11:54:31
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    ********************************************************************

    Completion time: 2007-05-27 11:55:15
    C:\ComboFix-quarantined-files.txt ... 2007-05-27 11:54
    C:\ComboFix2.txt ... 2007-05-27 10:55
    C:\ComboFix3.txt ... 2007-05-26 17:54

    --- E O F ---


    -------------------------------

    uninstall list


    Ad-Aware SE Personal
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Flash Player ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Photoshop CS2
    Adobe Reader 6.0.1
    Adobe Stock Photos 1.0
    AOL Uninstaller
    ATI Control Panel
    ATI Display Driver
    ATI DVD Decoder 2.2.0.0
    ATI Multimedia Center 8.1.0.0
    Broadcom 440x 10/100 Integrated Controller
    CCleaner (remove only)
    Creative Jukebox Driver
    DAO
    Dell ResourceCD
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    Full Tilt Poker
    Google Toolbar for Internet Explorer
    HijackThis 2.0.0
    HydraVision
    Intel(R) Extreme Graphics Driver
    Java 2 Runtime Environment, SE v1.4.2_04
    Microsoft Data Access Components KB870669
    MSN Music Assistant
    Nero Suite
    QuickBooks Pro Edition 2004
    QuickTime
    RealPlayer
    Sony Picture Utility
    Sony USB Driver
    Sound Blaster Live!
    Spybot - Search & Destroy 1.4
    The Rosetta Stone
    Update for Windows XP (KB898461)
    Windows Installer 3.1 (KB893803)
    Windows Media Encoder 9 Series
    Windows Media Encoder 9 Series
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Hotfix [See Q828026 for more information]
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB826939
    Windows XP Hotfix - KB828028
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB833987
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB839645
    Windows XP Hotfix - KB840315
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB840987
    Windows XP Hotfix - KB841356
    Windows XP Hotfix - KB841533
    Windows XP Hotfix - KB841873
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB871250
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB873376
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB891711
    Windows XP Hotfix - KB891781
    Windows XP Hotfix (SP2) Q819696
    WinRAR archiver
    WordBiz version 1.8
    Yahoo! Address AutoComplete
    Yahoo! extras
    Yahoo! Internet Mail
    Yahoo! Messenger

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Uninstall this via add/remove programs:

    AOL Uninstaller (that will uninstall all AOL stuff)

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under "Select a target to scan", select My Computer.
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Post:

    - a fresh HijackThis log
    - kaspersky report

  9. #9
    Junior Member
    Join Date
    May 2007
    Posts
    9

    Default

    here's my new hijackthis.log

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 2:51:01 PM, on 5/27/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\hijackthis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL DSL Setup.lnk = D:\INSTALL.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176993639125
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {EC8C56B1-D027-4AB2-AF63-F845CCEE59B5} - https://billmanager.aol.com/billmana...oginHelper.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    --
    End of file - 5860 bytes
    and here's the kaspersky report

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, May 27, 2007 2:49:37 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 27/05/2007
    Kaspersky Anti-Virus database records: 330575
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 39494
    Number of viruses found: 13
    Number of infected objects: 25
    Number of suspicious objects: 0
    Duration of the scan process: 00:27:04

    Infected Object Name / Virus Name / Last Action
    C:\62.tmp Infected: Packed.Win32.Tibs.y skipped
    C:\65.tmp Infected: Trojan-Spy.Win32.Bancos.aam skipped
    C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
    C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe NSIS: infected - 1 skipped
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe Infected: Virus.Win32.Grum.a skipped
    C:\QooBox\Quarantine\C\18756003.exe.vir Infected: Trojan-Downloader.Win32.Agent.bmg skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1275OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
    C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
    C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
    C:\QooBox\Quarantine\C\WINDOWS\retadpu72.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\alt.exe.exe.vir Infected: Packed.Win32.Tibs.y skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\pee.exe.exe.vir Infected: Packed.Win32.Tibs.y skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\rpcc.dll.vir Infected: Trojan-Proxy.Win32.Dlena.cq skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\wincom32.sys.vir Infected: Packed.Win32.Tibs.w skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\windev-36af-46e9.sys.vir Infected: Packed.Win32.Tibs.ab skipped
    C:\WINDOWS\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
    C:\WINDOWS\b103.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\WINDOWS\b103.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\WINDOWS\b103.exe NSIS: infected - 3 skipped
    C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Empty this folder:

    C:\QooBox\Quarantine

    Delete these:

    C:\62.tmp
    C:\65.tmp
    C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe
    C:\WINDOWS\b103.exe
    C:\WINDOWS\b104.exe

    Empty Recycle Bin

    Re-scan with Kaspersky

    Post:

    - a fresh HijackThis log
    - Kaspersky report

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
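The advice in the post above follows directly from how the Kaspersky report is read: "Object is locked" entries are registry hives and logs that the scanner simply could not open, items under C:\QooBox\Quarantine are already-quarantined copies (so the folder is emptied rather than each file chased), and an archive member such as xz.exe/data0002 means the file to remove is the container xz.exe. The script below is an added example, not the helper's tool or anything from Kaspersky, that applies that same triage to the report. The sample lines are a subset copied from the report posted above; the line formats it matches and the quarantine prefix are taken from that report, and the function and variable names are the example's own.

```python
import re

# Subset of lines from the Kaspersky Online Scanner report posted in this thread.
# Three line shapes occur: "<object> Infected: <name> skipped",
# "<file> NSIS: infected - <n> skipped" (an installer whose members were flagged),
# and "<file> Object is locked skipped" (could not be opened, nothing detected).
SAMPLE_REPORT = r"""
C:\62.tmp Infected: Packed.Win32.Tibs.y skipped
C:\65.tmp Infected: Trojan-Spy.Win32.Bancos.aam skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\xz.exe NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rpcc.dll.vir Infected: Trojan-Proxy.Win32.Dlena.cq skipped
C:\WINDOWS\b103.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\WINDOWS\b103.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\WINDOWS\b103.exe NSIS: infected - 3 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Quarantine root as it appears in the report (ComboFix's QooBox folder).
QUARANTINE_PREFIX = r"C:\QooBox\Quarantine"

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
NSIS_RE = re.compile(r"^(?P<path>.+?) NSIS: infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def on_disk_path(obj):
    """Map a scanner object name to the file that exists on disk.

    Kaspersky names members of an archive or installer as
    '<file>/stream/data0002'. Windows paths never contain '/', so everything
    before the first '/' is the container file that has to be dealt with.
    """
    return obj.split("/", 1)[0]


def triage(report_text):
    """Split a report into live detections, quarantined copies and locked objects."""
    detections = {}  # on-disk path -> detection names, in order of first appearance
    locked = []
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections.setdefault(on_disk_path(m["path"]), []).append(m["name"])
            continue
        m = NSIS_RE.match(line)
        if m:
            # Summary line for an installer; list the container even if no
            # member line was seen for it.
            detections.setdefault(on_disk_path(m["path"]), [])
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
    quarantined = [p for p in detections
                   if p.lower().startswith(QUARANTINE_PREFIX.lower())]
    live = [p for p in detections if p not in quarantined]
    return {"live": live, "quarantined": quarantined,
            "locked": locked, "detections": detections}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Live files still on disk (delete after backing up / submitting):")
    for p in result["live"]:
        print("  ", p, "->", ", ".join(result["detections"][p]) or "(installer container)")
    print("Already quarantined (empty the quarantine folder instead):")
    for p in result["quarantined"]:
        print("  ", p)
    print("Locked objects, no detection, nothing to do:", len(result["locked"]))
```

Running it on the sample reproduces the list in the post above: the four live files (C:\62.tmp, C:\65.tmp, xz.exe and b103.exe) come out as things to delete, the two QooBox entries are grouped under the quarantine folder, and the locked hives are counted but never proposed for deletion. On a full report the same logic also surfaces anything flagged under a normal program directory that the quarantine rule does not cover, which is exactly the kind of entry that should be looked at by hand rather than deleted blindly.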
