PDA

View Full Version : WinAntiSpyware Alert



Scott5150
2007-07-16, 04:14
Hi,

First of all, all of the helpers here have been great to me. I have posted a couple of times over the past few years and both times the folks here have fixed the problem. Thank you for all your help. I really appreciate it.

The current problem I have is that a box is popping up at the bottom right of my computer indicating WinAntiSpyware Alert!. In the box, it asks if I want to Allow. It then says "To remove the security Threats found please register WinAnit Spyware 2007." I cant seem top get rid of the box.

Also, when I run Windows Defender it indcates Severe Alert. If I click to Remove All, I get a message that Windows Defender encountered an error and that the Group or Resource is not the correct state to perform the requested action. I notice that my computer is running a bit slow as well.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:26 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\WinAntiSpyware 2007\was7.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\amwnmdoA.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\CROSOF~1.NET\rundll.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Scott\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [WinAntiSpyware 2007 Free] "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [amwnmdoA] C:\WINDOWS\amwnmdoA.exe
O4 - HKLM\..\Run: [{5D-D6-66-68-ZN}] c:\windows\system32\modsregn.exe SKY009
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\CROSOF~1.NET\rundll.exe" -vt yazb
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://verizon.exent.com/vzunlimited/classes/ExentCtl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe


Thank you,
Scott

pskelley
2007-07-16, 16:01
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

1) Looks like a Vundo infection to me, please see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< Java is BADLY out dated. Download the newest version and uninstall all old versions in Add Remove Programs.

2) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
Once you get it moved, rename HJT.exe, Scott.exe will do.

3) They are all bad but this one is real nasty: C:\WINDOWS\system32\tmrsrv32.exe
http://spywarefiles.prevx.com/RREHCD38818560/TMRSRV32.EXE.html
We need to check your Hosts files after we kill this one:
Installs programs.
Invokes dll components.
Creates Run Keys.
Modifies the hostsfile.
Runs other programs.
Communicates with web sites using httpout protocols.
Modifies Browser Search Settings.
Hijacks running processes.
Creates known malware.
Creates copies of itself.

4) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks

Scott5150
2007-07-17, 06:50
Thanks PSKelley. Here is the Combofix log. I will post in multiple replies.

"Scott" - 2007-07-16 23:19:54 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cghvjarg.dll
C:\WINDOWS\system32\nfsbfepa.dll
C:\WINDOWS\system32\wndlpanv.dll
C:\WINDOWS\system32\xxyyywt.dll
C:\WINDOWS\system32\reohhvcm.exe
C:\WINDOWS\system32\rmuymrjg.exe
C:\WINDOWS\system32\sxqgppcy.dll
C:\WINDOWS\system32\tcdaeifa.dll
C:\WINDOWS\system32\xxyyywt.dll
C:\WINDOWS\SYSTEM32\nmllm.bak1
C:\WINDOWS\SYSTEM32\nmllm.bak2
C:\WINDOWS\SYSTEM32\nmllm.ini
C:\WINDOWS\SYSTEM32\apefbsfn.ini
C:\WINDOWS\SYSTEM32\vnapldnw.ini
C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\urqrsrp.dll
C:\WINDOWS\system32\urqrsrp.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\Scott\APPLIC~1.\curity~1
C:\DOCUME~1\Scott\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Scott\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\Scott\MYDOCU~1.\mbols~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\ComPlus Applications\mewody83122.dll
C:\Program Files\Movie Maker\qujawine.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\winantispyware 2007
C:\Program Files\winantispyware 2007\Activate.dat
C:\Program Files\winantispyware 2007\appupdate.dat
C:\Program Files\winantispyware 2007\AsAgents.dll
C:\Program Files\winantispyware 2007\AsAgents.xml
C:\Program Files\winantispyware 2007\atl71.dll
C:\Program Files\winantispyware 2007\AutoProcess.dat
C:\Program Files\winantispyware 2007\bnlink.dat
C:\Program Files\winantispyware 2007\database\enemies.dat
C:\Program Files\winantispyware 2007\database\knownfiles.dat
C:\Program Files\winantispyware 2007\database\TEBase.dat
C:\Program Files\winantispyware 2007\database\vbpv.dat
C:\Program Files\winantispyware 2007\dbupdate.dat
C:\Program Files\winantispyware 2007\fopnl.dll
C:\Program Files\winantispyware 2007\InstHelp.exe
C:\Program Files\winantispyware 2007\InstUp.exe
C:\Program Files\winantispyware 2007\lapv.dat
C:\Program Files\winantispyware 2007\license.rtf
C:\Program Files\winantispyware 2007\manual.pdf
C:\Program Files\winantispyware 2007\manual.url
C:\Program Files\winantispyware 2007\mfc71.dll
C:\Program Files\winantispyware 2007\monstate.dat
C:\Program Files\winantispyware 2007\msvcp71.dll
C:\Program Files\winantispyware 2007\msvcr71.dll
C:\Program Files\winantispyware 2007\ps.dat
C:\Program Files\winantispyware 2007\pv.dat
C:\Program Files\winantispyware 2007\quaratine.dat\#post_quarantine
C:\Program Files\winantispyware 2007\readme.rtf
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\0d05b79f84d54729fd27c6a2\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\0d05b79f84d54729fd27c6a2\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\0d05b79f84d54729fd27c6a2\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\0d2610769c9046afe41ecf83\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\0d2610769c9046afe41ecf83\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\0d2610769c9046afe41ecf83\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\0d2610769c9046afe41ecf83\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\10335a5a026342c47cd865a5\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\10335a5a026342c47cd865a5\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\10335a5a026342c47cd865a5\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\103bc1dc8fba41d500b252b8\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\103bc1dc8fba41d500b252b8\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\103bc1dc8fba41d500b252b8\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\103bc1dc8fba41d500b252b8\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\14c6dc208ac5410db563ce9c\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\14c6dc208ac5410db563ce9c\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\14c6dc208ac5410db563ce9c\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\1a4da281e41e4708e55cbdba\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\1a4da281e41e4708e55cbdba\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\1a4da281e41e4708e55cbdba\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\2941d85e11da4f50fa0965a6\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\2941d85e11da4f50fa0965a6\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\2941d85e11da4f50fa0965a6\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\403a29f7f7214ce5c8967891\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\403a29f7f7214ce5c8967891\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\403a29f7f7214ce5c8967891\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\403a29f7f7214ce5c8967891\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4532233b52c94455b5bd0b98\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4532233b52c94455b5bd0b98\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4532233b52c94455b5bd0b98\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4532233b52c94455b5bd0b98\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\471b4d846d5645362296deb5\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\471b4d846d5645362296deb5\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\471b4d846d5645362296deb5\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4aef88ff3a294d4d4e80a698\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4aef88ff3a294d4d4e80a698\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4aef88ff3a294d4d4e80a698\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4aef88ff3a294d4d4e80a698\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4b0a961b0d6648e84d474fb5\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4b0a961b0d6648e84d474fb5\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4b0a961b0d6648e84d474fb5\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\4b0a961b0d6648e84d474fb5\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\60c35cde4b194075922df9a3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\60c35cde4b194075922df9a3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\60c35cde4b194075922df9a3\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\6b0453a9f8c04f05e5b9b9b3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\6b0453a9f8c04f05e5b9b9b3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\6b0453a9f8c04f05e5b9b9b3\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\6c84076dadf34b003df03eb7\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\6c84076dadf34b003df03eb7\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\6c84076dadf34b003df03eb7\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\7d73615b83a943834abe4194\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\7d73615b83a943834abe4194\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\7d73615b83a943834abe4194\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\85025466fe40413ed97b79b7\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\85025466fe40413ed97b79b7\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\85025466fe40413ed97b79b7\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\858722e4c44a426e9cb2829d\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\858722e4c44a426e9cb2829d\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\858722e4c44a426e9cb2829d\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\8f73a24c8a1e43aa7a8ec197\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\8f73a24c8a1e43aa7a8ec197\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\8f73a24c8a1e43aa7a8ec197\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\8f73a24c8a1e43aa7a8ec197\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\9826fc60f8354475b88e488a\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\9826fc60f8354475b88e488a\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\9826fc60f8354475b88e488a\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\aa307dbbf28b4c9ecba70bb3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\aa307dbbf28b4c9ecba70bb3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\aa307dbbf28b4c9ecba70bb3\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ba602ba5da044e3596c3f6bb\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ba602ba5da044e3596c3f6bb\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ba602ba5da044e3596c3f6bb\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\bca6fd4549c64750b243f3a3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\bca6fd4549c64750b243f3a3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\bca6fd4549c64750b243f3a3\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\bca6fd4549c64750b243f3a3\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\c9f14b789d83410d982234bb\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\c9f14b789d83410d982234bb\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\c9f14b789d83410d982234bb\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\d1d6e3988a4c4120d901f387\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\d1d6e3988a4c4120d901f387\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\d1d6e3988a4c4120d901f387\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\dc28f4455af04b55a3e3cd86\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\dc28f4455af04b55a3e3cd86\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\dc28f4455af04b55a3e3cd86\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ea8de467b825424566257083\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ea8de467b825424566257083\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ea8de467b825424566257083\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ea8de467b825424566257083\Scott
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ecede3a6a33348bfd0b12a85\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ecede3a6a33348bfd0b12a85\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\3558f1cef293452c7931a5ad\ecede3a6a33348bfd0b12a85\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\0d59a60af669480a6ac029b7\#data
C:\Program Files\winantispyware

Scott5150
2007-07-17, 06:51
More Combofix log:

2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\0d59a60af669480a6ac029b7\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\0d59a60af669480a6ac029b7\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\1ca3eb6cb3c443847f984886\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\1ca3eb6cb3c443847f984886\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\1ca3eb6cb3c443847f984886\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\95447328551846b911f3ceb3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\95447328551846b911f3ceb3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\95447328551846b911f3ceb3\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\a9b31d08d1a449146bafb093\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\a9b31d08d1a449146bafb093\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\cc7caa6019104ffa480e9cad\a9b31d08d1a449146bafb093\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\12aa938494154c547c435696\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\12aa938494154c547c435696\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\12aa938494154c547c435696\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\a1f96f7e564a4f83f4f86cbd\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\a1f96f7e564a4f83f4f86cbd\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\a1f96f7e564a4f83f4f86cbd\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\e593f324cc254811942d5b91\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\e593f324cc254811942d5b91\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\54813b09e2dc461070cfabb8\fcda81e040504c8b6c48c99e\e593f324cc254811942d5b91\#name
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\002800c4f618414a98c7eca3\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\002800c4f618414a98c7eca3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\002800c4f618414a98c7eca3\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\086f0f770b1843979477ed9f\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\086f0f770b1843979477ed9f\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\0a163dfe907949b466d3aba1\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\0a163dfe907949b466d3aba1\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\0d3d8babfc564e8e0a4bc883\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\0d3d8babfc564e8e0a4bc883\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\11c6a17f48904651daa9a295\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\11c6a17f48904651daa9a295\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\14c96327caff4220af9185a4\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\14c96327caff4220af9185a4\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\22c49734436b4f68039845a2\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\22c49734436b4f68039845a2\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\2a2df3d65842449666bac890\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\2a2df3d65842449666bac890\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\2a6945e5e73b4763e1cfea95\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\2a6945e5e73b4763e1cfea95\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\2f936852351a49b5903517a6\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\2f936852351a49b5903517a6\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\374a5a32bfef44ea075a80b0\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\374a5a32bfef44ea075a80b0\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\497f291d03b94c45d1b4e293\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\497f291d03b94c45d1b4e293\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\508c5e8017c74864baa184aa\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\508c5e8017c74864baa184aa\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\571eb1de6d8f40ce18d7beab\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\571eb1de6d8f40ce18d7beab\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\5a5c7480b91d4213ecda0b9c\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\5a5c7480b91d4213ecda0b9c\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\6752ede15b844471c069d899\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\6752ede15b844471c069d899\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\68df7c2710d8473f4eafc2a1\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\68df7c2710d8473f4eafc2a1\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\7834e6884bf546a25200819a\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\7834e6884bf546a25200819a\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\7c76866b58b44402d390af95\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\7c76866b58b44402d390af95\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\8677fe334d8c4fd070e24d93\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\8677fe334d8c4fd070e24d93\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\88d952ecc8db4f28c2a1d2b5\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\88d952ecc8db4f28c2a1d2b5\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\8b0859fc60be4d2215626e8f\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\8b0859fc60be4d2215626e8f\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\8f92be4c9fec453da8fc8098\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\8f92be4c9fec453da8fc8098\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\8f92be4c9fec453da8fc8098\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\91bf880afd354b43294234a1\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\91bf880afd354b43294234a1\#settings
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\91bf880afd354b43294234a1\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\91f85f478c1c439c53822886\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\91f85f478c1c439c53822886\#startup


C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\9b650a350a054939e427118c\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\9b650a350a054939e427118c\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\a1269440327a490db6f32f8d\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\a1269440327a490db6f32f8d\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\a5ed6e4f11244eb604374586\#data
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\a5ed6e4f11244eb604374586\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\a5ed6e4f11244eb604374586\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\aa51b7d206064486cb3ea89d\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\aa51b7d206064486cb3ea89d\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\aa90df7c886b4ecec668168e\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\aa90df7c886b4ecec668168e\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\b065e545bf334c099bfa09ab\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\b065e545bf334c099bfa09ab\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\b1240d4e172f403cb3526898\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\b1240d4e172f403cb3526898\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\b5a952d74ef74a8d8469d195\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\b5a952d74ef74a8d8469d195\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\bc347cc5c9f3488e8b09ef87\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\bc347cc5c9f3488e8b09ef87\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\bcd16634ccf24515a0b453bc\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\bcd16634ccf24515a0b453bc\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\c008f69fa1374707abdb0493\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\c008f69fa1374707abdb0493\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\c542753e1229492839a34884\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\c542753e1229492839a34884\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\c8090bc9e52a48cb8d48ce89\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\c8090bc9e52a48cb8d48ce89\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\d23c1c9d9533440164f784a7\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\d23c1c9d9533440164f784a7\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\d50ba1184fa240fbe33154b7\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\d50ba1184fa240fbe33154b7\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\dd1f1e07d2d74f6c529b81bb\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\dd1f1e07d2d74f6c529b81bb\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\e6914b4771054a8c71edd089\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\e6914b4771054a8c71edd089\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\e7c4297b6330431ad6ba98a3\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\e7c4297b6330431ad6ba98a3\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\e963d1d133344457f429499a\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\e963d1d133344457f429499a\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\eaaa2c21a0964ce7a5e448bf\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\eaaa2c21a0964ce7a5e448bf\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\eb8752ef9c73443ec239e5ae\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\eb8752ef9c73443ec239e5ae\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\ec7dcbf7a02f4bb7b43a6a95\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\ec7dcbf7a02f4bb7b43a6a95\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\f0819f609d304db570a28c8a\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\f0819f609d304db570a28c8a\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\f348f366f8e74271b1371488\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\f348f366f8e74271b1371488\#startup
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\fd43be11b9ea4152f434e2b1\#internal
C:\Program Files\winantispyware 2007\RTMonitor.dat\a1350906caf4484b4eab5a96\fd43be11b9ea4152f434e2b1\#startup
C:\Program Files\winantispyware 2007\scanlog.xml
C:\Program Files\winantispyware 2007\settings.ini
C:\Program Files\winantispyware 2007\shellext.xml
C:\Program Files\winantispyware 2007\sr.log
C:\Program Files\winantispyware 2007\Summary.dat
C:\Program Files\winantispyware 2007\support.url
C:\Program Files\winantispyware 2007\tasks.dat
C:\Program Files\winantispyware 2007\threatnet.dat
C:\Program Files\winantispyware 2007\threatnet.ini
C:\Program Files\winantispyware 2007\unins000.dat
C:\Program Files\winantispyware 2007\unins000.exe
C:\Program Files\winantispyware 2007\uninstall.ico
C:\Program Files\winantispyware 2007\UnWizard.exe
C:\Program Files\winantispyware 2007\unwizard.xml
C:\Program Files\winantispyware 2007\up.dat
C:\Program Files\winantispyware 2007\updater.dat
C:\Program Files\winantispyware 2007\was7.exe
C:\Program Files\winantispyware 2007\WAS7.url
C:\Program Files\winantispyware 2007\WAS7.xml
C:\WINDOWS\7search.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\crosof~1.net
C:\WINDOWS\crosof~1.net\rundll.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\poolsv.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\B0
C:\WINDOWS\system32\B0\mwspasrt83122.exe
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\B1\wr73.exe
C:\WINDOWS\system32\B2
C:\WINDOWS\system32\B2\st2.exe
C:\WINDOWS\system32\B3
C:\WINDOWS\system32\B5
C:\WINDOWS\system32\B5\z53.exe
C:\WINDOWS\system32\drivers\ApiMon.sys
C:\WINDOWS\system32\drivers\fopn.sys

Scott5150
2007-07-17, 06:52
Final part of Combofix log:

C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msdn_lib.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\ogydvkmn.exe
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\sxdxvooj.exe
C:\WINDOWS\system32\uypetspj.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wnscpsv32.exe
C:\WINDOWS\system32\wptftks.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\wml.exe


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-16 23:10 <DIR> d-------- C:\HJT
2007-07-13 00:22 736,352 -r-hs---- C:\WINDOWS\amwnmdoA.exe
2007-07-13 00:22 54,784 --a------ C:\WINDOWS\amwnmdo.exe
2007-07-13 00:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\driver
2007-07-13 00:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\b10FdUe
2007-07-13 00:22 <DIR> d-------- C:\Temp\brr
2007-07-13 00:22 <DIR> d-------- C:\Temp\0c2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 03:27:06 12 ----a-w C:\WINDOWS\system32\sl.bin
2007-07-17 03:24:52 -------- d-----w C:\Program Files\Movie Maker
2007-07-16 10:37:44 -------- d-----w C:\Program Files\NetZero
2007-07-13 04:22:47 49,152 ----a-w C:\WINDOWS\TISKY009.exe
2007-07-11 22:15:15 1,802 ----a-w C:\DOCUME~1\Scott\APPLIC~1\wklnhst.dat
2007-06-21 22:57:37 -------- d-----w C:\Program Files\Google
2007-06-18 00:25:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-18 00:25:39 -------- d-----w C:\Program Files\Dearborn
2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-06-12 03:08:37 2,938 ----a-w C:\WINDOWS\system32\tmp.reg
2007-06-12 02:41:31 4 ----a-w C:\WINDOWS\system32\stfv.bin
2007-06-12 00:27:51 18,432 ----a-w C:\WINDOWS\sysrlb32.exe
2007-06-09 17:28:54 10,240 ----a-w C:\WINDOWS\vxddsk.exe
2007-06-09 17:28:33 801 ----a-w C:\WINDOWS\system32\drivers\system_stable_header_small.gif
2007-06-09 17:28:33 567 ----a-w C:\WINDOWS\system32\drivers\users_rating.gif
2007-06-09 17:28:33 291 ----a-w C:\WINDOWS\system32\drivers\v.gif
2007-06-09 17:28:33 283 ----a-w C:\WINDOWS\system32\drivers\x.gif
2007-06-09 17:28:32 6,533 ----a-w C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
2007-06-09 17:28:32 579 ----a-w C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-06-09 17:28:32 15,075 ----a-w C:\WINDOWS\system32\drivers\system_stable_box.jpg
2007-06-09 17:28:32 1,636 ----a-w C:\WINDOWS\system32\drivers\system_stable_header.gif
2007-06-09 17:28:31 5,097 ----a-w C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-06-09 17:28:31 14,484 ----a-w C:\WINDOWS\system32\drivers\protect.gif
2007-06-09 17:28:31 13,618 ----a-w C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-06-09 17:28:31 1,139 ----a-w C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-06-09 17:28:30 841 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-06-09 17:28:30 4,557 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-06-09 17:28:30 10,260 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-06-09 17:28:30 1,804 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-06-09 17:28:29 811 ----a-w C:\WINDOWS\system32\drivers\download_btn.gif
2007-06-09 17:28:29 737 ----a-w C:\WINDOWS\system32\drivers\logo_bg.gif
2007-06-09 17:28:29 580 ----a-w C:\WINDOWS\system32\drivers\features.gif
2007-06-09 17:28:29 3,099 ----a-w C:\WINDOWS\system32\drivers\logo.gif
2007-06-09 17:28:28 746 ----a-w C:\WINDOWS\system32\drivers\buy_btn.gif
2007-06-09 17:28:28 50,250 ----a-w C:\WINDOWS\system32\drivers\pt.htm
2007-06-09 17:28:28 427 ----a-w C:\WINDOWS\system32\drivers\4_stars.gif
2007-06-09 17:28:28 365 ----a-w C:\WINDOWS\system32\drivers\5_stars.gif
2007-06-09 17:28:27 945 ----a-w C:\WINDOWS\system32\drivers\s_detect.htm
2007-06-09 17:28:27 6,575 ----a-w C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-06-09 17:28:27 6,373 ----a-w C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-06-09 17:28:26 64 ----a-w C:\WINDOWS\system32\drivers\close_icon.gif
2007-06-09 17:28:26 4,825 ----a-w C:\WINDOWS\system32\drivers\detect.htm
2007-06-09 17:28:26 360 ----a-w C:\WINDOWS\system32\drivers\header_bg.gif
2007-06-09 17:28:26 2,186 ----a-w C:\WINDOWS\system32\drivers\alert_icon.gif
2007-06-09 17:28:26 1,014 ----a-w C:\WINDOWS\system32\drivers\icon_warning.gif
2007-06-05 01:30:22 -------- d-----w C:\Program Files\Common Files\Scanner
2007-06-05 01:30:15 -------- d-----w C:\Program Files\Yahoo!
2007-06-03 15:26:22 -------- d-----w C:\Program Files\Windows Defender
2007-06-03 15:12:28 -------- d-----w C:\Program Files\Verizon Games on Demand Player
2007-06-03 15:12:23 -------- d-----w C:\Program Files\QuickTime
2007-06-03 15:12:22 -------- d-----w C:\Program Files\OfficeUpdate11
2007-06-03 15:12:20 -------- d-----w C:\Program Files\Modem Helper
2007-06-03 15:12:19 -------- d-----w C:\Program Files\McAfee.com
2007-06-03 15:12:14 -------- d-----w C:\Program Files\Intel
2007-06-03 15:12:11 -------- d-----w C:\Program Files\Connection Wizard
2007-06-03 15:12:09 -------- d-----w C:\Program Files\Common Files\aolshare
2007-06-03 15:12:06 -------- d-----w C:\Program Files\America Online 9.0
2007-06-03 15:12:02 -------- d-----w C:\Program Files\myCleanerPC
2007-06-03 03:16:14 54,784 ----a-w C:\WINDOWS\bawiabh.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe


2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-09-04 16:26:07 720,562 ----a-w C:\Program Files\nero_photoshow_express_setup_intl_us.exe
2005-04-26 01:58:34 1,094,021 ----a-w C:\Program Files\dvdshrink32setup.zip
2005-04-24 01:35:04 615,152 ----a-w C:\Program Files\NetzeroSetup.exe
1989-12-12 14:10:10 326,352 --sh--r C:\WINDOWS\bawiabhA.exe
2005-10-19 03:18:19 28,173 --sha-w C:\WINDOWS\SYSTEM32\gebyx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2005-11-21 15:54 399424 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BDA388D-57BB-4F99-A2B4-99DF8A0E2BAC}]
C:\Program Files\ComPlus Applications\mewody83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 02:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-27 07:22 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
"P17Helper"="P17.dll" [2004-06-10 12:51 C:\WINDOWS\SYSTEM32\P17.dll]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-11-07 16:41]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-11-07 16:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-22 18:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [2005-06-28 15:23]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2003-10-14 05:15]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 07:22]
"Uaol"="C:\WINDOWS\CROSOF~1.NET\rundll.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\rterelehdu.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\WINDOWS\warnhp.html
FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyaab]
efcyaab.dll


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
C:\WINDOWS\system32\msorcl32.exe

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E02310B4E666}
C:\WINDOWS\system32\tmrsrv32.exe

Contents of the 'Scheduled Tasks' folder
2007-07-10 18:24:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-17 03:06:53 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 23:30:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-16 23:30:40 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 23:30
C:\ComboFix2.txt ... 2007-06-11 20:49

--- E O F ---

Scott5150
2007-07-17, 06:53
Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:36:46 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack This\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5BDA388D-57BB-4F99-A2B4-99DF8A0E2BAC} - C:\Program Files\ComPlus Applications\mewody83122.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\CROSOF~1.NET\rundll.exe" -vt yazb
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://verizon.exent.com/vzunlimited/classes/ExentCtl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: efcyaab - efcyaab.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

Thanks PS

pskelley
2007-07-17, 13:09
Hello Scott, you can see how bad this infection was from the combofix log, until the legal system does something about these folks, all we can do is plug away at them. Here is information for you.
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
http://www.malwarecomplaints.info/ <<< complain here

It looks like combofix did a great job with the junk, there is malware left, we will remove it manually and run a good scan to see how things are.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {5BDA388D-57BB-4F99-A2B4-99DF8A0E2BAC} - C:\Program Files\ComPlus Applications\mewody83122.dll (file missing)
O4 - HKCU\..\Run: [Uaol] "C:\WINDOWS\CROSOF~1.NET\rundll.exe" -vt yazb
(if you are positive the next item is safe in the TZ, you may leave it)
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O20 - Winlogon Notify: efcyaab - efcyaab.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\CROSOF~1.NET\ <<< delete that folder if there

C:\WINDOWS\system32\tmrsrv32.exe <<< delete that file

(this file may give you trouble, if it does use this tool and instructions)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

7) Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

8) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

Restart the computer and post the uninstall list, the report from the Kaspersky scan, a new HJT log and any comments you think will help. Let me know how the computer is running.

Thanks...Phil

Scott5150
2007-07-17, 18:55
I will have to do multiple replies again. Thanks for all your help.

Here is the Kapersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 17, 2007 11:38:55 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 17/07/2007
Kaspersky Anti-Virus database records: 340882
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 78978
Number of viruses found: 31
Number of infected objects: 207
Number of suspicious objects: 0
Duration of the scan process: 00:48:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0cb2472c99f005c6126760533c20ac5_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06032007-112645.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Scott\Desktop\backups\backup-20070611-225543-132.dll Infected: Packed.Win32.Klone.j skipped
C:\Documents and Settings\Scott\Desktop\backups\backup-20070611-225543-164.dll Infected: Packed.Win32.Klone.j skipped
C:\Documents and Settings\Scott\Desktop\backups\backup-20070611-225543-821.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\Documents and Settings\Scott\Desktop\backups\backup-20070611-225543-842.dll Infected: Packed.Win32.Klone.j skipped
C:\Documents and Settings\Scott\Desktop\backups\backup-20070611-225543-962.dll Infected: Packed.Win32.Klone.j skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\MSHist012007071720070718\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\JET950C.tmp Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\Perflib_Perfdata_acc.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Scott\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NetZero\BootExceptions.log Object is locked skipped
C:\Program Files\NetZero\ExecExceptions.log Object is locked skipped
C:\Program Files\NetZero\IspDblog.txt Object is locked skipped
C:\Program Files\NetZero\MainExceptions.log Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD8.tmp Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\Program Files\Movie Maker\qujawine.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\k11u72.exe.vir/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\k11u72.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\YazzleBundle-1549.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\w.exe.vir Infected: Trojan-Downloader.Win32.Agent.aie skipped
C:\QooBox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\B1\wr73.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\B2\st2.exe.vir Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\B5\z53.exe.vir Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cghvjarg.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\CURITY~1\smss.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.af skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\msdn_lib.dll.vir Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\reohhvcm.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rmuymrjg.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\T3\am67.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\T4\amst5.exe.vir Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tcdaeifa.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wmvds32.dll.vir Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\~.exe.vir Infected: Trojan-Downloader.Win32.VB.axs skipped
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\catchme2007-06-11_204841.23.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\QooBox\Quarantine\catchme2007-06-11_204841.23.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP598\A0040536.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP600\A0040578.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP600\A0040580.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP601\A0040625.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP601\A0040626.sys Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP601\A0040630.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041863.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041866.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041867.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041868.exe Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041870.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041871.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041872.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041873.exe Infected: Trojan.Win32.Small.ju skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041874.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041876.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP612\A0041883.dll Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP613\A0041899.exe Infected: Trojan-Downloader.Win32.VB.axs skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP613\A0041900.exe Infected: Trojan-Downloader.Win32.Agent.aie skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP613\A0041903.exe Infected: Trojan-Downloader.Win32.PurityScan.af skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP613\A0041905.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP613\A0041906.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP613\A0041909.exe Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP613\A0041911.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042678.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042679.exe Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042680.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042681.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042682.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042683.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042684.exe Infected: Trojan.Win32.StartPage.ahg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042685.exe Infected: Trojan.Win32.StartPage.ahg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042687.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP641\A0042700.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP642\A0042708.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP642\A0042724.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP644\A0042765.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP645\A0042772.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP645\A0042781.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP645\A0042787.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP646\A0042798.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP646\A0042808.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0042811.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP649\A0042837.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042849.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042853.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042853.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042855.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042855.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042872.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042873.exe Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042874.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042875.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042896.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042898.dll Infected: Trojan.Win32.BHO.o skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042901.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\A0042902.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP650\change.log Object is locked skipped
C:\VundoFix Backups\afjkqhod.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\bmiannkf.exe.bad Infected: Trojan.Win32.Agent.anr skipped
C:\VundoFix Backups\cocqymnj.exe.bad Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\VundoFix Backups\fcyirgig.exe.bad Infected: Trojan.Win32.Agent.anr skipped
C:\VundoFix Backups\hxtryjvv.dll.bad Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\VundoFix Backups\iyulgape.exe.bad Infected: Trojan.Win32.Small.ju skipped
C:\VundoFix Backups\j3211432.dll.bad Infected: Trojan-Clicker.Win32.Small.mw skipped
C:\VundoFix Backups\muwlaxmg.exe.bad Infected: Trojan.Win32.Small.ju skipped
C:\VundoFix Backups\rvqnduwu.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\vjqvoxoy.exe.bad Infected: Trojan.Win32.Agent.anr skipped
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll Infected: Virus.Win32.Nsag.b skipped
C:\WINDOWS\amwnmdo.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\bawiabh.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{441BD15D-FCA0-4E3B-B942-1D5BE814353D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\sysrlb32.exe Infected: Trojan.Win32.VB.azo skipped
C:\WINDOWS\SYSTEM32\akgrheli.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\aoihiqmt.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\auqdytrh.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\b10FdUe\b10FdUe1099.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\SYSTEM32\bnsadwli.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\bopjqxue.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\bpwhtooe.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\brikjfsn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\btyjrwql.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\buptabwn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\cawlmpct.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ccyjucrr.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cgrqgnot.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\chillwjn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cktofrji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

Scott5150
2007-07-17, 19:01
Here is the rest of the Kapersky:

C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\coqxdpuq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cxnykxtk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cyykwmes.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\dfewjtnt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\djajvmsg.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\dliwswvw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\duwqkpoh.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\eflnoybc.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\eslfcnux.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fcyiykrc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fgaaidgb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fidhldsn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fnostvjv.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fpvpefiv.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fyreulea.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gebyx.dll Infected: Trojan-Downloader.Win32.Agent.yf skipped
C:\WINDOWS\SYSTEM32\geofxaou.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gmciduwm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gnfylqgk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gpdvrlbd.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gwabwkog.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\hbekrkrm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\hgkjamal.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\hyibrkvy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ipfncxkk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ipnoihep.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\isymtnle.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jfoixhwm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jfutatme.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jlmamssm.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\jncqaufc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\joeefpls.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\jqxxddxw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kapmdxnx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kdvqecpy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\keifummk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kswmuqwu.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lubxtbio.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lvonpxjs.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lwlfdpul.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\mbvveqwj.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\miqfahst.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\msorcl32.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\WINDOWS\SYSTEM32\mywkephx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\negojtsf.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\nnjfkmkk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\nqdikcji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ohktwoxn.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\oiqexdpy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\omeoobnp.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\omrkvupf.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\oqdjudnt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\peggordo.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\pjwokpdy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\pjxaappc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qegfrkpq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qmeulast.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qmjloadd.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\SYSTEM32\qmucwpjx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qvggbvxa.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\reidwmiw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rrbaoihg.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rrhxyjwa.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rutmngdp.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\sbjvlpvo.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\stpohvji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\swjoepgl.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\syuqbyfc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\T1QaSQ\T1QaSQ1065.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\SYSTEM32\T6\amwr.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\WINDOWS\SYSTEM32\T9\zn531.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\SYSTEM32\tkdwsenn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tklabfcm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tkwwukqb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tmrsrv32.exe Infected: Trojan-Downloader.Win32.VB.avl skipped
C:\WINDOWS\SYSTEM32\TQ0\am52.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\SYSTEM32\twiykbek.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\uenlnlbp.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ugfgpkev.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\unnthjlq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\uxrfgjyy.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\vrjrxwsc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\vulwtcwu.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\vxruhqlb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wamadunj.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wemlwfev.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wllqgmet.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wvomxeoy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xaerqedq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xwaqyefs.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xysegugt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\yblimier.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Scott5150
2007-07-17, 19:12
Here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:50:35 AM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack This\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://verizon.exent.com/vzunlimited/classes/ExentCtl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

Scott5150
2007-07-17, 19:15
Here is the Uninstall. Computer seems to be working good. Thank you again with all your help.

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Photoshop Elements 3.0
Adobe Reader 6.0.1
Adobe Shockwave Player
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
Apple Software Update
ArcSoft Software Suite
Banctec Service Agreement
Canon PhotoRecord
Canon PIXMA iP4000
Canon Utilities Easy-PhotoPrint
Creative MediaSource
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Picture Studio v3.0
DellSupport
Draft Analyzer
DVD Shrink 3.2
Easy-WebPrint
ESPNMotion
GemMaster Mystic
Get High Speed Internet!
Google Earth
Google Toolbar for Internet Explorer
H&R Block Tax Offer
HijackThis 1.99.1
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java DB 10.2.2.0
Java(TM) 6 Update 2
Java(TM) SE Development Kit 6 Update 2
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
Macromedia Flash Player
MathPlayer
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Money 2005
Microsoft Picture It! Premium 10
Microsoft Streets and Trips 2005
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (2.0.0.4)
MSN
MSN Encarta Plus Support Files
MSN Messenger 6.1
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
Musicmatch® Jukebox
NetZero
NetZero Connection Wizard
Nikon Message Center
Otto
PartyPokerNet
PictureProject
PowerDVD 5.3
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer
Robin Hood: The Legend Of Sherwood Demo
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Series 24 Drill and Practice
Series 7 Drill and Practice
Shockwave
Sonic DLA
Sonic Encoders
Sonic MyDVD
Sonic RecordNow! Plus
Sonic Update Manager
Sound Blaster Live! 24-bit
Spybot - Search & Destroy 1.4
Stronghold Crusader
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Verizon Games on Demand Player
Verizon Online
Viewpoint Media Player
WinAntiSpyware 2007 4.0.193.0
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Yahoo! Anti-Spy
Yahoo! Toolbar

Scott5150
2007-07-17, 19:39
There's one thing unusual. Windows Defender detects one High Alert. When I hit Remove All it says "Windows Defender encountered an error 0x8007139f. The group or resource is not in the correct state to perform the requested action."

pskelley
2007-07-17, 20:14
Please take your time, read and follow the instructions carefully. Don't be concerned with Windows Defender just now, if I was a spyware program on this computer I would be screaming too.


Scott, this computer is still badly infected. Look at the Kaspersky results.
Number of viruses found: 31
Number of infected objects: 207

I am trying to figure the best way to kill this junk besides doing it manually. You have many problems in your C:\Windows\System32\ folder. I strongly suggest you keep this computer offline except when troubleshooting. This is going to take a while.

You have a load of junk backed up in backups, quarantines, System Restore, besides a load of other junk. Let's go after ths stuff slowly like this.

1) C:\Documents and Settings\Scott\Desktop\backups\ <<< start here, you should have moved this backup folder with the HJT.exe to here:
C:\Hijack This\hjt.exe.exe <<< if you moved backups it will be in the C:\Hijakc This\ folder, but check in both placed. Open that backup folder like this: Open HJT > Open Main Menu > View the list of backups > Delete All of those backups

2) C:\Program Files\Yahoo!\YPSR\Quarantine\ <<< delete everything that is in that quarantine folder

3) C:\QooBox\ <<< delete that folder, also delete combofix completely from your computer. We will download it again if we need it.

4) C:\System Volume Information\_restore These are your System Restore files and we will have to do this again later, please follow these directions:
System Restore does not know the good files from the bad. Bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

5) C:\VundoFix Backups\ <<< delete that folder, and remove any of the Vundofix tool that is still on your computer.

Please make sure you have followed the directions above completely, I believe from the looks of things that the infection was too massive for the tools to clean it at once. Many files are still showing in the System32 folder as I stated and we will probably need to delete them manually, but let's give the tools another chance.

Restart the computer and download combofix NEW and follow the directions.

6) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

7) I need to point out to you that this item: C:\WINDOWS\system32\tmrsrv32.exe is still in the log you just posted.
Logfile of HijackThis v1.99.1 Scan saved at 11:50:35 AM, on 7/17/2007
You may want to look at the delete on reboot instructions again, that item needs to go and I can't remove it for you from here.
Look at the log, you can not miss it.
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

8) Post the combofix results, once you have them posted...

9) Run another Kaspersky scan results and post those.

Thanks

Scott5150
2007-07-18, 02:29
One problem. I can't delete the C:\Windows\system32\wscntfy.exe file or the C:\Windows\system32\tmrsrv32.exe items. I get the following message: "Access is denied. Make sure the disk is not write protected and tha tthe file is not currently in use." Also, did you want me to delete C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe.

Here is the Combofix log:

Scott" - 2007-07-17 19:12:44 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\sl.bin


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-17 19:12 1,168,935 --a------ C:\ComboFix.exe
2007-07-17 10:28 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-17 10:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-16 23:10 <DIR> d-------- C:\HJT
2007-07-13 00:22 736,352 -r-hs---- C:\WINDOWS\amwnmdoA.exe
2007-07-13 00:22 54,784 --a------ C:\WINDOWS\amwnmdo.exe
2007-07-13 00:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\driver
2007-07-13 00:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\b10FdUe
2007-07-13 00:22 <DIR> d-------- C:\Temp\brr
2007-07-13 00:22 <DIR> d-------- C:\Temp\0c2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 03:24:52 -------- d-----w C:\Program Files\Movie Maker
2007-07-16 10:37:44 -------- d-----w C:\Program Files\NetZero
2007-07-13 04:22:47 49,152 ----a-w C:\WINDOWS\TISKY009.exe
2007-07-11 22:15:15 1,802 ----a-w C:\DOCUME~1\Scott\APPLIC~1\wklnhst.dat
2007-06-21 22:57:37 -------- d-----w C:\Program Files\Google
2007-06-18 00:25:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-18 00:25:39 -------- d-----w C:\Program Files\Dearborn
2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-06-12 03:08:37 2,938 ----a-w C:\WINDOWS\system32\tmp.reg
2007-06-12 02:41:31 4 ----a-w C:\WINDOWS\system32\stfv.bin
2007-06-12 00:27:51 18,432 ----a-w C:\WINDOWS\sysrlb32.exe
2007-06-09 17:28:54 10,240 ----a-w C:\WINDOWS\vxddsk.exe
2007-06-09 17:28:33 801 ----a-w C:\WINDOWS\system32\drivers\system_stable_header_small.gif
2007-06-09 17:28:33 567 ----a-w C:\WINDOWS\system32\drivers\users_rating.gif
2007-06-09 17:28:33 291 ----a-w C:\WINDOWS\system32\drivers\v.gif
2007-06-09 17:28:33 283 ----a-w C:\WINDOWS\system32\drivers\x.gif
2007-06-09 17:28:32 6,533 ----a-w C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
2007-06-09 17:28:32 579 ----a-w C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-06-09 17:28:32 15,075 ----a-w C:\WINDOWS\system32\drivers\system_stable_box.jpg
2007-06-09 17:28:32 1,636 ----a-w C:\WINDOWS\system32\drivers\system_stable_header.gif
2007-06-09 17:28:31 5,097 ----a-w C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-06-09 17:28:31 14,484 ----a-w C:\WINDOWS\system32\drivers\protect.gif
2007-06-09 17:28:31 13,618 ----a-w C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-06-09 17:28:31 1,139 ----a-w C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-06-09 17:28:30 841 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-06-09 17:28:30 4,557 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-06-09 17:28:30 10,260 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-06-09 17:28:30 1,804 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-06-09 17:28:29 811 ----a-w C:\WINDOWS\system32\drivers\download_btn.gif
2007-06-09 17:28:29 737 ----a-w C:\WINDOWS\system32\drivers\logo_bg.gif
2007-06-09 17:28:29 580 ----a-w C:\WINDOWS\system32\drivers\features.gif
2007-06-09 17:28:29 3,099 ----a-w C:\WINDOWS\system32\drivers\logo.gif
2007-06-09 17:28:28 746 ----a-w C:\WINDOWS\system32\drivers\buy_btn.gif
2007-06-09 17:28:28 50,250 ----a-w C:\WINDOWS\system32\drivers\pt.htm
2007-06-09 17:28:28 427 ----a-w C:\WINDOWS\system32\drivers\4_stars.gif
2007-06-09 17:28:28 365 ----a-w C:\WINDOWS\system32\drivers\5_stars.gif
2007-06-09 17:28:27 945 ----a-w C:\WINDOWS\system32\drivers\s_detect.htm
2007-06-09 17:28:27 6,575 ----a-w C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-06-09 17:28:27 6,373 ----a-w C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-06-09 17:28:26 64 ----a-w C:\WINDOWS\system32\drivers\close_icon.gif
2007-06-09 17:28:26 4,825 ----a-w C:\WINDOWS\system32\drivers\detect.htm
2007-06-09 17:28:26 360 ----a-w C:\WINDOWS\system32\drivers\header_bg.gif
2007-06-09 17:28:26 2,186 ----a-w C:\WINDOWS\system32\drivers\alert_icon.gif
2007-06-09 17:28:26 1,014 ----a-w C:\WINDOWS\system32\drivers\icon_warning.gif
2007-06-05 01:30:22 -------- d-----w C:\Program Files\Common Files\Scanner
2007-06-05 01:30:15 -------- d-----w C:\Program Files\Yahoo!
2007-06-03 15:26:22 -------- d-----w C:\Program Files\Windows Defender
2007-06-03 15:12:28 -------- d-----w C:\Program Files\Verizon Games on Demand Player
2007-06-03 15:12:23 -------- d-----w C:\Program Files\QuickTime
2007-06-03 15:12:22 -------- d-----w C:\Program Files\OfficeUpdate11
2007-06-03 15:12:20 -------- d-----w C:\Program Files\Modem Helper
2007-06-03 15:12:19 -------- d-----w C:\Program Files\McAfee.com
2007-06-03 15:12:14 -------- d-----w C:\Program Files\Intel
2007-06-03 15:12:11 -------- d-----w C:\Program Files\Connection Wizard
2007-06-03 15:12:09 -------- d-----w C:\Program Files\Common Files\aolshare
2007-06-03 15:12:06 -------- d-----w C:\Program Files\America Online 9.0
2007-06-03 15:12:02 -------- d-----w C:\Program Files\myCleanerPC
2007-06-03 03:16:14 54,784 ----a-w C:\WINDOWS\bawiabh.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-09-04 16:26:07 720,562 ----a-w C:\Program Files\nero_photoshow_express_setup_intl_us.exe
2005-04-26 01:58:34 1,094,021 ----a-w C:\Program Files\dvdshrink32setup.zip
2005-04-24 01:35:04 615,152 ----a-w C:\Program Files\NetzeroSetup.exe
1989-12-12 14:10:10 326,352 --sh--r C:\WINDOWS\bawiabhA.exe
2005-10-19 03:18:19 28,173 --sha-w C:\WINDOWS\SYSTEM32\gebyx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2005-11-21 15:54 399424 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-12-06 02:05 118842 --a------ C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-06-27 07:22 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
"P17Helper"="P17.dll" [2004-06-10 12:51 C:\WINDOWS\SYSTEM32\P17.dll]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 17:54]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-11-07 16:41]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-11-07 16:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-10-22 18:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [2005-06-28 15:23]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2003-10-14 05:15]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 07:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Movie Maker\rterelehdu.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\WINDOWS\warnhp.html
FriendlyName= Desktop Uninstall


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
C:\WINDOWS\system32\msorcl32.exe

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E02310B4E666}
C:\WINDOWS\system32\tmrsrv32.exe

Contents of the 'Scheduled Tasks' folder
2007-07-17 18:24:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-17 23:07:40 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-17 19:15:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-17 19:15:56
C:\ComboFix-quarantined-files.txt ... 2007-07-17 19:15

--- E O F ---

Scott5150
2007-07-18, 02:43
Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:36 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Hijack This\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://verizon.exent.com/vzunlimited/classes/ExentCtl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

The Kapersky is on the way shortly.

pskelley
2007-07-18, 02:47
One problem. I can't delete the C:\Windows\system32\wscntfy.exe file or the C:\Windows\system32\tmrsrv32.exe items. I get the following message: "Access is denied. Make sure the disk is not write protected and tha tthe file is not currently in use." Also, did you want me to delete C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe.
Please do not delete anything but the bad file, I simply posted it like that so you could see which file was bad, that is the reason I highlited it in red, so you could see where it is in the HJT log,

C:\WINDOWS\system32\tmrsrv32.exe <<< this is the file we need to delete. Once again, here is information about that file:
http://spywarefiles.prevx.com/RREHCD38818560/TMRSRV32.EXE.html
Did you read the information in that link?

That file must go, start like this:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\tmrsrv32.exe and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.


If you can not delete it with that tool then use these instructions to start your computer in safe mode:
http://spyware-free.us/tutorials/safemode/
Navigate to and delete the file when it is not running.


If you need it, read these instructions then download and use Killbox to remove it:
http://forum.malwareremoval.com/viewtopic.php?t=320


Post the Kaspersky scan results as soon and you have it, post a new HJT log as soon as tmrsrv32.exe has been deleted.

Thanks

Scott5150
2007-07-18, 03:27
Here is the Kapersky log. Thanks for all your help.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 17, 2007 8:25:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 18/07/2007
Kaspersky Anti-Virus database records: 341003
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 72321
Number of viruses found: 12
Number of infected objects: 116
Number of suspicious objects: 0
Duration of the scan process: 00:44:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0cb2472c99f005c6126760533c20ac5_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06032007-112645.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{43279B48-8ECB-4326-AA73-F7929FFC7E25} Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\MSHist012007071720070718\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\JETA354.tmp Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\Perflib_Perfdata_9c0.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\~DF5DD3.tmp Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Scott\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NetZero\BootExceptions.log Object is locked skipped
C:\Program Files\NetZero\ExecExceptions.log Object is locked skipped
C:\Program Files\NetZero\IspDblog.txt Object is locked skipped
C:\Program Files\NetZero\MainExceptions.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043124.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043126.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043129.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043130.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043131.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll Infected: Virus.Win32.Nsag.b skipped
C:\WINDOWS\amwnmdo.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\bawiabh.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{808478FC-0251-4282-AD06-5AFE129DBD79}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\sysrlb32.exe Infected: Trojan.Win32.VB.azo skipped
C:\WINDOWS\SYSTEM32\akgrheli.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\aoihiqmt.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\auqdytrh.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\b10FdUe\b10FdUe1099.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\SYSTEM32\bnsadwli.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\bopjqxue.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\bpwhtooe.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\brikjfsn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\btyjrwql.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\buptabwn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\cawlmpct.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ccyjucrr.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cgrqgnot.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\chillwjn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cktofrji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\coqxdpuq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cxnykxtk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cyykwmes.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\dfewjtnt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\djajvmsg.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\dliwswvw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\duwqkpoh.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\eflnoybc.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\eslfcnux.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fcyiykrc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fgaaidgb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fidhldsn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fnostvjv.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fpvpefiv.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fyreulea.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gebyx.dll Infected: Trojan-Downloader.Win32.Agent.yf skipped
C:\WINDOWS\SYSTEM32\geofxaou.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gmciduwm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gnfylqgk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gpdvrlbd.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gwabwkog.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\hbekrkrm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\hgkjamal.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\hyibrkvy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ipfncxkk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ipnoihep.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\isymtnle.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jfoixhwm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jfutatme.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jlmamssm.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\jncqaufc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\joeefpls.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\jqxxddxw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kapmdxnx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kdvqecpy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\keifummk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kswmuqwu.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lubxtbio.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lvonpxjs.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lwlfdpul.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\mbvveqwj.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\miqfahst.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\msorcl32.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\WINDOWS\SYSTEM32\mywkephx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\negojtsf.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\nnjfkmkk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\nqdikcji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ohktwoxn.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\oiqexdpy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\omeoobnp.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\omrkvupf.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\oqdjudnt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\peggordo.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\pjwokpdy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\pjxaappc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qegfrkpq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qmeulast.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qmjloadd.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\SYSTEM32\qmucwpjx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qvggbvxa.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\reidwmiw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rrbaoihg.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rrhxyjwa.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rutmngdp.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\sbjvlpvo.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\stpohvji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\swjoepgl.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\syuqbyfc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\T1QaSQ\T1QaSQ1065.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\SYSTEM32\T6\amwr.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\WINDOWS\SYSTEM32\T9\zn531.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\SYSTEM32\tkdwsenn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tklabfcm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tkwwukqb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tmrsrv32.exe Infected: Trojan-Downloader.Win32.VB.avl skipped
C:\WINDOWS\SYSTEM32\TQ0\am52.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\SYSTEM32\twiykbek.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\uenlnlbp.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ugfgpkev.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\unnthjlq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\uxrfgjyy.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\vrjrxwsc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\vulwtcwu.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\vxruhqlb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wamadunj.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wemlwfev.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wllqgmet.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wvomxeoy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xaerqedq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xwaqyefs.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xysegugt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\yblimier.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Scott5150
2007-07-18, 04:14
I believe tmrsrv32.exe is now gone. Here is the HJT log created after removing it. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 9:12:18 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Hijack This\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://verizon.exent.com/vzunlimited/classes/ExentCtl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)

pskelley
2007-07-18, 12:17
Thanks for your hard work and returning your information, and great job looks like a clean HJT log. I see Prevx in your log? Did you use that tool to remove tmrsrv32.exe or can you tell me what tool removed it. It was tough and I have not seen that trojan before.
Let's talk about Prevx a moment. I use it from time to time to remove tough malware and have even tried the trial on my computer to see how it runs. In my case it slowed my computer badly and I had to remove it so you may wish to uninstall that product unless you purchased it.

We still have problems with the Kaspersky scan: Number of infected objects: 116
We need to get that number to O Let me say I see what I count seven
(7) infected System Restore files. I believe these may be infected because of the new restore point established when you restarted System Restore, and we will have to do that again, but the balance of these files all appear to be in your C:\Windows\System32\ folder, and it won't do any good to clean System Restore until we remove those files. It appears combofix can't kill them (it can kill only files added and hackers keep coming up with new names)

It is not too hard to see the bad files and I am fairly certain they were all created by the Vundo infection. I am posting one so you can see what they look like:
C:\WINDOWS\SYSTEM32\rutmngdp.exe Infected: Trojan.Win32.Agent.ny skipped
Only the file name is different and random. I can post the list and you can delete them manually, but it may be easier to use Vundofix. I understand you tried Vundofix before at some point, and I don't know if you used it for this infection or not. I suggest you try it, run it again and again, my best guess is there are around 100 files that it must delete. I will also post the list for you to delete manually if you wish, just let me know. Please by sure you have removed the old Vundofix program and download it fresh from the link I provide. Atribune, the creator, is constantly adding new random files to the fix. Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

It appears the only way to see the files beside looking in the System32folder is Kaspersky. I suggest you keep count until you see Vundofix has removed about 100, or until it becomes obvious to you it will not remove more. Then run Kaspersky and post the log. We will remove what is left manually. I will also say I have removed probably 1000 or so of these Vundo infections and I have never seen one this bad.

Thanks...Phil

Scott5150
2007-07-18, 15:11
Thanks Phil.

I just ran the Vundofix and it said no infected files were found. Do you want me to post any logs or should I start to just manually remove the bad files. If so, please send them along. Thanks again. Scott

Scott5150
2007-07-18, 15:26
One other thing. I did use Prevx to remove the file.

pskelley
2007-07-18, 15:40
OK Scott, Kaspersky says they are there, so they are probably there. You may be able to delete them in normal mode, if not boot to safe mode and do it. Be careful, here is the list:

Most are files and a few are folder, I will code them in red for you.

C:\WINDOWS\$NtUninstallKB912812$\wininet.dll Infected
C:\WINDOWS\amwnmdo.exe
C:\WINDOWS\bawiabh.exe
C:\WINDOWS\sysrlb32.exe Infected: Trojan.Win32.VB.azo skipped
C:\WINDOWS\SYSTEM32\akgrheli.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\aoihiqmt.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\auqdytrh.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\b10FdUe\b10FdUe1099.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\SYSTEM32\bnsadwli.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\bopjqxue.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\bpwhtooe.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\brikjfsn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\btyjrwql.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\buptabwn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cawlmpct.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ccyjucrr.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cgrqgnot.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\chillwjn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cktofrji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\coqxdpuq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cxnykxtk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\cyykwmes.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\dfewjtnt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\djajvmsg.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\dliwswvw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\duwqkpoh.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\eflnoybc.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\eslfcnux.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fcyiykrc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fgaaidgb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fidhldsn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fnostvjv.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fpvpefiv.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\fyreulea.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gebyx.dll Infected: Trojan-Downloader.Win32.Agent.yf skipped
C:\WINDOWS\SYSTEM32\geofxaou.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gmciduwm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gnfylqgk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gpdvrlbd.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\gwabwkog.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\hbekrkrm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\hgkjamal.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\hyibrkvy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ipfncxkk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ipnoihep.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\isymtnle.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jfoixhwm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jfutatme.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\jlmamssm.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\jncqaufc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\joeefpls.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\jqxxddxw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kapmdxnx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kdvqecpy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\keifummk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\kswmuqwu.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lubxtbio.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lvonpxjs.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\lwlfdpul.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\mbvveqwj.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\miqfahst.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\msorcl32.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\WINDOWS\SYSTEM32\mywkephx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\negojtsf.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\nnjfkmkk.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\nqdikcji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ohktwoxn.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\oiqexdpy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\omeoobnp.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\omrkvupf.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\oqdjudnt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\peggordo.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\pjwokpdy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\pjxaappc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qegfrkpq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qmeulast.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qmjloadd.dll Infected: Packed.Win32.Klone.j skipped
C:\WINDOWS\SYSTEM32\qmucwpjx.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\qvggbvxa.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\reidwmiw.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rrbaoihg.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rrhxyjwa.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\rutmngdp.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\sbjvlpvo.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\stpohvji.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\swjoepgl.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\syuqbyfc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\T1QaSQ\T1QaSQ1065.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\SYSTEM32\T6\amwr.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\WINDOWS\SYSTEM32\T9\zn531.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\SYSTEM32\tkdwsenn.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tklabfcm.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tkwwukqb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\tmrsrv32.exe Infected: Trojan-Downloader.Win32.VB.avl skipped
C:\WINDOWS\SYSTEM32\TQ0\am52.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\WINDOWS\SYSTEM32\twiykbek.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\uenlnlbp.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\ugfgpkev.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\unnthjlq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\uxrfgjyy.exe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\SYSTEM32\vrjrxwsc.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\vulwtcwu.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\vxruhqlb.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wamadunj.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wemlwfev.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wllqgmet.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\wvomxeoy.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xaerqedq.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xwaqyefs.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\xysegugt.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\WINDOWS\SYSTEM32\yblimier.dll Infected: Trojan-Spy.Win32.Agent.kg skipped

Quite a mess of them, Kaspersky at least alphabetized them for you. Be careful not to delete any valid files, take your time. You should be able to highlite multiples and delete many at once, by holding down the shift key.

Restart and send a new Kaspersky report.

Thanks...Phil

Scott5150
2007-07-18, 23:53
Hi, I deleted the files and folders you highlighted. Here is the Kapersky. Thanks.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 18, 2007 4:49:35 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 18/07/2007
Kaspersky Anti-Virus database records: 342405
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 75754
Number of viruses found: 12
Number of infected objects: 116
Number of suspicious objects: 0
Duration of the scan process: 00:49:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0cb2472c99f005c6126760533c20ac5_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06032007-112645.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_EV-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_EV-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-03.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-03.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_RG-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_RG-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_TG-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_TG-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_VX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_VX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Application Data\Prevx\proc.cat Object is locked skipped
C:\Documents and Settings\Scott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{4ED88F4D-8675-4508-876A-2208AE4ABDD5} Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\MSHist012007071820070719\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\JETEF3D.tmp Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\Perflib_Perfdata_e20.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Scott\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NetZero\BootExceptions.log Object is locked skipped
C:\Program Files\NetZero\ExecExceptions.log Object is locked skipped
C:\Program Files\NetZero\IspDblog.txt Object is locked skipped
C:\Program Files\NetZero\MainExceptions.log Object is locked skipped
C:\Program Files\Prevx2\lclbrk.cache Object is locked skipped
C:\Program Files\Prevx2\log\px-log.txt Object is locked skipped
C:\Program Files\Prevx2\paws.cache Object is locked skipped
C:\Program Files\Prevx2\prevx.cache Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043124.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043126.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043129.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043130.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP653\A0043131.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP654\A0043159.exe Infected: Trojan-Downloader.Win32.VB.avl skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043218.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043219.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043220.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043221.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043222.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043223.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043224.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043225.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043226.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043227.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043228.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043229.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043230.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043231.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043232.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043233.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043234.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043235.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043236.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043237.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043238.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043239.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043240.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043241.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043242.dll Infected: Trojan-Spy.Win32.Agent.kg skipped

Scott5150
2007-07-18, 23:54
Here is the rest of the Kapersky. Thanks.

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043243.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043244.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043245.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043246.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043247.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043248.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043249.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043250.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043251.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043252.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043253.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043254.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043255.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043256.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043257.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043258.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043259.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043260.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043261.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043262.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043263.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043264.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043265.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043266.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043267.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043268.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043269.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043270.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043271.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043272.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043273.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043274.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043275.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043276.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043277.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043278.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043279.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043280.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043281.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043282.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043283.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043284.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043285.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043286.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043287.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043288.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043289.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043290.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043291.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043292.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043293.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043294.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043295.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043296.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043297.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043298.dll Infected: Packed.Win32.Klone.j skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043299.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043300.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043301.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043302.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043303.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043304.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043305.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043306.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043307.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043308.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043309.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043310.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043311.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043312.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043313.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043314.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043315.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043316.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043317.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043318.exe Infected: Trojan.Win32.Agent.ny skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043319.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043320.dll Infected: Trojan-Spy.Win32.Agent.kg skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043321.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043322.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043323.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043324.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\A0043325.exe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP657\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll Infected: Virus.Win32.Nsag.b skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{112B7533-82F6-4A51-B25F-18527239492A}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\gebyx.dll Infected: Trojan-Downloader.Win32.Agent.yf skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2007-07-19, 00:11
Thanks Scott, it looks like everything is in the System Restore files now, follow these directions:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
This is just a repeat in case these instructions help:

MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

another tutorial for System Restore
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Please follow these instructions once more:
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Be sure to choose SELECT ALL, I want to be positive Prefetch is cleaned. It might slow your computer for a boot or two until Windows repopulates the folder with needed files.

I know you must be tired of working on the computer, take the time you need, but once you clean System Restore I would appreciate it if you would restart your computer and scan then post a last Kaspersky, since we have come this far we might as well be positive you are clean. Let me know how the computer is performing also.

Thanks...Phil

Scott5150
2007-07-19, 01:23
Im running Kapersky right now. I am just glad you have been here to help. I have had to stay at home the past few days and Im psyched this much was done while I was at home. If I had been at work this would have taken a week. I really appreciate the help.

I don't think I mentioned it but I had been noticing that every time I shut down there was a box popping up just shut down that said updates were being made. It was always very fast. I tried to hit cancel every time I saw that happening but some times it happened too fast. I think it said something like "Shell con hidden." I assume that was part of the virus.

One other thing. My Windows Defender still identifies one High Alert that cannot be removed. I think I mentioned it yesterday. Not sure if that is an issue or not. I can give you the details on it if you think it would be helpful.

The Kapersky log will be done shortly.

Thanks again.

Scott

pskelley
2007-07-19, 01:54
OK Scott, I am hoping your computer can recover from this massive infection, we shall see.
What is important is that you give me these error messages exactly as they occur, word for word. I can not research them any other way.

A box pops up, exactly what the message is.
something like "Shell con hidden will not do it, I must have the exact message. Google is used to search most, but at times the Microsoft Knowledge Base is used. Neither will provide the resaults unless we search with the exact messages.
Windows Defender may have been damaged as well as other programs, and may require that it be uninstalled and reinstalled. We will tackle the issues as they come up as soon as we are sure the computer is free of the malware.

Thanks

Scott5150
2007-07-19, 03:17
Here is the Kaspersky log.

KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 18, 2007 8:15:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 19/07/2007
Kaspersky Anti-Virus database records: 342428
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73344
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:46:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a0cb2472c99f005c6126760533c20ac5_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\LOGS\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-06032007-112645.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_EV-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_EV-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-03.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_FP-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_GX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-01.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-02.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-03.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_PX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_RG-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_RG-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_TG-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_TG-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_VX-00.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\LDB_VX-Index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prevx\Local.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Application Data\Prevx\proc.cat Object is locked skipped
C:\Documents and Settings\Scott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{857F20C3-1542-4F46-B340-70CB774FB823} Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\MSHist012007071820070719\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\JET10E3.tmp Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temp\Perflib_Perfdata_b98.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Scott\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NetZero\BootExceptions.log Object is locked skipped
C:\Program Files\NetZero\ExecExceptions.log Object is locked skipped
C:\Program Files\NetZero\IspDblog.txt Object is locked skipped
C:\Program Files\NetZero\MainExceptions.log Object is locked skipped
C:\Program Files\Prevx2\lclbrk.cache Object is locked skipped
C:\Program Files\Prevx2\log\px-log.txt Object is locked skipped
C:\Program Files\Prevx2\paws.cache Object is locked skipped
C:\Program Files\Prevx2\prevx.cache Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP2\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll Infected: Virus.Win32.Nsag.b skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{43DB6126-DCAA-4CA8-AF58-8F1B736F6F55}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9ADCA5C9-BB5C-4C14-A26C-4503EA693315}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Media Ce.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\gebyx.dll Infected: Trojan-Downloader.Win32.Agent.yf skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2007-07-19, 03:56
KASPERSKY ONLINE SCANNER REPORT Wednesday, July 18, 2007 8:15:25 PM
Number of viruses found: 2
Number of infected objects: 2

It going to get a little tricky now, let's get rid of this one first:
C:\WINDOWS\SYSTEM32\gebyx.dll <<< delete that file. Either I missed it or you did, get it gone.

Now comes the tricky part, what we have now is something I have not done before either. We have an infected wininet.dll

I would like you to look here: C:\I386 <<< on the C:\ drive and tell me if you have that folder.

The first thing we will try is System File Checker, it will check all Windows Files looking for missing or corrupted files. I am hoping it will find this file and replace it. If you do not have the C:\I386 on your computer, you will need to have your Windows CD ready. I am hoping at that point Windows will see the corrupt file and ask you to insert the CD so it can install the clean file from the CD.

C:\WINDOWS\$NtUninstallKB912812$\wininet.dll Infected: Virus.Win32.Nsag.b skipped
http://www.google.com/search?hl=en&q=wininet.dll&btnG=Google+Search

Here are two tutorials to show you how to use SFC
http://dwightblackburn.com/winxp/
http://www.updatexp.com/scannow-sfc.html

I would also like to know if you remember trying to delete that file?
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll <<< this one?
I know it is an valid file but if it is infected it needs to be replaced.
Here are the scanners again, if you would like to scan to be sure it is infected:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Information about the file:
http://www.liutilities.com/products/wintaskspro/dlllibrary/wininet/

You will need all files and folders enabled to see that file. If you find it is infected, let's hope System File Checker will replace the bad one.
Make sure you let me know about the C:\I386, if it is there and SFC does not work, we may be able to use another tool that replaces an infected wininet.dll from that folder when it finds an infected one during the process of running the Smitfraudfix tool.

Keep me posted.

Thanks...Phil

Scott5150
2007-07-19, 06:15
I ran the system file checker. I got a message to insert a CD. Unfortunately I do not have a CD. I tried doing some of the things mentioned in the link you provided. Those didnt seem to help. The problem I have now is I cant seem to now get a status bar. I tried running again and am hoping I get the message that mentions what I need to insert. For whatever reason the box closed on me. I think it said I need to insert CD (2).

As for those gebyx.dll file I cant find it. I did a search and it still isnt showing. I did a search of the wininet.dll file and found three entries but none in the $NtUninstallKB912812$ folder. I couldn't find them when I was manually removing files and folders earlier.

As for the C:I386 folder, it is there.

Thanks,
Scott

Scott5150
2007-07-19, 06:16
One other thing. I have more information on that box that pops up when I log out. It is titled End Program and it says ShellConHidden..... I am given the option of cancelling it and do when given enough time. It only pops up for a couple of seconds. Thanks.

Scott5150
2007-07-19, 06:20
I just shut down and noticed one thing. The box is actually titled ShellconHiddenWi....

Scott5150
2007-07-19, 06:21
I ran SFC again after rebooting. The status bar has returned.

pskelley
2007-07-19, 13:03
Humm...you are positive you still have all files and folder enabled? Here is the link again if you need it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Where is your Windows CD? Could you have what is called a System Restore CD?
I would appreciate it if you look in that C:\I386 folder (those are backups of critical system files few folks know they have) scroll down to:
WININET.DLL and let me know that file is there, (remember if you ever use files in here always COPY the file NEVER cut it or you will move your backup) For now I just need to be assured it is there if we need it.

For whatever reason the box closed on me
If the SFC finds a missing or corrupt file, it will stop until you take action, if it does not it will continue to run until finished and then close.

The problem I have now is I cant seem to now get a status bar
What exactly are you talking about here? Is this the toolbar that runs across the bottom of the display which which contains the System Tray with the clock, etc. to your right?

Look for a PM from me also. I do not want to give to many instructions at once so as not to confuse both of us. I would like to know generally how the computer is running now that all of that junk was removed.

Thanks...Phil

Scott5150
2007-07-19, 20:08
I will be back at the computer tonight and let you know if the wininet.dll file is in I386 and the result of the SFC. My Dell computer didn't come with a Windows CD. I will check again to see if there was a System Restore CD.

As for the status bar, I meant the SFC status bar that lets you know how far along the scan is. It came back after I rebooted. Thanks. Scott

pskelley
2007-07-19, 21:09
http://dwightblackburn.com/winxp/
If you are talking about the "Windows File Protection"
Here: When the scan starts, you will see a progress bar.
That will remain visable as long as the scan is running and then close. You would have to start SFC again to see that box again.

My Dell computer didn't come with a Windows CD. I will check again to see if there was a System Restore CD.
That's a good thing, if we can not fix this, that will be one of your choices.

I just shut down and noticed one thing. The box is actually titled ShellconHiddenWi....
There has to be more to the message than that, is there anything you can click on to get more information. Here is the Google, you are not the first to see the message:
http://www.google.com/search?hl=en&q=ShellconHiddenWi....&btnG=Google+Search

Thanks

Scott5150
2007-07-20, 03:58
Shellconhiddenwi... is all I get for the message. I think Im all set with the progress bar issue. Thanks.

As for SFC, a box titled Windows File Protection popped up that reads: "Files that are required for Windows to run properly must be copied to the DLL Cache. Insert your Windows XP Professional CD2 now."

I checked my folder again and I do not have a Windows or restore CD. I have a card from Dell with the picture of a CD on it. At the top it says "Your new Computer does not require an operating system DR or drivers CDs. Instead, if you ever need to reinstall your software, use one of the following methods:

Microsoft Windows System Restore returns your computer to an earlier operating state without affecting data files. For more information, double click the Owner's Manual icon on your desktop.

Dell PC Restore returns your computer to its original operating state. For more information, double click the Owner's Manual icon on your computer.

To learn more about creating or obtaining a copy of your operating system CD or drivers for your computer, visit support.dell.com/pcrt."

I checked the I386 folder and the wininet.dll file is there. Thanks. Scott

pskelley
2007-07-20, 04:27
1) did you read the link I provided under the red Google? The first website offers suggestions, I just do not have the time to read those for you.

2) You realize what you can or can not do without a Windows CD or a System Restore Disk. I suggest you take this up with Dell.

3) System Restore would have done you no good, you would just have been putting the junk that was backed up in SR back on your computer. Now you may want to make sure you have a clean restore point, here is information:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx


I checked the I386 folder and the wininet.dll file is there.

4) One area that can get infected by the Zlob trojan aka Smitfraud is the wininet.dll When Smitfraudfix finds and infected wininet.dll it is supposed to replace the infected file with a clean one if there is one on the computer, which in your case there appears to be. Let's give the fix a try, follow only the posted instructions.

http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the C:\rapport.txt so I can see that report.

Add any other comments you think will help.

Thanks

Scott5150
2007-07-20, 04:35
Yes, I read shellconnhidden link. I am trying to see if I can fix. Thanks.

Here is the log:

SmitFraudFix v2.204

Scan done at 21:33:50.90, Thu 07/19/2007
Run from C:\Documents and Settings\Scott\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Scott


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Scott\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\scott\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Movie Maker\\rterelehdu.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Desktop Uninstall"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A53F4D88-25FD-4AAC-82D8-FEAAFC74534D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A53F4D88-25FD-4AAC-82D8-FEAAFC74534D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A53F4D88-25FD-4AAC-82D8-FEAAFC74534D}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-07-20, 13:38
Well...the Smitfraudfix does not show the item to be infected. I may cover some areas again.

This appears to be the only item in question, have you searched to see if it is there? Make sure all files and folders are enabled or it is probably hidden.

C:\WINDOWS\$NtUninstallKB912812$\wininet.dll

On my Windows XP Pro I have this folder: C:\WINDOWS\$NtUninstallKB912812-IE6SP1-20060322.182418$
In that folder I have this file: wininet.dll says it is an Internet Extension for Win32
It is a Microsoft Corporation file which is 562 KB.

You should have the same file in the same place (I think)
Would you check to see if is there and then scan that file to see if is infected.

http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Thanks

Scott5150
2007-07-21, 07:01
I found the file in C:\WINDOWS\$NtUninstallKB912812$. Below is the result of the scan I did using http://virusscan.jotti.org/. It looks like it's infected. Thanks. Scott


File: wininet.dll
Status: INFECTED/MALWARE
MD5: 09a3a03061ca8640db90519f2436a0cf
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 21 Jul 2007 03:56:22 (GMT)
A-Squared Found nothing
AntiVir Found W32/Nsag.B
ArcaVir Found Trojan.Callgate.Oleadm.3
Avast Found Win32:Nsag-B
AVG Antivirus Found Win32/Nsag
BitDefender Found Trojan.WininetHook.A
ClamAV Found W32.Nsag.B
CPsecure Found W32.Nsag.B
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found W32/Oleadm.B
F-Secure Anti-Virus Found Virus.Win32.Nsag.b
Fortinet Found W32/Nsag.B
Kaspersky Anti-Virus Found Virus.Win32.Nsag.b
NOD32 Found Win32/Oleloa.gen
Norman Virus Control Found W32/Nsag.B
Panda Antivirus Found W32/Smitfraud.D
Rising Antivirus Found Trojan.SpyWare.j
Sophos Antivirus Found Troj/AleSpy-O
VirusBuster Found Win32.NSag.C
VBA32 Found Virus.Win32.Nsag.b

pskelley
2007-07-21, 14:52
Thanks for that information, now you see the importance of being able to use SFC and having a Windows CD. I own two Dells, but I will not purchase another unless I am supplied with my own copy. I have restore disks but that does not make me happy.

I also must say that fixing this infected file may not end your troubles, but it sure must be fixed. You must remember what I said about making a copy of the file in C:\I386. You can try this first.
Please also keep in mind, I am a novice at what we are doing right now. I know what should be done, just have never had to do it by remote repair.

Navigate to C:\I386 then to WININET.DLL and point the mouse at that file. Right click the mouse and choose COPY. Now navigate to the C:\WINDOWS\$NtUninstallKB912812$\ folder and point your mouse at a blank spot and choose paste. IF you get a message about "you already have that file do you want to replace it" or something like that, then click YES.
If you do not, then you MUST delete the old file. Make sure you know where it is and the size should be your clue, remember I said: It is a Microsoft Corporation file which is 562 KB.
Before you even start, mouse over the infected file to see the size, it is not going to be the same because it has been modified. The hackers will not be that good.

Best I can say it, the bad file MUST be deleted and a COPY of the clean file from your C:\I386 must be put in it's place (it must be deleted). If need be, navigate to safe mode and do this when nothing but basic drivers are running:
http://spyware-free.us/tutorials/safemode/

When this has been accomplished, scan for and post a new HJT log and we will figure out where to go from there.
Did you get the PM I sent you? I go not remember getting a reply to it?

Thanks...Phil

Scott5150
2007-07-21, 17:02
The wininet I have in I386 is 641 Kb. Is that OK? I did click replace the old one in C:\WINDOWS\$NtUninstallKB912812$\. Should I undo or should I go ahead and do the HJT log at this time? Thanks. Scott

pskelley
2007-07-21, 17:30
Scott, that worries me a little, you have XPPro...correct? And I have XPPro. I would think they would be the same size. Could you scan this file:

The wininet I have in I386 is 641 Kb to make sure it is not infected. If it is we have a problem, we have no clean file to use.

Thanks

Scott5150
2007-07-21, 17:46
Here it is. Seems to look good. Thanks.

Service load: 0% 100%

File: wininet.dll
Status: OK
MD5: cba65b573c66fe23f647ff96e3a10994
Packers detected: -
Bit9 reports: No threat detected (more info)

Scanner results
Scan taken on 21 Jul 2007 14:41:05 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Scott5150
2007-07-21, 19:40
Here's a new HJT. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:09 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Hijack This\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://verizon.exent.com/vzunlimited/classes/ExentCtl.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)

pskelley
2007-07-21, 20:16
This is a clean HJT log. Unless Prevx does not slow your computer dramatically like it did mine, and you want to benefit from the trial period, I would uninstall that program.

Let me have some feedback now...

Thanks

Scott5150
2007-07-21, 21:37
The computer is working well. I don't really have anything that seems to be not working properly. I really appreciate the help on this, you did a great job and your instructions were always easy to understand, even for a relative novice such as myself.

Prevx doesnt seem to really slow my computer down. It is running pretty quick. Do you have any reccommendations about staying uninfected. Thanks.

Scott

pskelley
2007-07-21, 23:08
Sounds good Scott:bigthumb: do remember once the trial is over Prevx should be uninstalled or at least turned off so it uses no resources.
Make sure you remove all of the programs we downloaded for the cleanup. You may keep ATF-Cleaner if you wish, it is a nice small program.
Your questions should all be answered in the information I am about to post, if not, let me know.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.