After Spybot, Ad-Aware, SuperAntiSpyware, Vundofix, Avast something still stalks me



Karren
2007-12-07, 18:41
Very grateful to anyone who can help. I have the Kaspersky results ready to post but haven't because even if I cut the extraneous material out it would still result in three initial posts. They're well over 100 times the size of the 20,000 char post limit, but most of it is from a mystery folder in C:\Windows\Fonts\' containing infected ZIPS. This ' folder doesn't show up in Windows Explorer, but the "scan selected folders" option in Kaspersky and their "Browse for Folders" tool confirmed its existence. When I post them I'll remove most of the results from this folder except for a little from the beginning and end as an example, which will be on either side of a break in the results.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:09 AM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\conanan\Desktop\karren.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C02B19E-948F-4ADE-AACB-E35EF1CF096C} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60856BD0-4DA2-4F29-9097-941A2A5E1C9C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - [SASInprocServer32] (file missing)
O2 - BHO: (no name) - {9066792A-E4FB-48DD-8178-3A8112545371} - (no file)
O2 - BHO: (no name) - {96735C56-F0D9-48B8-9B3C-A86C886C1D27} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsnwww-qa.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www-qa.worldwinner.com/games/shared/wwlaunch.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: wvwwwuv - wvwwwuv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 13118 bytes

Mr_JAk3
2007-12-09, 11:47
Hello Karren and welcome to the Forums :)

You're infected.

At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Karren
2007-12-11, 00:04
Thanks for finding my post. I would have responded sooner, but I thought it had gone unnoticed. It's probably not important, but I found that C:\Windows\Fonts\' folder using the Explorer address bar (duh) and deleted it; hope that's OK. Also, since I've been infected, every time I shut down an "End Program - QLBCTRL.EXE" dialog box opens and I have to hit End Now to shut down.

There are two user accounts on this computer, will that matter?



ComboFix 07-12-09.1 - Karlaa 2007-12-10 15:31:07.5 - NTFSx86,
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1414 [GMT -7:00]
Running from: C:\Documents and Settings\Karlaa\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\a.zip
C:\winlogon.exe
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-09 17:33 . 2007-12-09 17:33 <DIR> d-------- C:\Program Files\iTunes
2007-12-09 17:33 . 2007-12-09 17:33 <DIR> d-------- C:\Program Files\iPod
2007-12-08 21:13 . 2007-12-08 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2007-12-08 16:40 . 2007-12-08 16:40 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\Panasonic
2007-12-07 23:45 . 2007-12-10 15:28 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\OnlineArmor
2007-12-07 23:18 . 2007-12-07 23:18 <DIR> d-------- C:\Program Files\Tall Emu
2007-12-07 23:18 . 2007-12-07 23:18 <DIR> d-------- C:\OnlineArmor
2007-12-07 23:18 . 2007-12-10 14:47 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\OnlineArmor
2007-12-07 23:18 . 2007-12-07 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2007-12-07 23:18 . 2007-11-08 06:37 68,608 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2007-12-07 23:18 . 2007-09-29 00:06 25,600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2007-12-07 23:18 . 2007-09-29 00:06 18,944 --a------ C:\WINDOWS\system32\drivers\ndisrd.sys
2007-12-07 23:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-07 19:28 . 2007-12-07 19:28 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\SUPERAntiSpyware.com
2007-12-07 12:28 . 2007-12-07 12:28 <DIR> d-------- C:\ie-spyad
2007-12-07 12:28 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2007-12-07 12:26 . 2007-01-18 05:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-07 12:15 . 2007-12-10 15:19 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\SiteAdvisor
2007-12-06 15:10 . 2007-12-06 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 15:08 . 2007-12-09 14:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-06 15:08 . 2007-12-06 15:08 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\SUPERAntiSpyware.com
2007-12-05 22:34 . 2007-12-06 08:53 <DIR> d-------- C:\VundoFix Backups
2007-12-05 20:27 . 2007-12-05 20:27 294 ---hs---- C:\WINDOWS\system32\kbnqxlpp.ini
2007-12-03 16:09 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-03 16:09 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-03 16:09 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-03 16:08 . 2007-12-03 16:08 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-03 16:08 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-03 16:08 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-03 16:08 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-03 16:08 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-03 16:08 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-03 15:58 . 2007-12-07 08:21 442,109 --ahs---- C:\WINDOWS\system32\xbadd.ini
2007-12-03 15:54 . 2007-12-10 14:40 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\SiteAdvisor
2007-12-03 15:54 . 2007-12-03 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-03 15:54 . 2007-12-03 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-03 14:29 . 2007-12-03 17:47 178 --ah----- C:\aaw7boot.cmd
2007-12-03 12:35 . 2007-12-10 15:24 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-03 12:32 . 2007-12-03 12:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-03 12:11 . 2007-12-03 12:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-03 12:11 . 2007-12-03 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-03 12:10 . 2007-12-06 15:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-03 09:48 . 2007-12-03 09:49 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-30 19:36 . 2007-11-30 19:36 0 --ahs---- C:\Documents and Settings\conanan\Application Data\30464bbca083187de71bbc2850574a240ba1e2bc.dat
2007-11-30 16:18 . 2007-11-30 16:19 489,984 --a------ C:\Documents and Settings\conanan\load.exe
2007-11-30 15:41 . 2007-11-30 15:41 679,424 --a------ C:\WINDOWS\is-9FD8H.exe
2007-11-30 15:41 . 2007-11-30 15:41 10,861 --a------ C:\WINDOWS\is-9FD8H.msg
2007-11-30 15:41 . 2007-11-30 15:41 132 --a------ C:\WINDOWS\is-9FD8H.lst
2007-11-30 15:01 . 2007-11-30 15:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-30 15:01 . 2007-12-03 14:54 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\LimeWire
2007-11-30 15:01 . 2007-11-30 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-30 14:56 . 2007-11-30 14:56 <DIR> d-------- C:\WINDOWS\system32\daSgo05
2007-11-30 05:47 . 2007-12-05 11:33 794,690 ---hs---- C:\WINDOWS\system32\ctwiogte.ini
2007-11-29 14:05 . 2007-11-29 14:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-29 14:02 . 2007-11-29 14:02 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-11-29 14:02 . 2007-11-29 14:03 <DIR> d-------- C:\Temp\bkR11
2007-11-29 14:02 . 2007-11-30 15:10 <DIR> d-------- C:\Temp
2007-11-25 17:29 . 2007-11-25 17:29 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Snapfish
2007-11-25 16:59 . 2007-11-25 17:32 <DIR> d-------- C:\Program Files\Shutterfly
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-14 11:21 . 2007-11-14 11:21 49 --a------ C:\WINDOWS\cdplayer.ini
2007-11-13 18:28 . 2007-11-13 18:28 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Panasonic
2007-11-13 18:27 . 2007-11-13 18:27 <DIR> d-------- C:\Program Files\Panasonic
2007-11-13 18:27 . 2007-11-13 18:27 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\InstallShield
2007-11-13 18:25 . 2007-11-13 18:25 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Sonic
2007-11-13 18:25 . 2007-11-13 18:25 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Leadertech
2007-11-12 07:45 . 2007-11-12 07:45 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\MySpace
2007-11-10 10:32 . 2007-11-25 17:13 <DIR> d-------- C:\Program Files\MySpace
2007-11-10 10:32 . 2007-11-10 10:32 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\MySpace

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 21:49 --------- d-----w C:\Documents and Settings\Karlaa\Application Data\Skype
2007-12-10 00:40 --------- d-----w C:\Program Files\LimeWire
2007-12-10 00:31 --------- d-----w C:\Program Files\QuickTime
2007-12-09 03:58 --------- d-----w C:\Program Files\Yahoo! Games
2007-12-08 06:16 --------- d-----w C:\Program Files\Java
2007-12-03 21:29 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-30 23:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-30 22:09 246 ----a-w C:\Program Files\Common Files\baruh513
2007-11-30 21:56 134 ----a-w C:\n.bat
2007-11-29 21:03 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(7).dsk
2007-11-29 21:03 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(6).dsk
2007-11-29 21:03 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(5).dsk
2007-11-29 21:03 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(4).dsk
2007-11-29 21:03 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(3).dsk
2007-11-29 21:03 166,945 ----a-w C:\WINDOWS\system32\drivers\core.cache(2).dsk
2007-11-21 01:08 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-14 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 21:09 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-26 01:03 --------- d-----w C:\Documents and Settings\Karlaa\Application Data\Otto
2007-10-26 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Otto
2007-10-16 18:40 91,520 ----a-w C:\WINDOWS\HPBroker.dll
2007-09-21 04:52 654 ----a-w C:\Documents and Settings\Karlaa\Application Data\wklnhst.dat
2007-06-16 19:24 434,316 ----a-w C:\Program Files\lame-3.97.zip
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-30_15.17.13.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 23:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-08 10:32:45 141,824 ----a-w C:\WINDOWS\catchme.exe
+ 2005-08-26 22:27:58 45,056 ----a-w C:\WINDOWS\devenum.exe
+ 2005-04-21 16:59:06 131,072 ----a-w C:\WINDOWS\Downloaded Program Files\popcaploader.dll
+ 2007-12-10 00:33:59 102,400 ----a-r C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe
+ 2007-12-06 22:08:44 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2007-12-06 22:08:44 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-03 19:11:57 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-12-03 19:11:57 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-12-03 19:11:57 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-12-03 19:11:57 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-01-31 13:33:46 5,632 ----a-w C:\WINDOWS\system32\drivers\avgarkt.sys
+ 2007-07-11 20:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 19:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 19:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2007-11-21 01:10:51 263,024 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-06 07:46:22 264,616 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2005-11-11 02:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 05:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-11 02:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 05:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-11 04:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 06:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-12-10 21:47:11 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_784.dat
+ 2005-08-26 22:28:34 143,360 ----a-w C:\WINDOWS\unzip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60856BD0-4DA2-4F29-9097-941A2A5E1C9C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9066792A-E4FB-48DD-8178-3A8112545371}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 11:43]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 06:51]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-05 11:04]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-15 21:00 C:\WINDOWS\system32\rundll32.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 04:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 22:22]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 21:55]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 11:33]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 16:18]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-17 12:53]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-18 19:31]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-16 07:51]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Program Files\Vongo\Tray.exe [2006-05-09 13:09:32]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Program Files\Vongo\Tray.exe [2006-05-09 13:09:32]

C:\Documents and Settings\Karlaa\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\conanan\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Program Files\Vongo\Tray.exe [2006-05-09 13:09:32]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-13 06:21:02]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 09:39:30]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-22 22:21:47]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-11-13 18:27:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2007-11-16 07:50 633344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvwwwuv]
wvwwwuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 NDISRD;NDISRD;\??\C:\WINDOWS\system32\drivers\NDISRD.sys
R1 OADevice;OADriver;\??\C:\WINDOWS\system32\drivers\OADriver.sys
R1 OAmon;OAmon;\??\C:\WINDOWS\system32\drivers\OAmon.sys
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe"
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-03 23:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 15:34:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???H?????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-10 15:36:29
C:\ComboFix2.txt ... 2007-12-10 15:14
C:\ComboFix3.txt ... 2007-12-07 09:22
.
--- E O F ---

Mr_JAk3
2007-12-11, 20:49
Hi

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\kbnqxlpp.ini
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\mcrh.tmp
C:\Documents and Settings\conanan\Application Data\30464bbca083187de71bbc2850574a240ba1e2bc.dat
C:\Documents and Settings\conanan\load.exe
C:\WINDOWS\is-9FD8H.exe
C:\WINDOWS\is-9FD8H.msg
C:\WINDOWS\is-9FD8H.lst
C:\WINDOWS\system32\ctwiogte.ini
C:\Program Files\Common Files\baruh513
C:\n.bat
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\devenum.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll

Folder::
C:\WINDOWS\system32\daSgo18
C:\Temp\bkR11
C:\WINDOWS\system32\daSgo05
C:\Program Files\Web Buying

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60856BD0-4DA2-4F29-9097-941A2A5E1C9C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9066792A-E4FB-48DD-8178-3A8112545371}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebBuying"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvwwwuv]

Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
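
As an added illustration (not part of the thread, and not ComboFix's own code), here is a small Python preflight check for a CFScript like the one above. It splits the script into its File::, Folder:: and Registry:: sections, verifies that every listed path is absolute and that each registry line follows the REGEDIT4-style conventions ComboFix reads ([-key] removes a key, "name"=- removes a value under the key opened above it), and collects warnings a helper would want to see before the file is dragged onto ComboFix.exe. The sample input is the script from the post above; the malformed input in the usage note is constructed.

```python
# Preflight check for a ComboFix CFScript (added example; not ComboFix's own code).
import re
from dataclasses import dataclass, field

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_USERS")
SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")    # [key] opens a key, [-key] deletes it
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')     # "name"=- deletes a value, "name"=data sets it
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")     # Windows absolute path, e.g. C:\...


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry: list = field(default_factory=list)   # (action, key, value_name)
    warnings: list = field(default_factory=list)


def parse_cfscript(text: str) -> CFScript:
    """Split a CFScript into its sections and collect lines a helper should recheck."""
    script = CFScript()
    section = None      # which X:: block we are in
    current_key = None  # last [key] opened inside Registry::
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section is None:
            script.warnings.append(f"line {lineno}: entry before any section header: {line}")
        elif section in ("File", "Folder"):
            # ComboFix removes exactly what is listed, so a relative path is a mistake.
            if not ABS_PATH_RE.match(line):
                script.warnings.append(f"line {lineno}: not an absolute path: {line}")
            (script.files if section == "File" else script.folders).append(line)
        elif m := KEY_RE.match(line):
            delete, key = m.group(1) == "-", m.group(2)
            if key.split("\\", 1)[0].upper() not in HIVES:
                script.warnings.append(f"line {lineno}: unknown hive: {key}")
            if delete:
                script.registry.append(("delete_key", key, None))
                current_key = None
            else:
                current_key = key
        elif m := VALUE_RE.match(line):
            if current_key is None:
                script.warnings.append(f"line {lineno}: value outside a [key] block: {line}")
            else:
                name, data = m.groups()
                script.registry.append(("delete_value" if data == "-" else "set_value", current_key, name))
        else:
            script.warnings.append(f"line {lineno}: unrecognised registry line: {line}")
    return script


# Sample input: the CFScript from the post above.
SAMPLE = r"""File::
C:\WINDOWS\system32\kbnqxlpp.ini
C:\WINDOWS\system32\xbadd.ini
C:\WINDOWS\system32\mcrh.tmp
C:\Documents and Settings\conanan\Application Data\30464bbca083187de71bbc2850574a240ba1e2bc.dat
C:\Documents and Settings\conanan\load.exe
C:\WINDOWS\is-9FD8H.exe
C:\WINDOWS\is-9FD8H.msg
C:\WINDOWS\is-9FD8H.lst
C:\WINDOWS\system32\ctwiogte.ini
C:\Program Files\Common Files\baruh513
C:\n.bat
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\devenum.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
Folder::
C:\WINDOWS\system32\daSgo18
C:\Temp\bkR11
C:\WINDOWS\system32\daSgo05
C:\Program Files\Web Buying
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60856BD0-4DA2-4F29-9097-941A2A5E1C9C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9066792A-E4FB-48DD-8178-3A8112545371}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebBuying"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvwwwuv]
"""

if __name__ == "__main__":
    r = parse_cfscript(SAMPLE)
    print(f"{len(r.files)} files, {len(r.folders)} folders, {len(r.registry)} registry operations")
    for w in r.warnings:
        print("WARNING:", w)
```

On the script above the check reports 20 files, 4 folders and 5 registry operations (three key deletions, two value deletions) with no warnings. Feeding it a constructed bad script such as a path before any section header, a relative path under File::, or a "name"=- line with no [key] above it produces one warning per problem, which is the point: the mistakes a hand-typed CFScript tends to contain are exactly the ones ComboFix will silently skip or act on wrongly.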

Karren
2007-12-11, 22:03
I had the Online Armor firewall running during the ComboFix process and it popped up several dialog boxes, all of which I allowed. I hope this is not a problem.

ComboFix 07-12-09.1 - Karlaa 2007-12-11 13:45:37.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1295 [GMT -7:00]
Running from: C:\Documents and Settings\Karlaa\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Karlaa\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\conanan\Application Data\30464bbca083187de71bbc2850574a240ba1e2bc.dat
C:\Documents and Settings\conanan\load.exe
C:\n.bat
C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
C:\Program Files\Common Files\baruh513
C:\WINDOWS\devenum.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\is-9FD8H.exe
C:\WINDOWS\is-9FD8H.lst
C:\WINDOWS\is-9FD8H.msg
C:\WINDOWS\system32\ctwiogte.ini
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\kbnqxlpp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xbadd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\conanan\Application Data\30464bbca083187de71bbc2850574a240ba1e2bc.dat
C:\Documents and Settings\conanan\load.exe
C:\n.bat
C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll
C:\Program Files\Common Files\baruh513
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\devenum.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\is-9FD8H.exe
C:\WINDOWS\is-9FD8H.lst
C:\WINDOWS\is-9FD8H.msg
C:\WINDOWS\system32\ctwiogte.ini
C:\WINDOWS\system32\daSgo05
C:\WINDOWS\system32\daSgo05\daSgo051080.exe
C:\WINDOWS\system32\daSgo18
C:\WINDOWS\system32\daSgo18\daSgo182328.exe
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache(4).dsk
C:\WINDOWS\system32\drivers\core.cache(5).dsk
C:\WINDOWS\system32\drivers\core.cache(6).dsk
C:\WINDOWS\system32\drivers\core.cache(7).dsk
C:\WINDOWS\system32\kbnqxlpp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\xbadd.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-09 17:33 . 2007-12-09 17:33 <DIR> d-------- C:\Program Files\iTunes
2007-12-09 17:33 . 2007-12-09 17:33 <DIR> d-------- C:\Program Files\iPod
2007-12-08 21:13 . 2007-12-08 21:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2007-12-08 16:40 . 2007-12-08 16:40 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\Panasonic
2007-12-07 23:45 . 2007-12-10 15:28 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\OnlineArmor
2007-12-07 23:18 . 2007-12-07 23:18 <DIR> d-------- C:\Program Files\Tall Emu
2007-12-07 23:18 . 2007-12-07 23:18 <DIR> d-------- C:\OnlineArmor
2007-12-07 23:18 . 2007-12-10 14:47 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\OnlineArmor
2007-12-07 23:18 . 2007-12-07 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2007-12-07 23:18 . 2007-11-08 06:37 68,608 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2007-12-07 23:18 . 2007-09-29 00:06 25,600 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2007-12-07 23:18 . 2007-09-29 00:06 18,944 --a------ C:\WINDOWS\system32\drivers\ndisrd.sys
2007-12-07 23:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-07 19:28 . 2007-12-07 19:28 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\SUPERAntiSpyware.com
2007-12-07 12:28 . 2007-12-07 12:28 <DIR> d-------- C:\ie-spyad
2007-12-07 12:28 . 1999-12-21 07:58 21,312 --a------ C:\WINDOWS\choice.exe
2007-12-07 12:26 . 2007-01-18 05:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-12-07 12:15 . 2007-12-10 15:19 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\SiteAdvisor
2007-12-06 15:10 . 2007-12-06 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-06 15:08 . 2007-12-09 14:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-06 15:08 . 2007-12-06 15:08 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\SUPERAntiSpyware.com
2007-12-05 22:34 . 2007-12-06 08:53 <DIR> d-------- C:\VundoFix Backups
2007-12-03 16:09 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-03 16:09 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-03 16:09 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-03 16:08 . 2007-12-03 16:08 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-03 16:08 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-03 16:08 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-03 16:08 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-03 16:08 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-03 16:08 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-03 15:54 . 2007-12-11 13:39 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\SiteAdvisor
2007-12-03 15:54 . 2007-12-03 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-03 15:54 . 2007-12-03 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-03 14:29 . 2007-12-03 17:47 178 --ah----- C:\aaw7boot.cmd
2007-12-03 12:35 . 2007-12-10 15:24 <DIR> d-------- C:\Program Files\SpywareGuard
2007-12-03 12:32 . 2007-12-03 12:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-03 12:11 . 2007-12-03 12:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-03 12:11 . 2007-12-03 12:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-03 12:10 . 2007-12-06 15:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-30 15:01 . 2007-11-30 15:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-30 15:01 . 2007-12-03 14:54 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\LimeWire
2007-11-30 15:01 . 2007-11-30 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-29 14:05 . 2007-11-29 14:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-29 14:03 . 2007-12-03 14:29 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-11-29 14:03 . 2007-12-03 14:29 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-11-29 14:03 . 2007-11-29 17:37 <DIR> d-------- C:\WINDOWS\system32\ft21
2007-11-29 14:03 . 2007-12-03 12:29 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-11-29 14:03 . 2007-12-06 16:35 <DIR> d--hs---- C:\WINDOWS\S2FybGFh
2007-11-29 14:02 . 2007-12-11 13:50 <DIR> d-------- C:\Temp
2007-11-25 17:29 . 2007-11-25 17:29 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Snapfish
2007-11-25 16:59 . 2007-11-25 17:32 <DIR> d-------- C:\Program Files\Shutterfly
2007-11-14 23:43 . 2007-11-14 23:43 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-11-14 23:43 . 2007-11-14 23:43 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-11-14 11:21 . 2007-11-14 11:21 49 --a------ C:\WINDOWS\cdplayer.ini
2007-11-13 18:28 . 2007-11-13 18:28 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Panasonic
2007-11-13 18:27 . 2007-11-13 18:27 <DIR> d-------- C:\Program Files\Panasonic
2007-11-13 18:27 . 2007-11-13 18:27 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\InstallShield
2007-11-13 18:25 . 2007-11-13 18:25 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Sonic
2007-11-13 18:25 . 2007-11-13 18:25 <DIR> d-------- C:\Documents and Settings\Karlaa\Application Data\Leadertech
2007-11-12 07:45 . 2007-11-12 07:45 <DIR> d-------- C:\Documents and Settings\conanan\Application Data\MySpace

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 20:55 --------- d-----w C:\Documents and Settings\Karlaa\Application Data\Skype
2007-12-10 00:40 --------- d-----w C:\Program Files\LimeWire
2007-12-10 00:31 --------- d-----w C:\Program Files\QuickTime
2007-12-09 03:58 --------- d-----w C:\Program Files\Yahoo! Games
2007-12-08 06:16 --------- d-----w C:\Program Files\Java
2007-12-03 21:29 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-30 23:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-26 00:13 --------- d-----w C:\Program Files\MySpace
2007-11-21 01:08 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-14 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 17:32 --------- d-----w C:\Documents and Settings\Karlaa\Application Data\MySpace
2007-10-31 21:09 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-10-26 01:03 --------- d-----w C:\Documents and Settings\Karlaa\Application Data\Otto
2007-10-26 01:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Otto
2007-10-16 18:40 91,520 ----a-w C:\WINDOWS\HPBroker.dll
2007-09-21 04:52 654 ----a-w C:\Documents and Settings\Karlaa\Application Data\wklnhst.dat
2007-06-16 19:24 434,316 ----a-w C:\Program Files\lame-3.97.zip
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-30_15.17.13.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 23:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-08 10:32:45 141,824 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-10 00:33:59 102,400 ----a-r C:\WINDOWS\Installer\{4F5CE18C-D97D-48FF-A510-A0D90C918294}\iTunesIco.exe
+ 2007-12-06 22:08:44 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2007-12-06 22:08:44 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-03 19:11:57 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-12-03 19:11:57 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-12-03 19:11:57 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-12-03 19:11:57 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-01-31 13:33:46 5,632 ----a-w C:\WINDOWS\system32\drivers\avgarkt.sys
+ 2007-07-11 20:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 19:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 19:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2007-11-21 01:10:51 263,024 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-12-06 07:46:22 264,616 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2005-11-11 02:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 05:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-11 02:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 05:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-11 04:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 06:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-12-11 20:53:34 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_7d0.dat
+ 2007-12-11 20:54:51 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_a94.dat
+ 2005-08-26 22:28:34 143,360 ----a-w C:\WINDOWS\unzip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 11:43]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 06:51]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-05 11:04]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 22:58]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-15 21:00 C:\WINDOWS\system32\rundll32.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 04:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 22:22]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 21:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 11:33]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 16:18]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 10:23]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-17 12:53]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-18 19:31]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-14 23:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 13:11]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2007-11-16 07:51]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Program Files\Vongo\Tray.exe [2006-05-09 13:09:32]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Program Files\Vongo\Tray.exe [2006-05-09 13:09:32]

C:\Documents and Settings\conanan\Start Menu\Programs\Startup\
Vongo Tray.lnk - C:\Program Files\Vongo\Tray.exe [2006-05-09 13:09:32]

C:\Documents and Settings\Karlaa\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-13 06:21:02]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 09:39:30]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-22 22:21:47]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-11-13 18:27:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R1 NDISRD;NDISRD;\??\C:\WINDOWS\system32\drivers\NDISRD.sys
R1 OADevice;OADriver;\??\C:\WINDOWS\system32\drivers\OADriver.sys
R1 OAmon;OAmon;\??\C:\WINDOWS\system32\drivers\OAmon.sys
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe"
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-10 23:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 13:55:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???0?????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 13:57:08 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-10 15:36
C:\ComboFix3.txt ... 2007-12-10 15:14
.
--- E O F ---

Karren
2007-12-11, 22:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:39 PM, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Karlaa\Desktop\karren.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&modelID=RG414UA&product_full_name=HP%20Pavilion%20dv2000&PROD_SERIAL_ID=HP%20Pavilion%20dv2000%20(RG414UA#ABA)&PURCH_DT_MONTH=12&PURCH_DT_DAY=13&PURCH_DT_YEAR=2006&gwCountry=US&language=EN&prodOS=012
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZKxdm021MWUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsnwww-qa.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www-qa.worldwinner.com/games/shared/wwlaunch.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 13847 bytes

Mr_JAk3
2007-12-12, 20:18
We'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply, then OK, and close My Computer.

Delete these folders via My Computer (if found):
C:\WINDOWS\system32\mm6
C:\WINDOWS\system32\hv2
C:\WINDOWS\system32\ft21
C:\WINDOWS\system32\dr1
C:\WINDOWS\S2FybGFh

Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look whether you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.

Karren
2007-12-12, 23:32
RegUBP2b-conanan.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
RegUBP2b-Karlaa.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
NPMyWebS.dll;C:\Program Files\Netscape\Netscape Browser\plugins;Adware.Websearch;Incurable.Moved.;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Moved.;
winlogon.exe.vir\data001;C:\qoobox\Quarantine\C\winlogon.exe.vir;Tool.FirePassword;;
winlogon.exe.vir\data002;C:\qoobox\Quarantine\C\winlogon.exe.vir;Tool.Netpass;;
winlogon.exe.vir\data003;C:\qoobox\Quarantine\C\winlogon.exe.vir;Tool.PassView;;
winlogon.exe.vir;C:\qoobox\Quarantine\C;Archive contains infected objects;Moved.;
popcaploader.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\Downloaded Program Files;Program.PopcapLoader;Incurable.Moved.;
daSgo051080.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\daSgo05;Trojan.DownLoader.24715;Deleted.;
daSgo182328.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\daSgo18;Trojan.DownLoader.24715;Deleted.;
brandit.exe;C:\SWSetup\BrandIt\Disk1;Probably STPAGE.Trojan;Incurable.Moved.;
A0031525.scr;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031526.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031527.dll;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Funweb;Incurable.Moved.;
A0031528.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Trojan.Funweb;Deleted.;
A0031531.EXE;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031533.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.MWS;Incurable.Moved.;
A0031534.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031535.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031536.EXE;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031537.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031539.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Funweb;Incurable.Moved.;
A0031540.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031541.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031542.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Trojan.Isbar.438;Deleted.;
A0031543.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Funweb;Incurable.Moved.;
A0031544.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Funweb;Incurable.Moved.;
A0031545.SCR;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031546.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Funweb;Incurable.Moved.;
A0031547.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031548.EXE;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031549.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Trojan.DownLoader.7028;Deleted.;
A0031550.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Funweb;Incurable.Moved.;
A0031551.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031553.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031554.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.MWS;Incurable.Moved.;
A0031556.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031558.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031559.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031560.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031562.EXE;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031563.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031564.DLL;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Websearch;Incurable.Moved.;
A0031652.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP291;Trojan.DownLoader.24715;Deleted.;
A0031653.exe\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP291\A0031653.exe;Tool.FirePassword;;
A0031653.exe\data002;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP291\A0031653.exe;Tool.Netpass;;
A0031653.exe\data003;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP291\A0031653.exe;Tool.PassView;;
A0031653.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP291;Archive contains infected objects;Moved.;
A0031752.exe\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP292\A0031752.exe;Tool.FirePassword;;
A0031752.exe\data002;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP292\A0031752.exe;Tool.Netpass;;
A0031752.exe\data003;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP292\A0031752.exe;Tool.PassView;;
A0031752.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP292;Archive contains infected objects;Moved.;
A0031754.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP292;Trojan.DownLoader.24715;Deleted.;
A0031892.exe\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP293\A0031892.exe;Tool.FirePassword;;
A0031892.exe\data002;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP293\A0031892.exe;Tool.Netpass;;
A0031892.exe\data003;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP293\A0031892.exe;Tool.PassView;;
A0031892.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP293;Archive contains infected objects;Moved.;
A0032022.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP295;Trojan.DownLoader.24715;Deleted.;
A0032444.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP298;Trojan.DownLoader.24715;Deleted.;
A0035380.reg;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP307;Trojan.StartPage.1505;Deleted.;
A0035456.exe\data001;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP308\A0035456.exe;Tool.FirePassword;;
A0035456.exe\data002;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP308\A0035456.exe;Tool.Netpass;;
A0035456.exe\data003;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP308\A0035456.exe;Tool.PassView;;
A0035456.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP308;Archive contains infected objects;Moved.;
A0035516.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP309;Trojan.DownLoader.24715;Deleted.;
A0035517.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP309;Trojan.DownLoader.24715;Deleted.;
A0035718.reg;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP310;Trojan.StartPage.1505;Deleted.;
A0035719.reg;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP310;Trojan.StartPage.1505;Deleted.;
A0035720.exe;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP310;Trojan.Click.2093;Deleted.;
mllmm.dll.bad;C:\VundoFix Backups;Trojan.Virtumod.248;Deleted.;
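
The CureIt report above is a semicolon-separated list (name;directory;threat;action;), and most of its hits sit in System Restore points and in the backup folders of earlier cleaning tools (qoobox, VundoFix Backups, Spybot snapshots) rather than in live locations. The following is an added triage script, not part of this thread or of Dr.Web's own tooling; it parses records in that shape and sorts them by where they live, so the handful of detections in live paths stand out. The folder markers it uses to recognise restore points and tool backups are an assumption taken from the paths seen in this report, and the sample input is a constructed subset of the lines above.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) by where each detection lives.

Record shape: name;directory;threat;action;  (four fields, trailing ';').
A name containing a backslash is a member inside an archive: its 'directory'
is the archive itself and the action field is empty (the archive gets the action).
Added example; not Dr.Web code.
"""
from collections import Counter

# Constructed sample: a subset of records in the CSV shape of the report above.
SAMPLE_REPORT = r"""RegUBP2b-conanan.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
NPMyWebS.dll;C:\Program Files\Netscape\Netscape Browser\plugins;Adware.Websearch;Incurable.Moved.;
winlogon.exe.vir\data001;C:\qoobox\Quarantine\C\winlogon.exe.vir;Tool.FirePassword;;
winlogon.exe.vir;C:\qoobox\Quarantine\C;Archive contains infected objects;Moved.;
A0031525.scr;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP289;Adware.Msearch;Incurable.Moved.;
A0031653.exe\data002;C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP291\A0031653.exe;Tool.Netpass;;
mllmm.dll.bad;C:\VundoFix Backups;Trojan.Virtumod.248;Deleted.;
"""

# Locations holding copies already neutralised by a tool, not running code.
# These markers are an assumption of this example, taken from the paths that
# appear in the report; adjust them for the tools actually used on a machine.
BACKUP_MARKERS = (
    r"C:\qoobox\Quarantine",                   # ComboFix quarantine
    r"C:\VundoFix Backups",                    # VundoFix backups
    r"Spybot - Search & Destroy\Snapshots",    # Spybot registry snapshots
    r"Spybot - Search & Destroy\Recovery",     # Spybot recovery copies
)
RESTORE_MARKER = r"\System Volume Information\_restore"


def classify(directory: str) -> str:
    """Return 'restore_point', 'tool_backup' or 'live' for a report directory."""
    d = directory.lower()
    if RESTORE_MARKER.lower() in d:
        return "restore_point"
    if any(m.lower() in d for m in BACKUP_MARKERS):
        return "tool_backup"
    return "live"


def parse_report(text: str) -> list:
    """Parse name;directory;threat;action; records into dicts."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(";")
        if len(parts) < 4:
            continue  # malformed line: skip rather than guess
        name, directory, threat, action = parts[:4]
        records.append({
            "name": name,
            "directory": directory,
            "threat": threat,
            "action": action or None,          # empty for archive members
            "archive_member": "\\" in name,
            "location": classify(directory),
        })
    return records


def triage(text: str) -> dict:
    """Count detections per location and list the live (non-backup) files."""
    records = parse_report(text)
    counts = Counter(r["location"] for r in records)
    live = sorted({r["directory"] + "\\" + r["name"] for r in records
                   if r["location"] == "live" and not r["archive_member"]})
    return {"total": len(records), "counts": dict(counts), "live_files": live}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("records:", result["total"], "by location:", result["counts"])
    for path in result["live_files"]:
        print("live detection:", path)
```

Run on the real DrWeb.csv, the same function shows at a glance why the follow-up advice later in the thread is to clear System Restore: the restore-point copies are dormant, but they come back if a restore point is applied.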

Karren
2007-12-12, 23:33
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:31 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Karlaa\Desktop\karren.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.servlets.ProdReg1Servlet?appID=java_wreg_wreg_genpg&modelID=RG414UA&product_full_name=HP%20Pavilion%20dv2000&PROD_SERIAL_ID=HP%20Pavilion%20dv2000%20(RG414UA#ABA)&PURCH_DT_MONTH=12&PURCH_DT_DAY=13&PURCH_DT_YEAR=2006&gwCountry=US&language=EN&prodOS=012
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZKxdm021MWUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsnwww-qa.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www-qa.worldwinner.com/games/shared/wwlaunch.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 13680 bytes

Karren
2007-12-12, 23:38
Thanks for helping me. I'd like to pay you for your help. Do you have PayPal? Or, if you'd like, I could donate to Spybot or something else of your choosing.

Mr_JAk3
2007-12-13, 19:55
Hi again, it is looking clean now :)

This leftover can be fixed with HijackThis:
O8 - Extra context menu item: &Search - ?p=ZKxdm021MWUS

The help here is free but donations (http://www.spybot.info/en/donate/index.html) are always very appreciated. Thank you :)

You can remove the tools we used.
This backup folder can go too, C:\qoobox

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)
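
The one leftover the helper points at is an O8 (Internet Explorer context-menu) entry whose target, "?p=ZKxdm021MWUS", is neither a local file nor a URL with a scheme, unlike the Yahoo! and Excel entries next to it, which point at file:/// and res:// resources. The script below is an added example, not HijackThis's own code or anything posted in this thread; it parses O8 lines from a HijackThis log and flags those whose target has no URL scheme and is not an absolute Windows path. It generalises the single entry above into a rule, and the acceptable-target pattern is that rule's assumption. The sample log is a constructed subset of lines from the HijackThis log posted earlier.

```python
"""Flag HijackThis O8 context-menu entries with unresolvable targets.

Added example, not HijackThis code. The rule: a legitimately installed menu
item points at a URL with a scheme (file:///, res://, http://, https://) or
at an absolute local path; anything else deserves a manual look.
"""
import re

# Constructed sample: O8 lines (plus one unrelated O4 line) as seen in the log above.
SAMPLE_LOG = r"""O8 - Extra context menu item: &Search - ?p=ZKxdm021MWUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# "O8 - Extra context menu item: <menu text> - <target>"; the menu text is
# matched non-greedily so the first " - " after it starts the target.
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<name>.+?) - (?P<target>.*)$")

# Assumed whitelist shape for a target: "<scheme>://..." or "<drive>:\...".
OK_TARGET_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|[A-Za-z]:\\)", re.IGNORECASE)


def parse_o8(log_text: str) -> list:
    """Return (menu_text, target) tuples for every O8 line in the log."""
    items = []
    for line in log_text.splitlines():
        m = O8_RE.match(line.strip())
        if m:
            items.append((m.group("name"), m.group("target")))
    return items


def suspicious_o8(log_text: str) -> list:
    """O8 entries whose target is neither a schemed URL nor an absolute path."""
    return [(name, target) for name, target in parse_o8(log_text)
            if not OK_TARGET_RE.match(target)]


if __name__ == "__main__":
    for name, target in suspicious_o8(SAMPLE_LOG):
        print(f"check manually: O8 {name!r} -> {target!r}")
```

The flagged entry is exactly the one the helper asked to fix; entries this rule flags still need a human decision, since it only tells you the target cannot be resolved, not what installed it.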

Karren
2007-12-14, 01:10
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 13, 2007 10:24:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/12/2007
Kaspersky Anti-Virus database records: 481147
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 74804
Number of viruses found: 18
Number of infected objects: 41
Number of suspicious objects: 4
Duration of the scan process: 01:29:46

Infected Object Name / Virus Name / Last Action
C:\50ef21957bdd43b9d0\update\update.exe Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant3.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A994195.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A994195.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A994195.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A994195.zip ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A994195.zip CryptFF: infected - 3 skipped
C:\Documents and Settings\Karlaa\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\cert8.db Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\history.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\key3.db Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\parent.lock Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\OnlineArmor\client.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\call256.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\chat512.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\index2.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\profile256.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\user1024.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\user16384.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Skype\karren.stephens\user256.dbb Object is locked skipped
C:\Documents and Settings\Karlaa\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3d738993/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Karlaa\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-3d738993 ZIP: infected - 1 skipped
C:\Documents and Settings\Karlaa\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031525.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031526.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031527.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031531.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031533.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031534.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031535.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031536.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031537.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031539.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031540.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031541.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031543.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031544.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031545.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031546.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031547.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031548.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031550.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031551.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031553.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031554.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031556.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031558.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031559.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031560.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031562.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031563.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\A0031564.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine\popcaploader.dll.vir Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Documents and Settings\Karlaa\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Karlaa\History\History.IE5\MSHist012007121220071213\index.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Incomplete\T-227703846-Family Guy - 105 - A Hero Sits Next Door.mp4 Object is locked skipped
C:\Documents and Settings\Karlaa\Incomplete\T-366233600-CSI Las Vegas - 719 - Big Shots.avi Object is locked skipped
C:\Documents and Settings\Karlaa\Incomplete\T-366395392-CSI Las Vegas - 705 Double Cross.avi Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Adobe\Updater5\aumLib.log Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Application Data\Mozilla\Firefox\Profiles\6jhq5g1x.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Temp\Acr817A.tmp Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Temp\hsperfdata_Karlaa\4604 Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Temp\~DF41AA.tmp Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Temp\~DF5E01.tmp Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Temp\~DF6A66.tmp Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Temp\~DFDBFC.tmp Object is locked skipped
C:\Documents and Settings\Karlaa\Local Settings\Temp\~DFF3B5.tmp Object is locked skipped
C:\Documents and Settings\Karlaa\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Karlaa\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Karlaa\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Karlaa\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

Mr_JAk3
2007-12-15, 12:17
Hi again :)

The infections were found in the quarantine sections. They cannot harm you from there but we may empty the quarantines...

Follow these instructions for Spybot quarantine (http://www.safer-networking.org/en/faq/4.html)
Follow these instructions for Norton quarantine (http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506)
Delete all the files from this folder:
C:\Documents and Settings\Karlaa\DoctorWeb\Quarantine

Now Kaspersky shouldn't find any infections anymore :santa:

tashi
2007-12-26, 08:43
Duplicate topic: http://forums.spybot.info/showthread.php?p=142381#post142381