PDA

View Full Version : Lots of problems?



rosenbee
2007-10-03, 06:25
This computer seems to have a multiple set of problems. It is a computer used primarily by kids. It has various alerts saying that there is a potential spyware problem.

Below is the HJT file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:27 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberArmor\casvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberArmor\pcshelp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\system32\WinAvXX.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - x?$3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O2 - BHO: (no name) - ¨?$82BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CyberArmorHelper] C:\Program Files\CyberArmor\pcshelp.exe -check
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171378805921
O20 - AppInit_DLLs: systems.txt
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8092 bytes

rosenbee
2007-10-03, 06:26
Here is the Kaspersky report
-----
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 02, 2007 7:21:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 3/10/2007
Kaspersky Anti-Virus database records: 426516
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 92630
Number of viruses found: 10
Number of infected objects: 17
Number of suspicious objects: 7
Duration of the scan process: 00:57:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-02132007-151229.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobImageActiveXObject1.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobImageActiveXObject1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject10.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02780000.VBN Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09CC0001.VBN/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09CC0001.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09CC0001.VBN ZIP: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09CC0001.VBN CryptZ: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D780000.VBN Infected: not-a-virus:FraudTool.Win32.WorldSecurityOnline.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC80000.VBN Infected: Trojan-Downloader.Win32.Agent.bfj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC80001.VBN Infected: Trojan-Downloader.Win32.Agent.bfj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000000.VBN Infected: Trojan-Downloader.Win32.Agent.bfj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E000001.VBN Infected: Trojan-Downloader.Win32.Agent.bfj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E080000.VBN Infected: not-a-virus:FraudTool.Win32.WorldSecurityOnline.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FE80001.VBN Infected: not-virus:Hoax.Win32.Renos.jh skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nate\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nate\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nate\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Nate\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Nate\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\History\History.IE5\MSHist012007100220071003\index.dat Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\Temp\Perflib_Perfdata_850.dat Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\Temp\us0008.exe Infected: not-virus:Hoax.Win32.Renos.gk skipped
C:\Documents and Settings\Nate\Local Settings\Temp\~DF2C72.tmp Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Nate\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nate\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nate\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20070213152646.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqdb.dat Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqsdb.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0024228.exe Infected: Trojan-Downloader.Win32.Zlob.bon skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B784232C-B92B-4463-81D9-B4AAA0E9BCAE}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070914-164637.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_618.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Mr_JAk3
2007-10-05, 21:04
Hello and welcome to the FOrums :)

You're infected.

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer


1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

rosenbee
2007-10-05, 21:57
Below is the report that Combofix produced. It restarted the computer during its run and then appeared to hang (I had SpyBot set to automatically run on startup). I reran Combifix and got the following report:

ComboFix 07-10-05.3 - Nate 2007-10-05 11:47:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.477 [GMT -7:00]
Running from: C:\Documents and Settings\Nate\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
.

2007-10-05 11:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 19:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-02 17:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-02 15:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-02 15:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-02 15:36 2,382 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-02 15:35 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-02 15:35 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-02 15:35 25,088 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-02 15:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-02 15:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-02 13:21 <DIR> d-------- C:\Documents and Settings\Nate\Application Data\Corel Photo Album
2007-09-29 15:20 <DIR> d-------- C:\Program Files\MalwareMonitor
2007-09-15 01:04 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-15 01:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-15 01:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-14 19:17 <DIR> d-------- C:\Documents and Settings\John\Application Data\DivX
2007-09-14 18:22 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-05 11:26 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-10-02 13:21 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-15 19:20 --------- d-------- C:\Program Files\PCFriendly
2007-09-14 16:40 --------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-08-31 16:35 --------- d-------- C:\Program Files\National Instruments
2007-08-31 16:35 --------- d-------- C:\Program Files\LEGO Software
2007-08-14 15:15 --------- d-------- C:\Documents and Settings\Maddie\Application Data\AdobeUM
2007-08-10 11:04 --------- d-------- C:\Documents and Settings\Carla\Application Data\GTek
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 16:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 16:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 16:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 16:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 16:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 16:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 16:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 16:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-26 16:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-18 23:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 18:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 18:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 18:50]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20]
"CyberArmorHelper"="C:\Program Files\CyberArmor\pcshelp.exe" [2005-11-09 19:42]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-08-18 11:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 01:12]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-05 12:27]
"Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2002-12-16 04:10]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-04-02 09:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" []

C:\Documents and Settings\Maddie\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-04-22 10:01:02]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=C:\WINDOWS\pss\Personal Coach.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Push Client.LNK
backup=C:\WINDOWS\pss\Push Client.LNKCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\DellSupport\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X5100 Series]
"C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareMonitor]
C:\Program Files\MalwareMonitor\MalwareMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
"C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R2 CyberArmorRunService;CyberArmor Run Service;C:\Program Files\CyberArmor\casvc.exe
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R2 Viexpf2k;CyberArmor W2KDriver;C:\WINDOWS\system32\drivers\viexpf2k.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-05 18:28:45 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
"2007-10-05 18:28:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe
"2007-10-05 18:28:45 C:\WINDOWS\Tasks\MP Scheduled Signature Update.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe
"2007-10-05 07:23:00 C:\WINDOWS\Tasks\shutdown.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-05 11:51:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-05 11:52:52
C:\ComboFix-quarantined-files.txt ... 2007-10-05 11:52
.
--- E O F ---

Mr_JAk3
2007-10-06, 21:08
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================


Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Use the Windows search Start
Search
All files and folders
More advanced options Checkmark these options: "Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: xlibgfl254.dll

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

rosenbee
2007-10-07, 08:47
Hi there,

Okay ran all the steps. Didn't see any icons like you mentioned at the end of the message, but it Dr.Web did delete and move a bunch of files.

Thanks much for the help, can tell the computer is ailing a bit less each time. Here is the report:

RegUBP2b-Nate.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
3 Months Free NetZero.exe;C:\Documents and Settings\All Users\Start Menu;Trojan.Click.1487;Deleted.;
Process.exe;C:\Documents and Settings\Nate\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Nate\Desktop\SmitfraudFix;Tool.ShutDown.11;;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
qdiagd.ocx;C:\Program Files\DellSupport;Probably DLOADER.Trojan;;
InstallDetect.ocx;C:\Program Files\interwise\participant;Trojan.Deefi.origin;Incurable.Moved.;
autorun.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup;Trojan.Fakealert.305 - read error;Deleted.;
system.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\Carla\Start Menu\Programs\Startup;Trojan.Fakealert.305 - read error;Deleted.;
system.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\John\Start Menu\Programs\Startup;Trojan.Fakealert.305 - read error;Deleted.;
system.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\Levi\Start Menu\Programs\Startup;Trojan.Fakealert.305 - read error;Deleted.;
system.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\Maddie\Start Menu\Programs\Startup;Trojan.Fakealert.305 - read error;Deleted.;
system.exe.vir;C:\qoobox\Quarantine\C\Documents and Settings\Nate\Start Menu\Programs\Startup;Trojan.Fakealert.305 - read error;Deleted.;
xpupdate.exe.vir;C:\qoobox\Quarantine\C\WINDOWS;Trojan.Fakealert;Deleted.;
printer.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.305 - read error;Deleted.;
winavxx.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.305 - read error;Deleted.;
A0020163.ocx;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP292;Trojan.Deefi.origin;Incurable.Moved.;
A0023171.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336;Trojan.Fakealert.305 - read error;Deleted.;
A0023175.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336;Trojan.Fakealert.305 - read error;Deleted.;
A0023176.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336;Trojan.Fakealert.305 - read error;Deleted.;
A0024174.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337;Trojan.Fakealert.305 - read error;Deleted.;
A0024175.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337;Trojan.Fakealert.305 - read error;Deleted.;
A0024176.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337;Trojan.Fakealert.305 - read error;Deleted.;
A0024185.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339;Trojan.Fakealert.305 - read error;Deleted.;
A0024186.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339;Trojan.Fakealert.305 - read error;Deleted.;
A0024206.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024207.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024240.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024241.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024270.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024271.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024272.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024286.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024287.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024288.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024294.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024295.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024296.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340;Trojan.Fakealert.305 - read error;Deleted.;
A0024309.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024310.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024311.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024350.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024351.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024352.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024360.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024377.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024379.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024380.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341;Trojan.Fakealert.305 - read error;Deleted.;
A0024386.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342;Trojan.Fakealert.305 - read error;Deleted.;
A0024387.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342;Trojan.Fakealert.305 - read error;Deleted.;
A0024388.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342;Trojan.Fakealert.305 - read error;Deleted.;
A0024401.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342;Trojan.Fakealert.305 - read error;Deleted.;
A0024402.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP342;Trojan.Fakealert.305 - read error;Deleted.;
A0024410.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP344;Trojan.Fakealert.305 - read error;Deleted.;
A0024411.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP344;Trojan.Fakealert.305 - read error;Deleted.;
A0024430.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345;Trojan.Fakealert.305 - read error;Deleted.;
A0024431.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345;Trojan.Fakealert.305 - read error;Deleted.;
A0024432.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345;Trojan.Fakealert.305 - read error;Deleted.;
A0024450.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346;Trojan.Fakealert.305 - read error;Deleted.;
A0024464.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346;Trojan.Fakealert.305 - read error;Deleted.;
A0024465.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346;Trojan.Fakealert.305 - read error;Deleted.;
A0024466.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346;Trojan.Fakealert.305 - read error;Deleted.;
A0024518.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347;Trojan.Fakealert.305 - read error;Deleted.;
A0024519.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347;Trojan.Fakealert.305 - read error;Deleted.;
A0024520.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347;Trojan.Fakealert.305 - read error;Deleted.;
A0024535.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348;Trojan.Fakealert.305 - read error;Deleted.;
A0024536.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348;Trojan.Fakealert.305 - read error;Deleted.;
A0024537.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348;Trojan.Fakealert.305 - read error;Deleted.;
A0024544.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349;Trojan.Fakealert.305 - read error;Deleted.;
A0024545.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349;Trojan.Fakealert.305 - read error;Deleted.;
A0024546.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349;Trojan.Fakealert.305 - read error;Deleted.;
A0024554.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349;Trojan.Fakealert.305 - read error;Deleted.;
A0024560.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350;Trojan.Fakealert.305 - read error;Deleted.;
A0024561.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350;Trojan.Fakealert.305 - read error;Deleted.;
A0024562.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350;Trojan.Fakealert.305 - read error;Deleted.;
A0024568.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350;Trojan.Fakealert.305 - read error;Deleted.;
A0024569.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350;Trojan.Fakealert.305 - read error;Deleted.;
A0024573.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350;Trojan.Fakealert.305 - read error;Deleted.;
A0024602.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351;Trojan.Fakealert.305 - read error;Deleted.;
A0024603.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351;Trojan.Fakealert.305 - read error;Deleted.;
A0024604.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351;Trojan.Fakealert.305 - read error;Deleted.;
A0024621.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352;Trojan.Fakealert.305 - read error;Deleted.;
A0024622.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352;Trojan.Fakealert.305 - read error;Deleted.;
A0024623.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP352;Trojan.Fakealert.305 - read error;Deleted.;
A0024627.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024628.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024629.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024649.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024650.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024651.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024658.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024673.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353;Trojan.Fakealert.305 - read error;Deleted.;
A0024679.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354;Trojan.Fakealert.305 - read error;Deleted.;
A0024680.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354;Trojan.Fakealert.305 - read error;Deleted.;
A0024681.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354;Trojan.Fakealert.305 - read error;Deleted.;
A0024688.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354;Trojan.Fakealert.305 - read error;Deleted.;
A0024691.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354;Trojan.Fakealert.305 - read error;Deleted.;

rosenbee
2007-10-07, 08:48
A0024702.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355;Trojan.Fakealert.305 - read error;Deleted.;
A0024703.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355;Trojan.Fakealert.305 - read error;Deleted.;
A0024704.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355;Trojan.Fakealert.305 - read error;Deleted.;
A0024712.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355;Trojan.Fakealert.305 - read error;Deleted.;
A0024719.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356;Trojan.Fakealert.305 - read error;Deleted.;
A0024720.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356;Trojan.Fakealert.305 - read error;Deleted.;
A0024721.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356;Trojan.Fakealert.305 - read error;Deleted.;
A0024726.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356;Trojan.Fakealert.305 - read error;Deleted.;
A0024731.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024732.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024733.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024742.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024743.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024744.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024765.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024767.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024768.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024779.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024780.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024781.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024803.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357;Trojan.Fakealert.305 - read error;Deleted.;
A0024821.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358;Trojan.Fakealert.305 - read error;Deleted.;
A0024822.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358;Trojan.Fakealert.305 - read error;Deleted.;
A0024834.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358;Trojan.Fakealert.305 - read error;Deleted.;
A0024835.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358;Trojan.Fakealert.305 - read error;Deleted.;
A0024837.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358;Trojan.Fakealert.305 - read error;Deleted.;
A0024848.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358;Trojan.Fakealert.305 - read error;Deleted.;
A0025834.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP359;Trojan.Fakealert.305 - read error;Deleted.;
A0025835.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP359;Trojan.Fakealert.305 - read error;Deleted.;
A0025836.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP359;Trojan.Fakealert.305 - read error;Deleted.;
A0025843.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP359;Trojan.Fakealert.305 - read error;Deleted.;
A0025850.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.Fakealert.305 - read error;Deleted.;
A0025851.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.Fakealert.305 - read error;Deleted.;
A0025852.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.Fakealert.305 - read error;Deleted.;
A0025862.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.Fakealert.305 - read error;Deleted.;
A0025900.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.StartPage.1505;Deleted.;
A0025923.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.Fakealert.305 - read error;Deleted.;
A0025924.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.Fakealert.305 - read error;Deleted.;
A0025925.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360;Trojan.Fakealert.305 - read error;Deleted.;
A0025934.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025935.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025936.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025937.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025938.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025939.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025940.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025941.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert.305 - read error;Deleted.;
A0025942.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361;Trojan.Fakealert;Deleted.;
A0026025.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362;Trojan.StartPage.1505;Deleted.;
A0026026.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362;Trojan.Click.1487;Deleted.;
A0026027.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362;Trojan.Click.1487;Deleted.;
A0026028.ocx;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP362;Trojan.Deefi.origin;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

Mr_JAk3
2007-10-07, 16:23
Hi :)

Please post a fresh HiajckThis log too. How is the computer running? :bigthumb:

rosenbee
2007-10-07, 19:02
:oops:Oops Sorry! Computer is running much cleaner and not getting the nasty popups, etc. Thanks much.

----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:17 AM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CyberArmor\casvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\CyberArmor\pcshelp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [CyberArmorHelper] C:\Program Files\CyberArmor\pcshelp.exe -check
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171378805921
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6679 bytes

Mr_JAk3
2007-10-07, 22:49
Hi again, it is looking good now :)

One minor leftover.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)

restart the pc and run a new HijackThis scan. The O21 entry you just fixed should be gone now.

You can remove the tools we used and enable Spybot Teatimer again.
You can delete the following backup folder: C:\qoobox

Then you should update your Java to the latest version (6u3) Start
Control Panel
Add/Remove Programs
Delete the old Java,
Java 2 Runtime Environment, SE v1.4.2_03
Download the latest version of Java Runtime Environment (JRE) 6u3 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

rosenbee
2007-10-08, 06:05
Thanks much! I have taken all your advice. Hopefully we can keep the lid on this computer from now on.

Mr_JAk3
2007-10-08, 10:31
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: