View Full Version : Infected with Virtumonde!!
Terry Paul Smith
2008-01-21, 10:58
Hello,
I am infected with the Virtumonde!! malware. I have followed Tashi's instructions in respect to "BEFORE you POST" etc.
I have both the Hijackthis and Kaspersky files ready for review and instruction. I cannot paste the Hijackthis file as the text is too long 23571.
Please advise....SOS!
steamwiz
2008-01-22, 00:31
Hi
Split your logs into a size that will post ... use as many posts as you have to ...
steam
Terry Paul Smith
2008-01-23, 13:01
Steamwiz,
Thanks...here is the first part of the Hijackthis file >
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:14 PM, on 21/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Terry Smith\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvdog.dll,startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165494530855
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
Terry Paul Smith
2008-01-23, 13:04
Steamwiz,
Here is the second part of the Hijackthis file >
O18 - Protocol: bw+0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: wingqn32 - C:\WINDOWS\SYSTEM32\wingqn32.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 23504 bytes
Terry Paul Smith
2008-01-23, 13:08
Steamwiz,
Here is the Kaspersky txt file...PT1
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 7:33:47 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524621
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 150441
Number of viruses found: 5
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 02:32:40
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{19A3E056-7891-4B10-8F13-AFF58E355B8B}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{5A194123-4AD8-4288-BA55-6A53CDC707B5}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{76CA5E42-AC77-4BF8-A099-1700CCFD5632}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{DE6FB16D-5D3A-4DA4-B796-3ACFFFF1904B}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-20_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{CC7FCD2A-22BA-4FA1-8481-84CB65727891}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{CC7FCD2A-22BA-4FA1-8481-84CB65727891}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\5427970A.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A465D668.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Terry Smith\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Terry Smith\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Terry Smith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbeam Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\hp Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\16host.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\16power.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\fla372A.tmp Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\gos590.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\gos59F.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\IMG33F.tmp Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\look32.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\monpower.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\powerserver.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\svhost.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\svsv.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\svwin.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\syslook.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\~DF326B.tmp Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\~DF6FE8.tmp Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\~DFDF73.tmp Object is locked skipped
C:\Documents and Settings\Terry Smith\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Terry Smith\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Terry Smith\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\BWDocMap.pht Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\BWInfopakMap.pht Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\L0000008.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Terry Smith\Data\storydb.idx Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
Terry Paul Smith
2008-01-23, 13:10
Steamwiz,
Here is the Kaspersky txt file...PT2
C:\RECYCLER\S-1-5-21-2431359442-1219533242-3910691260-1005\Dc524.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dnj skipped
C:\RECYCLER\S-1-5-21-2431359442-1219533242-3910691260-1005\Dc524.rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\RECYCLER\S-1-5-21-2431359442-1219533242-3910691260-1005\Dc524.rar RAR: infected - 2 skipped
C:\RECYCLER\S-1-5-21-2431359442-1219533242-3910691260-1005\Dc525.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.dnj skipped
C:\RECYCLER\S-1-5-21-2431359442-1219533242-3910691260-1005\Dc525.rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\RECYCLER\S-1-5-21-2431359442-1219533242-3910691260-1005\Dc525.rar RAR: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP419\A0052147.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP420\A0053135.exe Infected: Trojan-Downloader.Win32.Agent.hat skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP421\A0053149.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP421\A0053150.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP421\A0054135.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP422\A0054218.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP425\A0054588.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP425\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A5DFEE33-C8E6-4CDF-8AEF-B38B74FF9203}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7C3C4F09-76A3-41BD-8038-472D710E214E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drvdog.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\system32\drvluv.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\msmq\storage\QMLog Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wingqn32.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\Temp\gos2B1A.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\Temp\JET95A0.tmp Object is locked skipped
C:\WINDOWS\Temp\win231E.tmp Object is locked skipped
C:\WINDOWS\Temp\win231F.tmp Object is locked skipped
C:\WINDOWS\Temp\win2320.tmp Object is locked skipped
C:\WINDOWS\Temp\win2321.tmp Object is locked skipped
C:\WINDOWS\Temp\win372C.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\RECYCLER\NPROTECT\00000000.exe Object is locked skipped
H:\RECYCLER\NPROTECT\00000001.exe Object is locked skipped
H:\RECYCLER\NPROTECT\00000002._P Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
steamwiz
2008-01-23, 21:54
Hi
First ...
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
ALL the O18 - Protocol: entries ... like these :-
O18 - Protocol: bw+0 - {5E8B963A-D876-4284-AFD9-34798957A7B2} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
Second ...
Please Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
---
THEN ...
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
THEN ...
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Please remember to post :-
1. SUPERAntiSpyware Scan Log
2. C:\ComboFix.txt
3. a new hijackthis log.( run after everything else)
steam
Terry Paul Smith
2008-01-26, 09:38
Hi Steam,
I have done as instructed....here are the logs.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/26/2008 at 01:11 PM
Application Version : 3.9.1008
Core Rules Database Version : 3388
Trace Rules Database Version: 1382
Scan type : Complete Scan
Total Scan Time : 01:44:50
Memory items scanned : 611
Memory threats detected : 0
Registry items scanned : 8276
Registry threats detected : 10
File items scanned : 125251
File threats detected : 0
Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
ComboFix 08-01-23.1C - Terry Smith 2008-01-26 16:27:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.505 [GMT 11:00]
Running from: C:\Documents and Settings\Terry Smith\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\wingqn32.dll
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.
2008-01-26 16:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 11:21 . 2008-01-26 13:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 11:21 . 2008-01-26 11:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 11:12 . 2008-01-26 11:12 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 11:02 . 2008-01-26 11:02 24,064 --a------ C:\195 Old Canterbury Road.doc
2008-01-20 19:57 . 2008-01-20 19:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-19 10:58 . 2008-01-26 16:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 10:58 . 2008-01-19 10:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 10:56 . 2008-01-19 10:56 <DIR> d-------- C:\Program Files\iTunes
2008-01-19 10:56 . 2008-01-19 10:56 <DIR> d-------- C:\Program Files\iPod
2008-01-19 10:52 . 2008-01-19 10:53 <DIR> d-------- C:\Program Files\QuickTime
2008-01-19 10:42 . 2008-01-19 10:42 103,936 --a------ C:\WINDOWS\system32\drvdog.dll
2008-01-16 23:09 . 2008-01-16 23:09 3,583 --a------ C:\hijackthis.zip
2008-01-16 23:07 . 2008-01-16 23:07 0 --a------ C:\WINDOWS\WIN.INI
2008-01-14 22:37 . 2008-01-14 22:38 30,349 --a------ C:\Program Files\1010.exe
2008-01-14 22:36 . 2008-01-14 22:36 103,424 --a------ C:\WINDOWS\system32\drvluv.dll
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 02:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-16 10:51 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-14 11:40 --------- d-----w C:\Program Files\Oberon Media
2008-01-14 11:18 --------- d-----w C:\Program Files\GemMaster
2007-12-21 21:54 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-19 06:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-19 06:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-19 06:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-19 06:46 --------- d-----w C:\Program Files\Symantec
2007-12-14 23:28 --------- d-----w C:\Program Files\Windows Sidebar
2007-11-30 12:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 12:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 12:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 12:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 12:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 12:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 12:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 12:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 12:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 14:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-12-15 10:27 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 14:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 15:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 22:50 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"="C:\WINDOWS\system32\drvdog.dll" [2008-01-19 10:42 103936]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 16:58 7581696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 12:17 443968]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 10:43:54 11000]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22 581693]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-07 19:41:30 102400]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-25 03:39:30 73728]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-01-04 19:05:49 671744]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-10 21:58:30 118784]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-16 23:07:50 389120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingqn32]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
R2 DLSDB;Dell Printer Status Database;C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2005-08-25 17:53]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-25 16:07]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2006-07-06 10:28]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 11:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 MODBDA2;DiBcom MOD3000 TV receiver;C:\WINDOWS\system32\Drivers\modbda2.sys [2006-06-13 12:53]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 11:27]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 09:21:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 09:49:33 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Terry Smith.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 16:35:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\drvdog.dll
.
Completion time: 2008-01-26 16:37:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-26 05:37:32
.
2008-01-09 16:03:25 --- E O F ---
Terry Paul Smith
2008-01-26, 09:40
Steam,
Here is the hijackthis log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:22 PM, on 26/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Terry Smith\Desktop\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvdog.dll,startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165494530855
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 12338 bytes
steamwiz
2008-01-26, 21:00
Hi
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\drvdog.dll
C:\Program Files\1010.exe
C:\WINDOWS\system32\drvluv.dll
C:\WINDOWS\system32\wingqn32.dll
C:\WINDOWS\Temp\gos2B1A.tmp
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingqn32]
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
THEN ...
Empty your recycle bin
Run a new KASPERSKY ONLINE SCAN & post the log ...
steam
Terry Paul Smith
2008-01-28, 08:24
Hi Steam,
Here are the logs....
omboFix 08-01-23.1C - Terry Smith 2008-01-28 9:46:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.349 [GMT 11:00]
Running from: C:\Documents and Settings\Terry Smith\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\Program Files\1010.exe
C:\WINDOWS\system32\drvdog.dll
C:\WINDOWS\system32\drvluv.dll
C:\WINDOWS\system32\wingqn32.dll
C:\WINDOWS\Temp\gos2B1A.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\1010.exe
C:\WINDOWS\system32\drvluv.dll
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-26 16:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 11:21 . 2008-01-26 13:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 11:21 . 2008-01-26 11:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 11:12 . 2008-01-26 11:12 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 11:02 . 2008-01-26 11:02 24,064 --a------ C:\195 Old Canterbury Road.doc
2008-01-20 19:57 . 2008-01-20 19:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-19 10:58 . 2008-01-26 16:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 10:58 . 2008-01-19 10:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 10:56 . 2008-01-19 10:56 <DIR> d-------- C:\Program Files\iTunes
2008-01-19 10:56 . 2008-01-19 10:56 <DIR> d-------- C:\Program Files\iPod
2008-01-19 10:52 . 2008-01-19 10:53 <DIR> d-------- C:\Program Files\QuickTime
2008-01-16 23:09 . 2008-01-16 23:09 3,583 --a------ C:\hijackthis.zip
2008-01-16 23:07 . 2008-01-16 23:07 0 --a------ C:\WINDOWS\WIN.INI
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 22:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-16 10:51 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-14 11:40 --------- d-----w C:\Program Files\Oberon Media
2008-01-14 11:18 --------- d-----w C:\Program Files\GemMaster
2007-12-21 21:54 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-19 06:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-19 06:46 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-19 06:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-19 06:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-19 06:46 --------- d-----w C:\Program Files\Symantec
2007-12-14 23:28 --------- d-----w C:\Program Files\Windows Sidebar
2007-11-30 12:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 12:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 12:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 12:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 12:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 12:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 12:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 12:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 12:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 06:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-26_16.37.18.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 05:26:54 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 22:45:49 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 05:26:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 22:45:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 05:26:55 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 22:45:49 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-26 05:26:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 22:45:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 05:26:55 7,872,512 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 22:45:49 7,892,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 05:26:55 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 22:45:49 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 14:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-12-15 10:27 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 14:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 15:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 22:50 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 16:58 7581696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 12:17 443968]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 10:43:54 11000]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22 581693]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-07 19:41:30 102400]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-25 03:39:30 73728]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-01-04 19:05:49 671744]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-10 21:58:30 118784]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-16 23:07:50 389120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
R2 DLSDB;Dell Printer Status Database;C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2005-08-25 17:53]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-25 16:07]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2006-07-06 10:28]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 11:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 MODBDA2;DiBcom MOD3000 TV receiver;C:\WINDOWS\system32\Drivers\modbda2.sys [2006-06-13 12:53]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 11:27]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 09:21:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 09:49:33 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Terry Smith.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 09:50:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-28 9:50:33
ComboFix-quarantined-files.txt 2008-01-27 22:50:31
ComboFix2.txt 2008-01-26 05:37:36
.
2008-01-09 16:03:25 --- E O F ---
Terry Paul Smith
2008-01-28, 08:26
Hi Steam,
Here are the logs....
ComboFix 08-01-23.1C - Terry Smith 2008-01-28 9:46:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.349 [GMT 11:00]
Running from: C:\Documents and Settings\Terry Smith\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\Program Files\1010.exe
C:\WINDOWS\system32\drvdog.dll
C:\WINDOWS\system32\drvluv.dll
C:\WINDOWS\system32\wingqn32.dll
C:\WINDOWS\Temp\gos2B1A.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\1010.exe
C:\WINDOWS\system32\drvluv.dll
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-26 16:26 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-26 11:21 . 2008-01-26 13:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-26 11:21 . 2008-01-26 11:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-26 11:12 . 2008-01-26 11:12 <DIR> d-------- C:\Program Files\CCleaner
2008-01-26 11:02 . 2008-01-26 11:02 24,064 --a------ C:\195 Old Canterbury Road.doc
2008-01-20 19:57 . 2008-01-20 19:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-19 10:58 . 2008-01-26 16:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 10:58 . 2008-01-19 10:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 10:56 . 2008-01-19 10:56 <DIR> d-------- C:\Program Files\iTunes
2008-01-19 10:56 . 2008-01-19 10:56 <DIR> d-------- C:\Program Files\iPod
2008-01-19 10:52 . 2008-01-19 10:53 <DIR> d-------- C:\Program Files\QuickTime
2008-01-16 23:09 . 2008-01-16 23:09 3,583 --a------ C:\hijackthis.zip
2008-01-16 23:07 . 2008-01-16 23:07 0 --a------ C:\WINDOWS\WIN.INI
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 22:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-16 10:51 --------- d-----w C:\Program Files\Norton Security Scan
2008-01-14 11:40 --------- d-----w C:\Program Files\Oberon Media
2008-01-14 11:18 --------- d-----w C:\Program Files\GemMaster
2007-12-21 21:54 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-19 06:46 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-19 06:46 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-19 06:46 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-19 06:46 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-19 06:46 --------- d-----w C:\Program Files\Symantec
2007-12-14 23:28 --------- d-----w C:\Program Files\Windows Sidebar
2007-11-30 12:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 12:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 12:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 12:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 12:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 12:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 12:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 12:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 12:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:35 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 06:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 06:40 222,720 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-26_16.37.18.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 05:26:54 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 22:45:49 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 05:26:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 22:45:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 05:26:55 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 22:45:49 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-26 05:26:55 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 22:45:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-26 05:26:55 7,872,512 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-27 22:45:49 7,892,992 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-26 05:26:55 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 22:45:49 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 14:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-12-15 10:27 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 14:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 15:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 22:50 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 16:58 7581696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 12:17 443968]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 10:43:54 11000]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 13:33:22 581693]
HP Pavilion Webcam Tray Icon.lnk - C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2006-12-07 19:41:30 102400]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-25 03:39:30 73728]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-01-04 19:05:49 671744]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-08-06 13:23:32 51776]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-10 21:58:30 118784]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-01-16 23:07:50 389120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
R2 DLSDB;Dell Printer Status Database;C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2005-08-25 17:53]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2007-08-25 16:07]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\WINDOWS\system32\DRIVERS\snp2uvc.sys [2006-07-06 10:28]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 11:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 MODBDA2;DiBcom MOD3000 TV receiver;C:\WINDOWS\system32\Drivers\modbda2.sys [2006-06-13 12:53]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 11:27]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 09:21:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 09:49:33 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Terry Smith.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 09:50:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-28 9:50:33
ComboFix-quarantined-files.txt 2008-01-27 22:50:31
ComboFix2.txt 2008-01-26 05:37:36
.
2008-01-09 16:03:25 --- E O F ---
Terry Paul Smith
2008-01-28, 08:27
Hijackthis...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:31 AM, on 28/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Terry Smith\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optuszoo.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165494530855
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 11930 bytes
Terry Paul Smith
2008-01-28, 08:29
Kaspersky....
KASPERSKY ONLINE SCANNER REPORT
Monday, January 28, 2008 5:23:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/01/2008
Kaspersky Anti-Virus database records: 534257
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 128012
Number of viruses found: 5
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 02:11:12
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{212152A0-38ED-4B77-9FAA-E0EA34AD4C74}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{7341B9DA-76D9-4663-BD01-E75E58202818}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{A7D2CD3A-1F71-4443-958D-09CDF0B6CBFA}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{CC7FCD2A-22BA-4FA1-8481-84CB65727891}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{CC7FCD2A-22BA-4FA1-8481-84CB65727891}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\615EFFC4.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\DA12EC45.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Terry Smith\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Terry Smith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Terry Smith\Local Settings\Temp\~DFA4D5.tmp Object is locked skipped
C:\Documents and Settings\Terry Smith\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Terry Smith\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Terry Smith\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Terry Smith\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drvluv.dll.vir Infected: Trojan.Win32.Dialer.yz skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wingqn32.dll.vir Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP419\A0052147.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP420\A0053135.exe Infected: Trojan-Downloader.Win32.Agent.hat skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP421\A0053149.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP421\A0053150.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP421\A0054135.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP422\A0054218.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP422\A0054219.exe Infected: Trojan-Dropper.Win32.Agent.dvf skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP425\A0054588.exe Infected: Trojan-Downloader.Win32.Alphabet.bi skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP433\A0055794.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP434\A0055859.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP435\A0055870.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP435\A0055873.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP435\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{AB5EA526-EC6C-4EA2-B33F-961D93401046}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D9481882-0FD8-498D-9D3F-7A00BA7A03FC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\msmq\storage\QMLog Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETB1DB.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP435\change.log Object is locked skipped
E:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP435\change.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP435\change.log Object is locked skipped
H:\RECYCLER\NPROTECT\00000000.exe Object is locked skipped
H:\RECYCLER\NPROTECT\00000001.exe Object is locked skipped
H:\RECYCLER\NPROTECT\00000002._P Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP435\change.log Object is locked skipped
Scan process completed.
pskelley
2008-02-05, 02:29
G'Day Terry, I apologize for the wait, steamwiz is not available just now.
See This: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Check your Java program, I believe you need one update.
Your HJT log looks fine besides that, you can delete any program downloaded for the cleanup.
Kaspersky Online Scan:
C:\QooBox\Quarantine\ <<< delete that folder, empty the Recycle Bin on the Desktop
You have infected System Restore files, follow these directions to clean them:
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
If you followed those directions, the next Kaspersky scan wil be clean, no need to post a clean scan.
Let us know if we can do more.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Cheers...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.