Hello!

I would appreciate any help. I believe I am infected with a trojan virus (or at least infected with something). My computer has been running really slow lately for no apparent reason, and my gmail account's password was changed (and the security question was changed). I only access my gmail account from this computer, and it was not a very easy password, so I am guessing someone used a trojan and/or keylogger on my computer. Recently, when I transfered a program using my thumbdrive to a different computer, the computer's antivirus program said the file was infected with a trojan (I do not remember which one) and deleted it.

Hopefully this information will be useful-- and thank you in advance for any help!

(1) I ran the eTrust online virus scanner, but it did not find any viruses.

Scan Results: Scan Completed. 119910 files scanned. No viruses found.

File Infection Status Path
- No Infections

(2) I have run the BitDefender 10 "deep system scan" and this is what was found:

Summary:

C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Identities\{20FAE63E-B247-4941-A5C5-18B93D10E525}\Microsoft\Outlook Express\Inbox.dbx=>(message 467)=>[Subject: FW: Thanks for your registration][Date: Mon, 14 Nov 2005 21:17:48 -0500]=>(MIME part)=>reg_text.zip=>Reg-List-Dat_Packer2.exe Infected: Win32.Sober.V@mm
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Identities\{20FAE63E-B247-4941-A5C5-18B93D10E525}\Microsoft\Outlook Express\Inbox.dbx=>(message 467)=>[Subject: FW: Thanks for your registration][Date: Mon, 14 Nov 2005 21:17:48 -0500]=>(MIME part)=>reg_text.zip=>Reg-List-Dat_Packer2.exe Deleted
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Identities\{20FAE63E-B247-4941-A5C5-18B93D10E525}\Microsoft\Outlook Express\Inbox.dbx=>(message 467)=>[Subject: FW: Thanks for your registration][Date: Mon, 14 Nov 2005 21:17:48 -0500]=>(MIME part)=>reg_text.zip Archive repacking successfully completed (actions successfully applied)
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Identities\{20FAE63E-B247-4941-A5C5-18B93D10E525}\Microsoft\Outlook Express\Inbox.dbx=>(message 467)=>[Subject: FW: Thanks for your registration][Date: Mon, 14 Nov 2005 21:17:48 -0500]=>(MIME part) Archive repacking successfully completed (actions successfully applied)
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Identities\{20FAE63E-B247-4941-A5C5-18B93D10E525}\Microsoft\Outlook Express\Inbox.dbx=>(message 467) Archive repacking successfully completed (actions successfully applied)
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Identities\{20FAE63E-B247-4941-A5C5-18B93D10E525}\Microsoft\Outlook Express\Inbox.dbx Archive repacking has failed (marked actions not taken)
D:\achtung\LaoScript\DeadAIM_4.5.rar=>Deadaim_4.5\aim553595.exe=>wise0038=>wise0008 Detected: Adware.AWS.A
D:\achtung\LaoScript\DeadAIM_4.5.rar=>Deadaim_4.5\aim553595.exe=>wise0038=>wise0008 Disinfection failed
D:\achtung\LaoScript\DeadAIM_4.5.rar=>Deadaim_4.5\aim553595.exe=>wise0038=>wise0008 Move failed
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072743.exe=>(Inno Installer o)=>(Inno Module 1) Detected: Application.Sniffer.Advanfer.B
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072743.exe=>(Inno Installer o)=>(Inno Module 1) Disinfection failed
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072743.exe=>(Inno Installer o)=>(Inno Module 1) Move failed
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072744.exe=>(Inno Installer o)=>(Inno Module 1) Infected: Trojan.Pws.Icqinfo.A
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072744.exe=>(Inno Installer o)=>(Inno Module 1) Disinfection failed
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072744.exe=>(Inno Installer o)=>(Inno Module 1) Move failed
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072745.exe=>(ZIP Sfx o)=>SERV-U32.EXE Detected: Spyware.Server.Serv.U.25.E
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072745.exe=>(ZIP Sfx o)=>SERV-U32.EXE Disinfection failed



(3) This is the "merijin" Highjack This log:

Logfile of HijackThis v1.99.1
Scan saved at 8:11:18 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\torrents\utorrent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdlite.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\torrents\utorrent.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://68.213.17.223/ConnectComputer/nshelp.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124181589156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Messanger - Unknown owner - c:\Recyclers\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)







Thanks,
Jen

Hi Jen, welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hi Jen, have you resolved these issues yet? If not, I don't see a lot in the HJT log, but I do see this:
O23 - Service: Messanger - Unknown owner - c:\Recyclers\svchost.exe (file missing) CastleCops knows nothing about that item running from services:
Messanger so we can assume something nasty is at work there.

I also see this clue in the scan result you posted: Win32.Sober.V@mm
Here's the Google on that one: http://www.google.com/search?hl=en&q=Win32.Sober.V&btnG=Google+Search

If you have not resolved these issues, let start like this and see what happens:

1) I checked my file on C:\ and it says >>> RECYCLER and it is 85 bites. If you open it you will see your Recycler Bin and one or more numbers similiar to this: S-1-5-21-3540737331-etc.
This is your VALID Recycle Bin folder.

Here is the BAD one: c:\Recyclers\svchost.exe <<< notice the s on recycler, delete that complete folder, the bad file inside will go with it.
You may have to stop the service:
Disable the Service
Click Start > Run and type services.msc
Scroll down to Messanger and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

and the hackers may have hidden that file:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

There may be more junk hidden. Let's run this tool to see if it shows anything else.
Thanks to sUBs and anyone else who helped with this fix.

2) Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Once you are clean, you will want to change all passwords, you may want to view this information just in case.
http://www.dslreports.com/faq/10451

Post the combofix log, a new HJT log and any comments you think will help.

Thanks...Phil

Hi Phil,

Thanks! I deleted the malicious "recyclers" folder.

I'm not sure if this fact is pertinent, but recently, when I try to open up a new webpage in internet explorer, a blank screen comes up saying the webpage cannot be found instead of the normal webpage. This happens about 30% of the time. Also, this usually occurs with all sites, including reputable sites like cnn and (the) google, too. I'm confident it is not my internet connection b/c I have no such problems while using my laptop on this network.


Here is the combofix log:

2007-07-18 10:17:20 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-18 10:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 23:30 <DIR> d-------- C:\Hijack This
2007-07-14 22:29 76,160 --a------ C:\WINDOWS\system32\drivers\lnsfw1.sys
2007-07-14 22:29 46,208 --a------ C:\WINDOWS\system32\drivers\lnsfw.sys
2007-07-14 22:29 36,924 --a------ C:\WINDOWS\system32\fwapi.dll
2007-07-14 22:29 <DIR> d-------- C:\Program Files\Soft4Ever
2007-07-14 16:24 <DIR> d-------- C:\Program Files\CCleaner
2007-07-14 10:23 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Bitdefender
2007-07-14 10:22 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-13 22:14 <DIR> d-------- C:\DOCUME~1\DREAMR~1\APPLIC~1\Bitdefender
2007-07-13 22:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
2007-07-13 20:39 <DIR> d-------- C:\DOCUME~1\DREAMR~1\APPLIC~1\GetRightToGo
2007-07-06 11:57 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-24 22:19 <DIR> d-------- C:\DOCUME~1\DREAMR~1\APPLIC~1\ImgBurn
2007-06-24 20:35 <DIR> d-------- C:\Program Files\ImgBurn
2007-06-19 20:06 <DIR> d-------- C:\Program Files\DiscWizard for Windows
2007-06-19 15:23 <DIR> d-------- C:\Program Files\Investintech.com Inc
2007-06-19 15:16 <DIR> d-------- C:\Program Files\VeryPDF PDF Editor v2.2
2007-06-19 14:19 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-18 14:21:51 -------- d-----w C:\DOCUME~1\DREAMR~1\APPLIC~1\uTorrent
2007-07-18 14:19:27 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2007-07-15 18:13:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-14 20:51:38 -------- d-----w C:\Program Files\GetRight
2007-07-14 02:36:09 -------- d-----w C:\Program Files\NewsBin
2007-07-14 02:36:07 -------- d-----w C:\Program Files\nbpro
2007-07-14 00:39:43 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-21 16:32:18 -------- d-----w C:\DOCUME~1\DREAMR~1\APPLIC~1\dvdcss
2007-06-18 04:29:13 -------- d-----w C:\DOCUME~1\DREAMR~1\APPLIC~1\Aim
2007-06-14 21:48:05 -------- d-----w C:\Program Files\BitLord
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2006-07-18 01:23:52 138 ----a-w C:\Program Files\INSTALL.LOG
2006-05-03 10:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02DCA195-602B-4B1F-83FF-381B7E804BDB}]
2003-03-27 06:37 208896 --a------ C:\WINDOWS\system32\HDBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 00:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
2004-10-06 10:18 233472 --a------ C:\Program Files\GetRight\xx2gr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]
2005-12-09 17:22 786656 --a------ C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-07-26 03:17 434279 --a------ C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2003-05-15 01:03 147456 --a------ C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
2006-02-12 16:43 847608 --a------ C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeadAIM"="C:\Program Files\AIM\\DeadAIM.ocm" [2004-02-28 12:12]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-18 16:28]
"nwiz"="nwiz.exe" [2005-11-11 14:47 C:\WINDOWS\system32\nwiz.exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe" [2007-07-13 22:53]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49]
"Look 'n' Stop"="C:\Program Files\Soft4Ever\looknstop\looknstop.exe" [2007-07-14 22:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-04-27 18:18]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-01-11 03:56]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"µTorrent"="C:\torrents\utorrent.exe" [2007-04-21 17:11]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-28 21:20:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"C:\Program Files\BitLord\BitLord.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"Pctspk"=2 (0x2)
"Diskeeper"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{253d4b52-ff29-11d9-b2bf-000347297883}]
AutoRun\command- G:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-07-18 11:18:14 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 10:20:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [12664]
? [13204]


scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 10:23:06

--- E O F ---




Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:38 AM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\torrents\utorrent.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\torrents\utorrent.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://68.213.17.223/ConnectComputer/nshelp.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124181589156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Thanks again,
Jen

Thanks for returning your information and the feedback. I see no malware in the HJT, and nothing is being shown by combofix, but it looks for specific items.

Let's look at what I do see, first read this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_08\ <<< Java is out of date, download the newest version and uninstall all old versions in Add Remove Programs. This is how dangerous out of date Java is:
http://www.theregister.com/2007/05/11/google_malware_map/

I see BitDefender as your Anti-Virus Component, what are you using for a Firewall? We know to run only one antivirus and one firewall, but the jury is still out on how many spyware programs to run and which ones might cause conflitctions. Are you sure running SpyWareDoctor and Windows Defender creates no such issue? If not, you might want to ask tech support at the programs to be sure.

I am not seeing anything else in the log, could you take a look and make sure nothing is there you are not aware of.

It is important in searching that the error messages are word for word so I am hoping this one is:
webpage cannot be found >>>here is the Google: http://www.google.com/search?hl=en&q=webpage+cannot+be+found+&btnG=Search
Have a look at this information to see if it helps:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx

I would like you to run a scan we use that will show any bad stuff if it is there. It will not remove anything but it is one of the very best scanners. Before I post the instructions I want to comment of the BitDefender scan which I am not real familiar with. As you look at those results, these
E:\System Volume Information\_restore are infected System Restore files and they are harmless unless you use System Restore. I am interested in what BitDefender did with the rest of the stuff it found? Did it delete or quarantine it?

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. Please also post any information I requested and any comments you think will help.

Thanks

Thanks for the quick response, Phil.

I uninstalled Java. (Is there any reason to reinstall it?)

I'm using Look'n'stop as the firewall. I have no idea whether using spywaredoctor and window's defender creates an issue, but I will look into it.

Looking at the log, why are there so many instances of svhost.exe? Is that natural?

In regard to bitdefender, I ran the scan multiple times before finally posting the results on my first post. In most of the scans, Bitdefender quaratined items and then I manually deleted them. For the files it could not quarantine or move, I booted into safemode and deleted them manually.

Here are the results from the kaspersky online file scan:

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 18, 2007 2:03:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/07/2007
Kaspersky Anti-Virus database records: 342363
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 125736
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:35:55

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12312006-020524.log Object is locked skipped
C:\Documents and Settings\dreamraped inc\Application Data\Bitdefender\Desktop\Profiles\asdict.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{34095909-32F3-4426-9A37-EE78DBBA34F8} Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\History\History.IE5\MSHist012007071820070719\index.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Temp\Perflib_Perfdata_220.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Temp\~DF1D09.tmp Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Temp\~DF1D16.tmp Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\dreamraped inc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\dreamraped inc\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Softwin\BitDefender10\aspdict.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1204\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{ED6CA5D0-66BE-4AAE-B57C-956DE738CE76}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kspydoc.log Object is locked skipped
C:\WINDOWS\system32\Sweeper.cfg Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072743.exe/data0002 Infected: Sniffer.Win32.Advanfer skipped
E:\System Volume Information\_restore{CCCDBBBC-A956-41D7-A99C-28913F29BF02}\RP1200\A0072743.exe Inno: infected - 1 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Thanks,
Jen

I uninstalled Java. (Is there any reason to reinstall it?)
Jen, for the computer to function correctly as it should, you need to have Java installed. There are choices, Microsoft also has a Java program. I suggest you read about Java so you will know what it does.
http://java.sun.com/docs/books/tutorial/getStarted/intro/definition.html
http://www.google.com/search?hl=en&q=What+is+Java&btnG=Google+Search

You may be able to run without it? I am not sure, but it will effect how you compute, view information, webpages, etc.

http://www.looknstop.com/En/index2.htm >>> looks ok to me, I know nothing about it but new software comes out so fast it is hard to keep up. I suggest you make sure the Service Pack #2 ICF in your Security Center is turned off (run only one)

Watch your spelling (svhost.exe) is a trojan and svchost.exe is a very important part of Windows:
http://support.microsoft.com/kb/314056
http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/
MORE INFORMATION

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Thanks for that feedback about the BitDefender scan, this would mean if you run the scan now it should be clean.

KASPERSKY ONLINE SCANNER REPORT
Number of viruses found: 1
Number of infected objects: 2 / 0

Both infected items are in your System Restore files and we will clean those now:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

You should be good to go at this point. Let me know is you need me to do more.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.