Win32.tiny.abk



Jezebel
2008-02-10, 19:17
As many of you are aware, once you have this you can hardly function on the Internet.. So please do not flame me if this has been asked, as I keep losing my connection etc., so searching is impossible till this is gone!!

I am looking for a fix to get rid of this. I am on XP using AVG and Spybot... I have deleted it but it comes back.

I am not what you would call PC SAVVY, so nothing complicated.. this explanation needs to be in WAY LAYMAN'S TERMS PLEASE...

Hope you can help x

tashi
2008-02-10, 20:14
Hi there.

As many of you are aware - once you have this then you can hardly function on the Internet..
Done what? :)

Our helpers would need to see a log to analyze the situation, can you do this:


Note:

If you have lost your Internet connection on the infected computer, or otherwise cannot post from that machine; you can download HJT to a clean PC if one is available.

Upload to infected machine
Place HJT into own folder
Run HJT on the infected PC and post the log you produce using the clean PC.
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

If so, copy and paste the HJT log into a new topic, and a helper will assist you as soon as available.

Best regards.

Jezebel
2008-02-10, 20:26
ek.. you totally lost me there.

Ok I will have my partner look at this thread when he gets home. He will know what it means and he can then send me instructions on how to do it.

Thanks tho.. x

Jezebel
2008-02-10, 23:27
Ok .. here goes - it's taken me all night to do this!!
Actually did it myself in the end.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:03, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Carrie Simpson\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154531028818
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7721 bytes



KASPERSKY ONLINE SCANNER REPORT
Sunday, February 10, 2008 9:23:29 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/02/2008
Kaspersky Anti-Virus database records: 556123
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 57356
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 4
Duration of the scan process: 01:19:19

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20080210-111654.backup Infected: Trojan.Win32.Qhost skipped
C:\WINDOWS\system32\drivers\etc\hosts.20080210-123538.backup Infected: Trojan.Win32.Qhost skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobPerfectCodec.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobPerfectCodec.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobPerfectCodec1.zip/iesuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobPerfectCodec1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4PMB4HIB\df34[1].htm Infected: not-a-virus:AdWare.Win32.BHO.vm skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Carrie Simpson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Carrie Simpson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Local Settings\Temp\~DF6789.tmp Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Local Settings\Temp\~DF67C4.tmp Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Carrie Simpson\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-4695fbb6.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Carrie Simpson\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-4695fbb6.zip ZIP: infected - 1 skipped
C:\Recycled\Dc1.backup Infected: Trojan.Win32.Qhost skipped
C:\Recycled\Dc2.backup Infected: Trojan.Win32.Qhost skipped
C:\Recycled\Dc3.backup Infected: Trojan.Win32.Qhost skipped

Scan process completed.

little eagle
2008-02-17, 14:49
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have ComboFix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no Internet connection when ComboFix has completely finished, then restart your computer to restore the connection.

3. Now double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.

Jezebel
2008-02-23, 15:33
ComboFix 08-02-23.2 - Carrie Simpson 2008-02-23 13:47:06.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.76 [GMT 0:00]
Running from: C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-23 13:38 . 2008-02-23 13:38 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 12:54 . 2008-02-10 12:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 12:53 . 2008-02-10 12:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 12:48 . 2008-02-10 12:48 <DIR> d-------- C:\Program Files\Abexo
2008-02-10 11:08 . 2008-02-10 11:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 11:08 . 2008-02-10 11:08 3,485 --a------ C:\WINDOWS\unins000.dat
2008-02-10 10:32 . 2008-02-10 10:32 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-02-10 00:30 . 2008-02-10 00:30 <DIR> d-------- C:\Program Files\Registry Clean Pro
2008-02-10 00:30 . 2000-12-08 20:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-02-06 22:04 . 2008-02-06 22:04 244 --ah----- C:\sqmnoopt18.sqm
2008-02-06 22:04 . 2008-02-06 22:04 232 --ah----- C:\sqmdata18.sqm
2008-02-06 21:46 . 2008-02-06 21:46 244 --ah----- C:\sqmnoopt17.sqm
2008-02-06 21:46 . 2008-02-06 21:46 232 --ah----- C:\sqmdata17.sqm
2008-02-06 21:44 . 2008-02-06 21:44 244 --ah----- C:\sqmnoopt16.sqm
2008-02-06 21:44 . 2008-02-06 21:44 232 --ah----- C:\sqmdata16.sqm
2008-02-06 21:40 . 2008-02-06 21:40 244 --ah----- C:\sqmnoopt15.sqm
2008-02-06 21:40 . 2008-02-06 21:40 232 --ah----- C:\sqmdata15.sqm
2008-02-06 07:54 . 2008-02-06 07:54 <DIR> d--hs---- C:\FOUND.048
2008-02-01 07:11 . 2008-02-01 07:11 <DIR> d--hs---- C:\FOUND.047
2008-01-31 07:11 . 2008-01-31 07:11 <DIR> d--hs---- C:\FOUND.046
2008-01-28 18:48 . 2008-01-28 18:48 <DIR> d--hs---- C:\FOUND.045
2008-01-24 16:52 . 2008-01-24 16:52 <DIR> d--hs---- C:\FOUND.044
2008-01-24 06:56 . 2008-01-24 06:56 <DIR> d--hs---- C:\FOUND.043

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 20:34 120 ----a-w C:\tempdel.bat
2008-01-21 20:20 54,764 ----a-w C:\WINDOWS\system32\drivers\astq.tga
2007-12-17 23:03 53,928 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\GDIPFONTCACHEV1.DAT
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-24 13:54 5,732 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-10-26 16:18 212992]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07 32768]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02 94208]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2005-06-06 11:52 69632]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2005-07-25 13:34 81920]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-10-31 19:05 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 20:30 579072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 20:31 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-03-04 16:37]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 06:46:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-10 22:25:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 13:48:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 13:49:45
.
2008-01-27 13:29:00 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:51:22, on 23/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Carrie Simpson\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154531028818
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7469 bytes

little eagle
2008-02-23, 15:45
Open notepad and copy/paste the text in the codebox below into it:

Folder::
C:\FOUND.048
C:\FOUND.047
C:\FOUND.046
C:\FOUND.045
C:\FOUND.044
C:\FOUND.043

Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Jezebel
2008-02-24, 13:00
ComboFix 08-02-23.2 - Carrie Simpson 2008-02-24 11:52:08.2 - FAT32x86
Running from: C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Carrie Simpson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.043
C:\FOUND.043\FILE0000.CHK
C:\FOUND.044
C:\FOUND.044\FILE0000.CHK
C:\FOUND.045
C:\FOUND.045\FILE0000.CHK
C:\FOUND.045\FILE0001.CHK
C:\FOUND.045\FILE0002.CHK
C:\FOUND.045\FILE0003.CHK
C:\FOUND.045\FILE0004.CHK
C:\FOUND.045\FILE0005.CHK
C:\FOUND.045\FILE0006.CHK
C:\FOUND.045\FILE0007.CHK
C:\FOUND.045\FILE0008.CHK
C:\FOUND.045\FILE0009.CHK
C:\FOUND.046
C:\FOUND.046\FILE0000.CHK
C:\FOUND.046\FILE0001.CHK
C:\FOUND.046\FILE0002.CHK
C:\FOUND.047
C:\FOUND.047\FILE0000.CHK
C:\FOUND.047\FILE0001.CHK
C:\FOUND.047\FILE0002.CHK
C:\FOUND.047\FILE0003.CHK
C:\FOUND.047\FILE0004.CHK
C:\FOUND.048
C:\FOUND.048\FILE0000.CHK

.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 12:54 . 2008-02-10 12:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 12:53 . 2008-02-10 12:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 12:48 . 2008-02-10 12:48 <DIR> d-------- C:\Program Files\Abexo
2008-02-10 11:08 . 2008-02-10 11:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 11:08 . 2008-02-10 11:08 3,485 --a------ C:\WINDOWS\unins000.dat
2008-02-10 10:32 . 2008-02-10 10:32 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-02-10 00:30 . 2008-02-10 00:30 <DIR> d-------- C:\Program Files\Registry Clean Pro
2008-02-10 00:30 . 2000-12-08 20:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-02-06 22:04 . 2008-02-06 22:04 244 --ah----- C:\sqmnoopt18.sqm
2008-02-06 22:04 . 2008-02-06 22:04 232 --ah----- C:\sqmdata18.sqm
2008-02-06 21:46 . 2008-02-06 21:46 244 --ah----- C:\sqmnoopt17.sqm
2008-02-06 21:46 . 2008-02-06 21:46 232 --ah----- C:\sqmdata17.sqm
2008-02-06 21:44 . 2008-02-06 21:44 244 --ah----- C:\sqmnoopt16.sqm
2008-02-06 21:44 . 2008-02-06 21:44 232 --ah----- C:\sqmdata16.sqm
2008-02-06 21:40 . 2008-02-06 21:40 244 --ah----- C:\sqmnoopt15.sqm
2008-02-06 21:40 . 2008-02-06 21:40 232 --ah----- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 20:34 120 ----a-w C:\tempdel.bat
2008-01-21 20:20 54,764 ----a-w C:\WINDOWS\system32\drivers\astq.tga
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-17 23:03 53,928 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\GDIPFONTCACHEV1.DAT
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-24 13:54 5,732 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-10-26 16:18 212992]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07 32768]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02 94208]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2005-06-06 11:52 69632]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2005-07-25 13:34 81920]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-10-31 19:05 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 20:30 579072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 20:31 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-03-04 16:37]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 06:46:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-24 11:25:06 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 11:53:43
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-24 11:54:15
ComboFix-quarantined-files.txt 2008-02-24 11:54:12
.
2008-02-23 15:20:15 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:11, on 24/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Carrie Simpson\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154531028818
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7594 bytes

little eagle
2008-02-24, 17:05
Click HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Jezebel
2008-02-24, 22:56
Incident Status Location

Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20080210-111654.backup
Virus:Trj/Spammer.AFL Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ASTQ.TGA
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@bs.serving-sys[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@bluestreak[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@adtech[2].txt
Spyware:Cookie/Intelli-tracker Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@www.intelli-tracker[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@adrevolver[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@as-eu.falkag[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@server.iad.liveperson[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@as1.falkag[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@adrevolver[3].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@realmedia[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@apmebf[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@serving-sys[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@go[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@as-us.falkag[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@burstnet[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@ads.pointroll[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@questionmarket[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@xmts[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@overture[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@tribalfusion[1].txt
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@stats1.clicktracks[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@ad.yieldmanager[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@statcounter[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@maxserving[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@tradedoubler[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@xiti[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@com[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@anm.co[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@hotlog[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@maxserving[3].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@revenue[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@centrport[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@weborama[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@as-us.falkag[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@overture[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@did-it[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@overture[4].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bs.serving-sys[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@realmedia[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@questionmarket[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@burstnet[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@stat.onestat[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@serving-sys[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@searchportal.information[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@ads.pointroll[2].txt

Jezebel
2008-02-24, 23:00
Damn it.. the 2nd half has been lost.. grr..

I will do the scan again !! It's too big to post in here in one go so I tried to copy and paste, but when I selected the 2nd portion it copied the first half. Sworry.. :oops:

Jezebel
2008-02-25, 00:05
Incident Status Location

Virus:Trj/Spammer.AFL Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ASTQ.TGA
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@bs.serving-sys[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@bluestreak[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@adtech[2].txt
Spyware:Cookie/Intelli-tracker Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@www.intelli-tracker[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@adrevolver[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@as-eu.falkag[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@server.iad.liveperson[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@as1.falkag[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@adrevolver[3].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@realmedia[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@apmebf[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@serving-sys[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@go[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@as-us.falkag[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@burstnet[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@ads.pointroll[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@questionmarket[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@xmts[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@overture[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@tribalfusion[1].txt
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@stats1.clicktracks[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@ad.yieldmanager[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@statcounter[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@maxserving[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@tradedoubler[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@xiti[1].txt

Jezebel
2008-02-25, 00:06
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@com[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@anm.co[2].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@hotlog[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@maxserving[3].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@revenue[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@centrport[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@weborama[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@as-us.falkag[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@overture[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie simpson@did-it[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@overture[4].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bs.serving-sys[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@realmedia[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@questionmarket[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@burstnet[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@stat.onestat[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@serving-sys[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@searchportal.information[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@ads.pointroll[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@trafficmp[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@stats.drivecleaner[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@tribalfusion[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@webpower[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bravenet[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@www.myaffiliateprogram[1].txt
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bilbo.counted[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@247realmedia[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@atwola[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@as-eu.falkag[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@uol.com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@did-it[2].txt

Jezebel
2008-02-25, 00:07
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@as-us.falkag[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@toplist[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@azjmp[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@questionmarket[4].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@hotlog[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@www.web-stat[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@overture[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@ads.pointroll[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@tribalfusion[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@as-eu.falkag[3].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@weborama[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@gostats[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@server.iad.liveperson[5].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@drivecleaner[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@247realmedia[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@trafficmp[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@www3.addfreestats[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@www6.addfreestats[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@stat.onestat[3].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bs.serving-sys[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@www.burstbeacon[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@burstnet[3].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@questionmarket[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@atwola[3].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@realmedia[3].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bravenet[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@trafficmp[3].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bravenet[4].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@yadro[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@stat.onestat[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@adtech[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@ads.pointroll[4].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@www2.addfreestats[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@server.iad.liveperson[9].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@atwola[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@247realmedia[3].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@bs.serving-sys[3].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@ads.addynamix[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Carrie Simpson\Cookies\carrie_simpson@tribalfusion[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Phil Hull\Cookies\phil_hull@com[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\FOUND.024\FILE0002.CHK
Spyware:Cookie/Serving-sys Not disinfected C:\FOUND.039\FILE0001.CHK

little eagle
2008-02-25, 05:31
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

Then run Panda one more time please :red:

Jezebel
2008-02-25, 13:53
Will do it when I get home.. It ain't looking good, is it? :sad:

little eagle
2008-02-25, 15:55
:crowned: Not that bad, seen worse.

Jezebel
2008-02-25, 20:16
Hopefully this is a bit cleaner... awaiting my next task!!

Incident Status Location

Virus:Trj/Spammer.AFL Disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ASTQ.TGA
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Cookie/QuestionMarket Not disinfected C:\FOUND.024\FILE0002.CHK
Spyware:Cookie/Serving-sys Not disinfected C:\FOUND.039\FILE0001.CHK

little eagle
2008-02-25, 22:06
Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINDOWS\SYSTEM32\DRIVERS\ASTQ.TGA
C:\FOUND.039\FILE0001.CHK
C:\FOUND.024\FILE0002.CHK


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Jezebel
2008-02-25, 22:50
ComboFix 08-02-23.2 - Carrie Simpson 2008-02-25 21:18:55.3 - FAT32x86
Running from: C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 18:47 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-02-25 18:47 . 2008-02-25 18:47 81 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2008-02-25 18:39 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-25 18:13 . 2008-02-25 18:13 <DIR> d--hs---- C:\FOUND.043
2008-02-24 20:25 . 2008-02-24 20:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-24 20:25 . 2008-02-25 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-24 20:25 . 2008-02-25 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-24 20:25 . 2008-02-25 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 12:54 . 2008-02-10 12:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 12:53 . 2008-02-10 12:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 12:48 . 2008-02-10 12:48 <DIR> d-------- C:\Program Files\Abexo
2008-02-10 11:08 . 2008-02-10 11:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 11:08 . 2008-02-10 11:08 3,485 --a------ C:\WINDOWS\unins000.dat
2008-02-10 10:32 . 2008-02-10 10:32 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-02-10 00:30 . 2008-02-10 00:30 <DIR> d-------- C:\Program Files\Registry Clean Pro
2008-02-10 00:30 . 2000-12-08 20:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-02-06 22:04 . 2008-02-06 22:04 244 --ah----- C:\sqmnoopt18.sqm
2008-02-06 22:04 . 2008-02-06 22:04 232 --ah----- C:\sqmdata18.sqm
2008-02-06 21:46 . 2008-02-06 21:46 244 --ah----- C:\sqmnoopt17.sqm
2008-02-06 21:46 . 2008-02-06 21:46 232 --ah----- C:\sqmdata17.sqm
2008-02-06 21:44 . 2008-02-06 21:44 244 --ah----- C:\sqmnoopt16.sqm
2008-02-06 21:44 . 2008-02-06 21:44 232 --ah----- C:\sqmdata16.sqm
2008-02-06 21:40 . 2008-02-06 21:40 244 --ah----- C:\sqmnoopt15.sqm
2008-02-06 21:40 . 2008-02-06 21:40 232 --ah----- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 20:34 120 ----a-w C:\tempdel.bat
2008-01-21 20:20 54,764 ----a-w C:\WINDOWS\system32\drivers\astq.tga
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-17 23:03 53,928 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\GDIPFONTCACHEV1.DAT
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-24 13:54 5,732 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-10-26 16:18 212992]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07 32768]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02 94208]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2005-06-06 11:52 69632]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2005-07-25 13:34 81920]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-10-31 19:05 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 20:30 579072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 20:31 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-03-04 16:37]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

*Newly Created Service* - EQOBUBYUJWBL
*Newly Created Service* - SDTHOOK
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 06:46:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-25 21:25:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 21:26:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 21:28:30
ComboFix-quarantined-files.txt 2008-02-25 21:28:24
ComboFix2.txt 2008-02-24 11:54:16
.
2008-02-24 18:20:29 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31:13, on 25/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Carrie Simpson\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154531028818
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7845 bytes


I am also getting registry deny/approve windows for the following:

Session Manager
Value Changed
BootExecute
Old Data - Autocheck autochk *\lsdelete
New Data - Autocheck autchk *\lsdelete\pfdnntC:\WIN

And another one that is similar - do I accept them? I have been denying them.. :red:
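
An added example (my code, not a tool the helpers in this thread used) that turns two of the items in the post above into checks a responder can run over pasted logs: the ComboFix service list (the R0/R1/R2/S1 lines, including the `S1 astq;astq;...\astq.tga []` entry that shows up in the later log) and the Session Manager BootExecute value that TeaTimer reported changing. The sample lines are copied from this thread's logs; the allowlists, and the reconstruction of the BootExecute entries from TeaTimer's one-line display, are my assumptions and are marked as such in the comments.

```python
"""Boot-persistence triage for the items this thread surfaced.

Added example, not a tool used in this thread.  It checks two things
ComboFix and TeaTimer reported above: kernel drivers/services from
ComboFix's R0/R1/R2/S1 list, and the Session Manager BootExecute value
TeaTimer saw being changed.  Sample input is copied from the thread's logs;
the allowlists are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# ComboFix prints one line per driver/service as
#   <R|S><start type> <name>;<display name>;<image path> [<file timestamp>]
# R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = demand.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)

# Constructed from the service lists posted in this thread.
SAMPLE_SERVICE_LINES = [
    r"R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]",
    r"R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]",
    r"R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]",
    r"R3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]",
    r"S1 astq;astq;C:\WINDOWS\system32\drivers\astq.tga []",
    r"S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []",
    "*Newly Created Service* - EQOBUBYUJWBL",   # not a service line; skipped
]


def parse_service_line(line: str) -> Optional[Dict[str, object]]:
    """Split one ComboFix service line into its fields, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry: Dict[str, object] = dict(m.groupdict())
    entry["start"] = int(m.group("start"))
    return entry


def driver_flags(entry: Dict[str, object]) -> List[str]:
    """Reasons a driver entry deserves a closer look (hints, not a verdict)."""
    reasons = []
    path = str(entry["path"]).lower()
    if not path.endswith(".sys"):
        # A kernel driver registered under a data-file extension (astq.tga
        # above) hides from anyone browsing the drivers folder by file type.
        reasons.append("image path does not end in .sys")
    if not entry["stamp"]:
        # ComboFix printed no timestamp: it could not read the file's metadata.
        reasons.append("no file timestamp")
    if int(entry["start"]) <= 1:
        # Boot/system start loads before most security software; weak on its
        # own, because OEM drivers (UBHelper, Hotkey) start this early too.
        reasons.append("boot/system start")
    return reasons


STRONG_FLAGS = {"image path does not end in .sys", "no file timestamp"}


def triage_services(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, path, reasons) for entries carrying at least one strong flag."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = driver_flags(entry)
        if STRONG_FLAGS & set(reasons):
            findings.append((str(entry["name"]), str(entry["path"]), reasons))
    return findings


# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute is a
# REG_MULTI_SZ; smss.exe runs every entry at boot, before winlogon.  TeaTimer
# shows the list as one string with "\" between entries, which is why the
# prompt above reads "Autocheck autochk *\lsdelete".  On a live machine the
# list is winreg.QueryValueEx(key, "BootExecute")[0]; here it is reconstructed
# from the prompt (assumption: the third entry is truncated in the prompt, so
# only the program name "pfdnnt" is kept).
BOOTEXECUTE_ALLOW = {
    "autocheck autochk *",  # Windows default
    "lsdelete",             # Ad-Aware 2007's boot-time deleter, present in the logs above
}
BOOTEXECUTE_BEFORE = ["autocheck autochk *", "lsdelete"]
BOOTEXECUTE_AFTER = ["autocheck autchk *", "lsdelete", "pfdnnt"]


def check_boot_execute(entries: List[str]) -> List[str]:
    """Return BootExecute entries that are not on the allowlist (exact match only)."""
    return [e for e in entries if e.strip().lower() not in BOOTEXECUTE_ALLOW]


if __name__ == "__main__":
    for name, path, reasons in triage_services(SAMPLE_SERVICE_LINES):
        print(f"{name}: {path} -> {', '.join(reasons)}")
    print("BootExecute before:", check_boot_execute(BOOTEXECUTE_BEFORE))
    print("BootExecute after: ", check_boot_execute(BOOTEXECUTE_AFTER))
```

Two things worth noticing when you run it. Wbutton.sys, an Acer Launch Manager driver, is reported too, because ComboFix printed no timestamp for it; the weak flag is there to prompt a manual check, not to condemn the file, which is why the thread's helper asked for logs rather than acting on a single line. And the exact-match allowlist flags "autocheck autchk *" as well as "pfdnnt": whether the missing letter is a display truncation or a real edit, a BootExecute entry that no longer matches the Windows default is exactly the kind of change you want to deny when TeaTimer asks.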

little eagle
2008-02-26, 00:06
We will need to disable TeaTimer:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Then try this step again.



Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINDOWS\SYSTEM32\DRIVERS\ASTQ.TGA
C:\FOUND.039\FILE0001.CHK
C:\FOUND.024\FILE0002.CHK


Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Jezebel
2008-02-26, 01:03
Cor.. what happened then! First time I tried it - it started to bleep and totally shut down - then came back saying it was OK but a serious error was located. :red:

The CFScript file on my desktop totally disappeared etc.. so I did it all again and this is what it found.... but it also asked me to send a link to the Bleeping forums -- below.

C:\Documents and Settings\Carrie Simpson\Desktop.\[4]-Submit_2008-02-25@23.43.zip

Anyways - here are the reports for you.

ComboFix 08-02-23.2 - Carrie Simpson 2008-02-25 23:43:36.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT 0:00]
Running from: C:\Documents and Settings\Carrie Simpson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Carrie Simpson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\FOUND.024\FILE0002.CHK
C:\FOUND.039\FILE0001.CHK
C:\WINDOWS\SYSTEM32\DRIVERS\ASTQ.TGA
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\FOUND.024\FILE0002.CHK
C:\FOUND.039\FILE0001.CHK

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 23:30 . 2008-02-25 23:30 <DIR> d--hs---- C:\FOUND.044
2008-02-25 18:39 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-25 18:13 . 2008-02-25 18:13 <DIR> d--hs---- C:\FOUND.043
2008-02-24 20:25 . 2008-02-24 20:25 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-24 20:25 . 2008-02-25 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-24 20:25 . 2008-02-25 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-24 20:25 . 2008-02-25 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 19:33 . 2008-02-10 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 12:54 . 2008-02-10 12:54 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-10 12:53 . 2008-02-10 12:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-10 12:48 . 2008-02-10 12:48 <DIR> d-------- C:\Program Files\Abexo
2008-02-10 11:08 . 2008-02-10 11:07 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 11:08 . 2008-02-10 11:08 3,485 --a------ C:\WINDOWS\unins000.dat
2008-02-10 10:32 . 2008-02-10 10:32 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-02-10 00:30 . 2008-02-10 00:30 <DIR> d-------- C:\Program Files\Registry Clean Pro
2008-02-10 00:30 . 2000-12-08 20:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-02-06 22:04 . 2008-02-06 22:04 244 --ah----- C:\sqmnoopt18.sqm
2008-02-06 22:04 . 2008-02-06 22:04 232 --ah----- C:\sqmdata18.sqm
2008-02-06 21:46 . 2008-02-06 21:46 244 --ah----- C:\sqmnoopt17.sqm
2008-02-06 21:46 . 2008-02-06 21:46 232 --ah----- C:\sqmdata17.sqm
2008-02-06 21:44 . 2008-02-06 21:44 244 --ah----- C:\sqmnoopt16.sqm
2008-02-06 21:44 . 2008-02-06 21:44 232 --ah----- C:\sqmdata16.sqm
2008-02-06 21:40 . 2008-02-06 21:40 244 --ah----- C:\sqmnoopt15.sqm
2008-02-06 21:40 . 2008-02-06 21:40 232 --ah----- C:\sqmdata15.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 23:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-22 20:34 120 ----a-w C:\tempdel.bat
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-17 23:03 53,928 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\GDIPFONTCACHEV1.DAT
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-24 13:54 5,732 ----a-w C:\Documents and Settings\Carrie Simpson\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 10:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 10:31 126976]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 11:12 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 11:11 708698]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-10-26 16:18 212992]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 01:07 32768]
"LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2005-07-25 13:36 32768]
"PowerKey"="C:\Program Files\Launch Manager\PowerKey.exe" [2002-08-30 15:02 94208]
"LManager"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2005-06-06 11:52 69632]
"CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 14:28 20480]
"LMgrOSD"="C:\Program Files\Launch Manager\OSDCtrl.exe" [2005-07-25 10:45 241664]
"Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2005-07-25 13:34 81920]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-10-31 19:05 385024]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 20:30 579072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 20:31 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\\Network Diagnostic\\xpnetdiag.exe:@xpsp3res.dll,-20000
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 11:27]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-03-04 16:37]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 POWERKEY;POWERKEY;C:\Program Files\Launch Manager\POWERKEY.sys [2000-12-19 18:29]
S1 astq;astq;C:\WINDOWS\system32\drivers\astq.tga []
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []

*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 06:46:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-25 23:25:16 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 23:48:39
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-25 23:52:52 - machine was rebooted [Carrie Simpson]
ComboFix-quarantined-files.txt 2008-02-25 23:52:46
ComboFix3.txt 2008-02-24 11:54:16
ComboFix2.txt 2008-02-25 21:28:34
.
2008-02-24 18:20:29 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:44, on 25/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Carrie Simpson\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadfestival.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154531028818
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7577 bytes

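The ComboFix block above (Reg Loading Points, firewall exceptions, services) is what a helper reads line by line before asking for files. The script below is an added example, not part of this thread and not ComboFix or HijackThis code: it parses the Run-value and service lines in the format ComboFix prints and flags three patterns a helper checks first. The sample block is a handful of lines copied from the log above, embedded so the script runs offline; the three heuristics, the `Entry` class and the function names are the example's own assumptions. A flag is a lead, not a verdict: the Wbutton driver, which shares its name with the Launch Manager program listed in the Run key, is flagged only because ComboFix could not find its file, and the helper still has to look at each flagged item.

```python
"""Triage of a ComboFix 'Reg Loading Points' block (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field

# A few lines copied from the ComboFix log posted in this thread, embedded here
# so the script runs offline.  Run values look like
#   "name"="image" [date time size]
# and services like
#   R0 name;display name;image [date time]
# An empty [] means ComboFix could not find the image file at scan time.
SAMPLE_BLOCK = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="C:\Windows\RUNXMLPL.exe" [2005-05-19 17:09 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 11:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 20:30 579072]

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
S1 astq;astq;C:\WINDOWS\system32\drivers\astq.tga []
S1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys []
'''

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<stat>[^\]]*)\]')
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<stat>[^\]]*)\]\s*$'
)


@dataclass
class Entry:
    kind: str                 # 'run' (registry Run value) or 'service'
    name: str                 # value name or service name
    image: str                # the path ComboFix printed
    stat: str                 # contents of the trailing [...], '' if the file was not found
    location: str = ''        # Run key for values, start type (R0/S1/...) for services
    findings: list = field(default_factory=list)


def parse_loading_points(text):
    """Turn the Run-value and service lines of a ComboFix block into Entry objects."""
    entries = []
    key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[HKEY_') and line.endswith(']'):
            key = line[1:-1]          # the Run key the following values belong to
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry('run', m['name'], m['image'], m['stat'].strip(), key))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(Entry('service', m['name'], m['image'], m['stat'].strip(), m['state']))
    return entries


def triage(entries):
    """Attach findings to each entry and return only the entries that got one.

    The heuristics are this example's own (an assumption, not ComboFix logic),
    chosen to mirror what a helper reading the log checks first.  A finding is
    a reason to look closer, not a malware verdict.
    """
    for e in entries:
        if e.stat == '':
            e.findings.append('image file not found at scan time (empty [])')
        if e.kind == 'run' and '\\' not in e.image:
            e.findings.append('bare file name, resolved through the search path rather than an explicit path')
        if e.kind == 'service' and '\\drivers\\' in e.image.lower() and not e.image.lower().endswith('.sys'):
            e.findings.append('driver image with a non-.sys extension')
    return [e for e in entries if e.findings]


def report(text):
    """Map name -> findings for every flagged entry in a ComboFix block."""
    return {e.name: e.findings for e in triage(parse_loading_points(text))}


if __name__ == '__main__':
    for name, findings in report(SAMPLE_BLOCK).items():
        print(name)
        for f in findings:
            print('   -', f)
```

Run against the sample block, `report()` flags SoundMan (bare file name), Wbutton (file not found) and astq (file not found and a `.tga` extension on a driver image); everything else in the sample passes. The same parser can be pointed at the full Reg Loading Points section of a ComboFix log by pasting it into `SAMPLE_BLOCK`, which is the point of keeping the two regexes separate from the heuristics.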
little eagle
2008-02-26, 01:47
C:\FOUND.044

I would like to see a copy of the file/folder in bold.

Click start / then my computer / local disk then follow the process tree.
Or using Windows Explorer, locate the first file you want to zip.
Right click on the file and select Send To and Compressed (zipped) Folder.
This makes a copy it does not delete it.
Please zip the file and upload it here (http://forums.security-central.us/showthread.php?t=270)
Or email it here (little_eagle@security-central.us)

Please include a link to this thread.

Jezebel
2008-02-28, 08:45
I emailed the log to you a couple of days ago - did you receive it OK?

little eagle
2008-02-28, 13:55
Yes, and like a dummy I never got back to look at it.

Sorry for the delay; the file is one that was renamed by your AV.

Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup and it will search for and delete/uninstall all the tools we have used to fix your problems and all their backup folders, and then delete itself when you next reboot.

----------------------------------

Run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

----------------


Then download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Jezebel
2008-02-28, 23:10
I take it you want to see the log? Please tell me it's fixed ;)

Malwarebytes' Anti-Malware 1.05
Database version: 422

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 62577
Time elapsed: 33 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Carrie Simpson\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.

little eagle
2008-02-29, 03:31
Please tell me it's fixed ;)

Well, it looks like your PC is clean.

My little list of tips to stay clean (http://www.nutnworks.com/forums/showthread.php?t=98).

Start a new thread if you need us.

Any questions before this thread is closed?

tashi
2008-03-10, 22:24
Thank you little eagle.