View Full Version : DriveCleaner 2006, and Virtumonde
Ive been having issues removing DriveCleaner 2006, and Virtumonde from my computer, please help, Here is my log file, removal of any unneeded material would be great to thanks.
Logfile of HijackThis v1.99.1
Scan saved at 7:38:56 AM, on 8/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\SCIENC~1\MYDOCU~1\ASEMBL~1\winword.exe
C:\Program Files\?ecurity\e?plorer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Science Wiz\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\ehhfppyy.dll",forkonce
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Petp] "C:\DOCUME~1\SCIENC~1\MYDOCU~1\ASEMBL~1\winword.exe" -vt yazb
O4 - HKCU\..\RunOnce: [SpybotDeletingD3137] cmd /c del "C:\WINDOWS\system32\qwerty12.exe_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6938] command /c del "C:\WINDOWS\system32\qwerty12.exe_tobedeleted_old"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYJIUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
BTW I am also having a serious issua at start-up, sometimes, in fact, alot of the time, my system will reboot when it reaches the screen when it says "Now loading your personal settings", but this doesnt happen in safe mode. This could have something to do with something that load in start-up, any help would be greatly appreciated.
Hi
1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply with a fresh hjt log.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall
ComboFix 07-08-09.3 - "Science Wiz" 2007-08-10 23:40:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.726 [GMT -7:00]
((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))
2007-08-10 21:29 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-08-10 18:10 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-08-10 18:10 33,470 --a------ C:\WINDOWS\DIIUnin.dat
2007-08-10 18:10 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-08-10 16:03 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-10 14:38 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-08-10 12:49 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-10 12:49 <DIR> d-------- C:\NVIDIA
2007-08-10 08:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 08:26 <DIR> d-------- C:\VundoFix Backups
2007-08-09 22:03 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-08-09 21:49 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-09 21:09 <DIR> d-------- C:\ATI
2007-08-09 20:55 75,328 --a------ C:\WINDOWS\system32\vseknmtv.exe
2007-08-09 20:47 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-08-09 20:34 53,248 --a------ C:\WINDOWS\system32\spoolsv.exe
2007-08-09 20:06 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-09 20:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-09 20:02 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-09 20:01 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-08-09 20:01 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-08-09 20:01 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-08-09 20:01 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-08-09 20:01 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-08-09 20:01 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-08-09 20:00 16,384 --a------ C:\WINDOWS\system32\linkinfo.dll
2007-08-09 19:59 68,608 --a------ C:\WINDOWS\system32\olecli32.dll
2007-08-09 19:59 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2007-08-09 19:59 581,632 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-08-09 19:59 535,552 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-08-09 19:59 497,152 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-08-09 19:59 276,992 --a------ C:\WINDOWS\system32\rpcss.dll
2007-08-09 19:59 227,328 --a------ C:\WINDOWS\system32\es.dll
2007-08-09 19:59 220,672 --a------ C:\WINDOWS\system32\catsrv.dll
2007-08-09 19:59 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll
2007-08-09 19:59 1,179,136 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-08-08 10:30 75,328 --a------ C:\WINDOWS\system32\rtqaecep.exe
2007-08-07 22:29 1,728,633 ---hs---- C:\WINDOWS\system32\gjjjl.bak1
2007-08-07 22:18 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Webroot
2007-08-07 22:02 786,432 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-08-03 22:31 <DIR> d-------- C:\DOCUME~1\SCIENC~1\Jeremy
2007-08-01 16:40 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-01 16:40 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-01 16:40 20,480 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-01 16:40 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-01 16:40 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-01 16:40 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-01 16:14 3,932,160 --a------ C:\DOCUME~1\SCIENC~1\ntuser.dat
2007-08-01 16:14 1,310,720 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-08-01 06:34 1,737,955 ---hs---- C:\WINDOWS\system32\dffii.bak2
2007-07-30 18:33 1,733,915 ---hs---- C:\WINDOWS\system32\dffii.bak1
2007-07-30 18:30 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-30 18:30 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-30 18:30 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-30 18:30 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-07-30 09:28 9,769 --a------ C:\WINDOWS\gqjeu0578.exe
2007-07-30 09:03 6,467 ---hs---- C:\WINDOWS\system32\lmoqr.bak1
2007-07-29 18:31 1,734,278 ---hs---- C:\WINDOWS\system32\uuxbc.bak1
2007-07-29 18:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-07-29 18:26 192,596 --a------ C:\WINDOWS\system32\twinsndt.exe
2007-07-29 18:25 <DIR> d-------- C:\Temp
2007-07-25 01:48 <DIR> d-------- C:\DOCUME~1\SCIENC~1\APPLIC~1\acccore
2007-07-25 01:46 <DIR> d-------- C:\Program Files\Viewpoint
2007-07-25 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-07-25 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-07-25 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-07-25 01:45 335 --a------ C:\WINDOWS\nsreg.dat
2007-07-25 01:45 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-07-25 01:45 <DIR> d-------- C:\Program Files\AIM6
2007-07-25 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-23 15:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-23 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-23 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-20 19:09 1,310,720 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat
2007-07-16 17:02 <DIR> d-------- C:\DOCUME~1\SCIENC~1\APPLIC~1\Ventrilo
2007-07-16 16:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-10 19:01 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-10 18:56 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-08-10 18:56 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-08-10 18:56 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-08-10 13:56 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-10 08:55 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-10 07:59 --------- d-------- C:\Program Files\Messenger
2007-08-07 12:35 --------- d-------- C:\DOCUME~1\SCIENC~1\APPLIC~1\U3
2007-07-23 11:16 --------- d-------- C:\Program Files\MSN Messenger
2007-07-18 09:49 707 --a------ C:\Program Files\INSTALL.LOG
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43 6807328 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2007-06-11 10:42 --------- d-------- C:\Program Files\IncrediMail
2003-12-18 11:33 20102 --a------ C:\Program Files\Readme.txt
2003-09-03 07:46 10960 --a------ C:\Program Files\EULA.txt
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E06E1B90-6258-45D8-A4FC-0DD1EFB5353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-06-29 00:43]
"Cmaudio"="cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"domino"="C:\WINDOWS\domino.exe" [2006-07-04 15:16]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006-07-17 12:27]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 03:41]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-17 17:14]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-08-23 05:00 C:\WINDOWS\system32\rundll32.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 14:17]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuu]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjg]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"Themes"=2 (0x2)
R0 sfsync04;StarForce Protection Synchronization Driver (version 4.x);C:\WINDOWS\System32\drivers\sfsync04.sys
R0 SSFS0509;Spy Sweeper File System Filer Driver: 0509;C:\WINDOWS\System32\Drivers\SSFS0509.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\System32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\System32\Drivers\SSIDRV.SYS
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\System32\drivers\prodrv04.sys
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\System32\drivers\cmuda.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\System32\Drivers\sskbfd.sys
R3 ZSMC301b;Vimicro USB PC Camera(ZC0301PL);C:\WINDOWS\System32\Drivers\usbVM31b.sys
S3 cdrmkaun;cdrmkaun;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\cdrmkaun.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\WINDOWS\System32\drivers\dump_wmimmc.sys
S3 rndistap;rndistap;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\rndistap.sys
S3 rraspppo;rraspppo;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\rraspppo.sys
S3 ymsdv;ymsdv;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\ymsdv.sys
Contents of the 'Scheduled Tasks' folder
2007-08-07 11:00:57 C:\WINDOWS\Tasks\wrSpySweeper20060611134626.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 23:42:17
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-10 23:43:19
C:\ComboFix-quarantined-files.txt ... 2007-08-10 23:42
C:\ComboFix2.txt ... 2007-08-10 09:10
--- E O F ---
Hi
Upload following files to VirusTotal (http://www.virustotal.com):
C:\Documents and settings\Science Wiz\Local settings\Temp\cdrmkaun.sys
C:\Documents and settings\Science Wiz\Local settings\Temp\rndistap.sys
C:\Documents and settings\Science Wiz\Local settings\Temp\rraspppo.sys
C:\Documents and settings\Science Wiz\Local settings\Temp\ymsdv.sys
and post back the results. Post also a fresh hjt log. :)
Logfile of HijackThis v1.99.1
Scan saved at 3:25:59 PM, on 8/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Science Wiz\Desktop\Hijack This\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E06E1B90-6258-45D8-A4FC-0DD1EFB5353A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYJIUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186757215116
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: cbxuu - C:\WINDOWS\
O20 - Winlogon Notify: ljjjg - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
For the uploader, I uploaded each of the four files with result as follows:
0 bytes size received / Se ha recibido un archivo vacio
0 bytes size received / Se ha recibido un archivo vacio
0 bytes size received / Se ha recibido un archivo vacio
0 bytes size received / Se ha recibido un archivo vacio
Hi
For the uploader, I uploaded each of the four files with result as follows:
0 bytes size received / Se ha recibido un archivo vacio
0 bytes size received / Se ha recibido un archivo vacio
0 bytes size received / Se ha recibido un archivo vacio
0 bytes size received / Se ha recibido un archivo vacio
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Can you see these files
C:\Documents and settings\Science Wiz\Local settings\Temp\cdrmkaun.sys
C:\Documents and settings\Science Wiz\Local settings\Temp\rndistap.sys
C:\Documents and settings\Science Wiz\Local settings\Temp\rraspppo.sys
C:\Documents and settings\Science Wiz\Local settings\Temp\ymsdv.sys ?
If yes, try uploading them again.
Remove thru add/remove programs following entry (if found):
My Web Search (may be a bit differently written)
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\vseknmtv.exe
C:\WINDOWS\system32\rtqaecep.exe
C:\WINDOWS\system32\gjjjl.bak1
C:\WINDOWS\system32\dffii.bak2
C:\WINDOWS\system32\dffii.bak1
C:\WINDOWS\gqjeu0578.exe
C:\WINDOWS\system32\lmoqr.bak1
C:\WINDOWS\system32\uuxbc.bak1
C:\WINDOWS\system32\twinsndt.exe
Folder::
C:\VundoFix Backups
C:\Temp
C:\PROGRA~1\MYWEBS~1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E06E1B90-6258-45D8-A4FC-0DD1EFB5353A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuu]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
Save this as
CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post:
-the resultant log
-a fresh hjt log.
ComboFix 07-08-09.3 - "Science Wiz" 2007-08-12 17:01:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.600 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Science Wiz\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\vseknmtv.exe
C:\WINDOWS\system32\rtqaecep.exe
C:\WINDOWS\system32\gjjjl.bak1
C:\WINDOWS\system32\dffii.bak2
C:\WINDOWS\system32\dffii.bak1
C:\WINDOWS\gqjeu0578.exe
C:\WINDOWS\system32\lmoqr.bak1
C:\WINDOWS\system32\uuxbc.bak1
C:\WINDOWS\system32\twinsndt.exe
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Temp
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\adfhk.bak1.bad
C:\VundoFix Backups\adfhk.bak2.bad
C:\VundoFix Backups\adfhk.ini.bad
C:\VundoFix Backups\auvqxvuq.dll.bad
C:\VundoFix Backups\caofqwgw.dll.bad
C:\VundoFix Backups\ehhfppyy.dll.bad
C:\VundoFix Backups\khfda.dll.bad
C:\VundoFix Backups\nnnkklj.dll.bad
C:\VundoFix Backups\quvxqvua.ini.bad
C:\VundoFix Backups\taveeeqg.dll.bad
C:\VundoFix Backups\wvutrpp.dll.bad
C:\VundoFix Backups\yayvvtq.dll.bad
C:\VundoFix Backups\yayvwvs.dll.bad
C:\VundoFix Backups\yyppfhhe.ini.bad
C:\WINDOWS\gqjeu0578.exe
C:\WINDOWS\system32\dffii.bak1
C:\WINDOWS\system32\dffii.bak2
C:\WINDOWS\system32\gjjjl.bak1
C:\WINDOWS\system32\lmoqr.bak1
C:\WINDOWS\system32\rtqaecep.exe
C:\WINDOWS\system32\twinsndt.exe
C:\WINDOWS\system32\uuxbc.bak1
C:\WINDOWS\system32\vseknmtv.exe
((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))
2007-08-10 21:29 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2007-08-10 18:10 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2007-08-10 18:10 33,470 --a------ C:\WINDOWS\DIIUnin.dat
2007-08-10 18:10 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2007-08-10 16:03 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-10 14:38 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-08-10 12:49 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-10 12:49 <DIR> d-------- C:\NVIDIA
2007-08-10 08:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 22:03 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-08-09 21:49 <DIR> d-------- C:\Program Files\ATI Technologies
2007-08-09 21:09 <DIR> d-------- C:\ATI
2007-08-09 20:47 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-08-09 20:34 53,248 --a------ C:\WINDOWS\system32\spoolsv.exe
2007-08-09 20:06 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-09 20:02 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-09 20:02 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-08-09 20:01 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-08-09 20:01 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-08-09 20:01 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-08-09 20:01 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-08-09 20:01 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-08-09 20:01 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-08-09 20:00 16,384 --a------ C:\WINDOWS\system32\linkinfo.dll
2007-08-09 19:59 68,608 --a------ C:\WINDOWS\system32\olecli32.dll
2007-08-09 19:59 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2007-08-09 19:59 581,632 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-08-09 19:59 535,552 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-08-09 19:59 497,152 --a------ C:\WINDOWS\system32\clbcatq.dll
2007-08-09 19:59 276,992 --a------ C:\WINDOWS\system32\rpcss.dll
2007-08-09 19:59 227,328 --a------ C:\WINDOWS\system32\es.dll
2007-08-09 19:59 220,672 --a------ C:\WINDOWS\system32\catsrv.dll
2007-08-09 19:59 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll
2007-08-09 19:59 1,179,136 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-08-07 22:18 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Webroot
2007-08-07 22:02 786,432 --ah----- C:\DOCUME~1\Guest\NTUSER.DAT
2007-08-03 22:31 <DIR> d-------- C:\DOCUME~1\SCIENC~1\Jeremy
2007-08-01 16:40 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-08-01 16:40 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-08-01 16:40 20,480 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-01 16:40 20,480 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-01 16:40 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-08-01 16:40 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-08-01 16:14 3,932,160 --a------ C:\DOCUME~1\SCIENC~1\ntuser.dat
2007-08-01 16:14 1,310,720 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-07-30 18:30 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-07-30 18:30 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-07-30 18:30 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-30 18:30 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-07-29 18:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-07-25 01:48 <DIR> d-------- C:\DOCUME~1\SCIENC~1\APPLIC~1\acccore
2007-07-25 01:46 <DIR> d-------- C:\Program Files\Viewpoint
2007-07-25 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-07-25 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-07-25 01:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-07-25 01:45 335 --a------ C:\WINDOWS\nsreg.dat
2007-07-25 01:45 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-07-25 01:45 <DIR> d-------- C:\Program Files\AIM6
2007-07-25 01:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-07-23 15:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-23 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-23 15:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-20 19:09 1,310,720 --a------ C:\DOCUME~1\NETWOR~1\ntuser.dat
2007-07-16 17:02 <DIR> d-------- C:\DOCUME~1\SCIENC~1\APPLIC~1\Ventrilo
2007-07-16 16:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-12 15:59 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-08-12 01:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-10 18:56 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-08-10 18:56 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-08-10 18:56 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-08-10 08:55 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-10 07:59 --------- d-------- C:\Program Files\Messenger
2007-08-07 12:35 --------- d-------- C:\DOCUME~1\SCIENC~1\APPLIC~1\U3
2007-07-23 11:16 --------- d-------- C:\Program Files\MSN Messenger
2007-07-18 09:49 707 --a------ C:\Program Files\INSTALL.LOG
2007-06-29 01:54 356352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 753664 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6807328 --a--c--- C:\WINDOWS\system32\dllcache\nv4_mini.sys
2007-06-29 00:43 6807328 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-06-29 00:43 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-06-29 00:43 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-06-29 00:43 2854912 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2007-06-29 00:43 2416640 --a------ C:\WINDOWS\system32\nvwssr.dll
2007-06-29 00:43 2330624 --a------ C:\WINDOWS\system32\nvwss.dll
2007-06-29 00:43 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2007-06-29 00:43 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2007-06-29 00:43 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe
2007-06-29 00:43 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-06-29 00:43 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43 1142784 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-06-29 00:43 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll
2007-06-29 00:43 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43 1018772 --a------ C:\WINDOWS\system32\nvucode.bin
2003-12-18 11:33 20102 --a------ C:\Program Files\Readme.txt
2003-09-03 07:46 10960 --a------ C:\Program Files\EULA.txt
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 05:00 C:\WINDOWS\system32\rundll32.exe]
"Cmaudio"="cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"domino"="C:\WINDOWS\domino.exe" [2006-07-04 15:16]
"VMSnap1"="C:\WINDOWS\VMSnap1.exe" [2006-07-17 12:27]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 03:41]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-11-17 17:14]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-08-23 05:00 C:\WINDOWS\system32\rundll32.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 14:17]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"Themes"=2 (0x2)
R0 sfsync04;StarForce Protection Synchronization Driver (version 4.x);C:\WINDOWS\System32\drivers\sfsync04.sys
R0 SSFS0509;Spy Sweeper File System Filer Driver: 0509;C:\WINDOWS\System32\Drivers\SSFS0509.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\System32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\System32\Drivers\SSIDRV.SYS
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\System32\drivers\prodrv04.sys
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\System32\drivers\cmuda.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\System32\Drivers\sskbfd.sys
R3 ZSMC301b;Vimicro USB PC Camera(ZC0301PL);C:\WINDOWS\System32\Drivers\usbVM31b.sys
S3 cdrmkaun;cdrmkaun;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\cdrmkaun.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\WINDOWS\System32\drivers\dump_wmimmc.sys
S3 rndistap;rndistap;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\rndistap.sys
S3 rraspppo;rraspppo;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\rraspppo.sys
S3 ymsdv;ymsdv;\??\C:\DOCUME~1\SCIENC~1\LOCALS~1\Temp\ymsdv.sys
Contents of the 'Scheduled Tasks' folder
2007-08-11 11:00:19 C:\WINDOWS\Tasks\wrSpySweeper20060611134626.job - C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 17:05:37
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-12 17:10:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 17:09
C:\ComboFix2.txt ... 2007-08-10 23:43
C:\ComboFix3.txt ... 2007-08-10 09:10
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 5:17:05 PM, on 8/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Science Wiz\Desktop\Hijack This\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYJIUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186757215116
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
Did you find those four files?
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please do an online scan with
Kaspersky
WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
The program will launch and then begin downloading the latest
definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise
Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been
infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post with a fresh hjt log.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
If having a problme doing the above
Make sure that your Internet security settings are set to default values.
To set default security settings for Internet Explorer:
* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 12, 2007 11:37:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 13/08/2007
Kaspersky Anti-Virus database records: 379216
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 27776
Number of viruses found: 15
Number of infected objects: 21
Number of suspicious objects: 2
Duration of the scan process: 00:43:14
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS02A084C8-9CFA-4658-BD14-CA4DC298CE45.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS04D130EB-91C2-4428-8E0C-69CDC65B7735.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS05D17FAD-E054-4F47-8D49-B601CC07515B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS06A9271E-8D28-4FCA-A4B8-D0DAA62A5146.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0705965E-E647-42B3-9545-F0B19EADFF8D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS07B2F59E-39E4-4AC4-9D67-4CB94A2ED4E6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS07B5211A-7C1F-4FC8-9DE9-08AB1B80295D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS095D97BF-A1C0-4DA0-856F-874F16E58781.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0B976BA5-C4D7-4474-9E86-DC9584183C9E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS163E9A20-F59D-433D-894C-BA8226AF9400.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1E655D24-3A37-440D-9384-9D67F4B16A2A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1EA84E0E-750D-43EE-B4F5-5EE57E6071A5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1FEC999D-BABD-4D29-B9B7-68BFFF9FD5D9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS21C5E251-3856-448F-AC35-5462D11CB1C9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS227A2F7A-3B39-44A7-992B-DDA9E3EC0F74.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS26F16498-7BE7-440C-9F53-CAB66B40CD83.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS287CCA75-ABD2-4B51-9570-C58DAEB81796.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2CFEC76B-C26D-4F76-8C6D-38C09773B37F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS31598F4C-4AA7-452C-BC00-BC1263E80681.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS32417F90-F5FF-48D6-8C3D-FCF784635F14.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3371EF43-031C-47FD-99E0-86F8158E6853.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3AB9BF70-C421-4F04-9E8B-27B5EE332514.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3B0F7C1A-5812-47CB-9E29-B50137458371.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3D176B3C-9BC8-4F2E-BF72-532B090C8074.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3EEBDEBE-C1CE-41C0-884E-DA60B8506833.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3F57B52F-E64A-4FF3-8A46-C68F0513C16B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4631231B-47F5-4476-A1A8-7F28AD591C22.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS46319407-5D51-4AA2-B906-3CE62DAD3832.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS47F8B5AC-F390-43BF-9365-BE5EF08C96EE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4811AE7B-AF86-4E5A-BD36-30AD89133424.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4BD493F9-A2D8-4796-BEC0-AA3D67AD475D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4CC4DD63-6F11-479A-A434-C1A633CEB7A0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4D3DDF07-C771-45F0-A4C2-33B16FC36BEC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4EB887CE-E34B-42E8-9D41-16B46A0C54EA.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS50A85A6C-03DC-49FE-8813-E849350AE90F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5141787C-0F63-4B8E-B9C3-A1D887F6E494.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5A916DD6-11C1-400C-B744-ACF3EE2FFB2A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5D40F773-ADE9-4EB9-AE08-B148A4343C9A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5E05677F-339D-4E8C-B05C-F229524AB69B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS60BC90FC-21AE-4F55-A894-A70C1A104148.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6671D24B-F06A-4004-886E-46BD98228513.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6B815CBF-F673-4E23-A382-DDDC431EDED4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS70F7CCCC-32C1-49BA-A7E9-B8DB8C4EF36E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS74E2B635-EF04-469B-A91C-13E3E26B734E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7A58A3F4-A42E-4FA8-AE35-7C403650D811.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7DEDF671-2B9A-4EE3-8911-3FF684BDAE3D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7E98F1F5-2CA0-46D5-8CB4-8D0243157A08.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS83EBEB88-C503-401D-B7F3-5A0C9D905C29.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS848F5DCC-4B3A-45BF-8412-8A1E2F9DACB4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8498F1C5-34FE-453D-8E76-8FE239D431C5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS859BEA0B-2F04-4132-A4EF-6111135E38DB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8801B9CE-359B-4D9D-A548-F8AAE6527F3A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS899FEF50-E7B7-45B2-876B-17D7EC23AE4F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8A29B3E2-3D89-48C1-B1CA-A1B6CFD0EFAE.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8B1F4769-F873-48A6-8D64-04F18ECDE30F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8D4A5257-88DD-4FE1-AF85-B07D2277AEA8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS907E4D47-C5FB-4BA4-887D-45A6CFC5F045.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS942E2287-6700-4DD2-ADBF-0EE7782A170E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS98B78C61-D0E2-463A-A5A7-60FB13FAB8F4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA2FD882B-7060-4C59-BDBC-B60F7894BE42.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA3D29D85-FD59-4066-810D-B2FCF1DADA47.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA9A90493-499A-4F16-81FC-7E672CC99526.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSADBA8196-BD9B-43D9-B92F-94CA94DA9173.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB40F743D-C76A-4B55-9A7F-E8EBB73E8090.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB4ABFDD9-61D3-45A6-9015-DAE087D9B901.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB6A13273-6551-4760-850F-DA1982241021.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB7A18686-5476-4297-A7F0-810EF0903D04.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB837B6E2-A58A-4FEA-8B84-9B842C5731B6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBC3C286A-FEB5-49B2-9D43-46B9EF56FC48.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC15F765B-09B1-497F-B503-2FDFC1348096.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC24E8352-4799-4DFB-A728-0FD26FFB3E50.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC32C3FC4-A7CB-4B0E-A12B-8D39B6CBCE43.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC41D35EF-5840-483D-A1E9-DFBBF7A60440.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC6437AB3-547C-4AA3-B209-F96A3ADE9B29.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCCBB31D2-D25B-48E6-AD18-AE875C1CF863.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDA19F88E-C166-4D24-89E7-52EC903869E5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDD7F38CA-8297-4F8F-8219-843F27C35404.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE5582AAA-8EED-4B74-902F-7B59C792A6D2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE69E6347-E6A5-4659-9ADA-4ADB09685D9F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE918CCD8-57A9-408F-AC17-4040674520E2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEBB2A742-D4A8-4551-83CF-7B519EC3E6A6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEBE94472-FDA9-45B7-8B27-CC3233606575.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEC71F2B2-221B-4028-A981-60085B01BD4E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF7261FC2-4D06-4701-9357-3EBCB37A7982.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF7BCE9FC-7C1C-4D30-860B-43F968D6E3E7.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFD002BF2-6A5B-4325-99E4-677EFDB5330D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFD9FC5AF-030B-4096-B934-6114B3661212.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFDB9301C-AF9C-470D-8FCA-A58B7C324F77.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFE43C137-AB2F-4531-8D22-B4CB60946414.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFB0A329-0541-4022-B785-5C07E9761089.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFFC0377-8BCE-4420-84E4-1DF65E0DDEF9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Science Wiz\Application Data\Webroot\Spy Sweeper\Logs\070811040028.ses Object is locked skipped
C:\Documents and Settings\Science Wiz\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Science Wiz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Science Wiz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Science Wiz\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Science Wiz\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Science Wiz\ntuser.dat Object is locked skipped
C:\Documents and Settings\Science Wiz\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\artm_new.dll.vir Infected: Trojan-Proxy.Win32.Xorpix.v skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\niqyxeze83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir Infected: Trojan.Win32.Small.oa skipped
C:\QooBox\Quarantine\C\VundoFix Backups\nnnkklj.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\VundoFix Backups\wvutrpp.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\VundoFix Backups\yayvvtq.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\VundoFix Backups\yayvwvs.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\QooBox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir Infected: Trojan-Downloader.Win32.Zlob.bqw skipped
C:\QooBox\Quarantine\C\WINDOWS\gqjeu0578.exe.vir Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\b02FdUe\b02FdUe1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\G1\kmhp83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\G1\kmhp83122.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\G11\z553.exe.vir Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\G3\wr725.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mqblmkls.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\twinsndt.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wehaucap.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\xssqsca.exe.vir Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{2CC251DD-69EF-4A48-9972-110E15A0D160}\RP364\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aaadcrrf.exe Infected: Backdoor.Win32.IRCBot.abf skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\xsokaaaa.exe Infected: Trojan-Spy.Win32.BZub.in skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{2CC251DD-69EF-4A48-9972-110E15A0D160}\RP364\change.log Object is locked skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 11:45:35 PM, on 8/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Science Wiz\Desktop\Hijack This\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mops.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYJIUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186757215116
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.
Disable SpySweeper's realtime protection temporarily (you can switch it back on after cleaning is done).
Open Spysweeper and click on Options
Choose Program Options and uncheck
load at windows
startup
.
On the left click
shields
and then uncheck everything.
Uncheck
home page shield
.
Uncheck
automatically restore default without notification
.
Exit the program.
Start hjt, click do a system scan only, check:
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mops.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Close browsers and other windows. Click fix checked.
Show hidden files (if not already visible)
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Delete if found:
C:\WINDOWS\system32\aaadcrrf.exe
C:\WINDOWS\system32\xsokaaaa.exe
C:\WINDOWS\system32\ipv6mops.dll
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Don't select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the
Save Scan Report
button before you did hit the
Apply all Actions
button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot.
Post
-AVG Anti-Spyware log
-a fresh HJT log.
BTW, I still haven't got you answer regarding those four .sys files. Did you find them and try re-uploading if found? You should also get yourself a firewall. See here (http://www.freebyte.com/antivirus/#firewalls) to choose one.
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:57:13 PM 8/13/2007
+ Scan result:
C:\System Volume Information\_restore{2CC251DD-69EF-4A48-9972-110E15A0D160}\RP365\A0144930.exe -> Downloader.Tiny.fl : Cleaned with backup (quarantined).
C:\Documents and Settings\Science Wiz\Cookies\science wiz@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\System Volume Information\_restore{2CC251DD-69EF-4A48-9972-110E15A0D160}\RP365\A0144929.exe -> Trojan.Tanspy : Cleaned with backup (quarantined).
::Report end
THIS IS THE SECOND REPORT< I FORGOT TO SAVE THE FIRST ONE. HERE IS THE HJT LOG:
Logfile of HijackThis v1.99.1
Scan saved at 10:09:14 PM, on 8/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\domino.exe
C:\WINDOWS\VMSnap1.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Science Wiz\Desktop\Hijack This\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINDOWS\system32\AClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [domino] C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - ?p=ZSYYYYYYJIUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186757215116
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi
How about those 4 files I asked you to upload to VirusTotal (I asked you to first switch off hidden files, check if those exist and try uploading again if any exists) any news about them? :)
Due to lack of a response to helper this topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.