Smitfraud-C.CoreService [Archive] - Safer-Networking Forums

View Full Version : Smitfraud-C.CoreService

Nefas

2008-04-17, 21:34

Applications started opening on their own, mainly Internet Explorer and LimeWire, with and several strange proccesess. I would try stoping them using the task manager but they kept popping up.
I used AdAware, Trend Micro PC-cillon 2006(expired definitions), Webroot Spysweeper (expired definitions). That found many infections and stopped the Limewire problem but i still have Internet Explorer opening up.
Used Spybot and found several more infections including "Smitfraud-C.CoreService". Was able to adress all other issues except for this one.

I apreciate any help you can give me.

Here are the logs

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 17, 2008 8:54:30 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/04/2008
Kaspersky Anti-Virus database records: 711959
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 77622
Number of viruses found: 13
Number of infected objects: 80
Number of suspicious objects: 0
Duration of the scan process: 02:40:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0BC2F294-785F-44FD-977F-3260FE702CB5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0FF830BA-B5B9-47E2-8AD8-F76CEDA1FA1E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1103B9D8-6F0C-4C3B-81AA-40FEB8C0111C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS11F50BD6-F458-4743-80EA-C94091B44E08.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS12686BC5-30A9-4C45-8ECB-AC2A99DBFF3F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS12FC10DF-8E61-4FD5-BE7A-ADC16DC04998.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS13067D9F-86A0-4E23-8C27-0ECF9CA9B556.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS13143E99-B86C-46AE-8EB6-70CA8F774E1C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS16A7F905-BD69-4646-B505-E2D85A59E20F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1952FEB5-4BAB-4FEB-936C-949BA0527CA9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1B17BBF2-6E49-4627-9DC7-3DECCAAC9578.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1E60CF1E-4321-4F3E-8290-9CFD334A698B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS21595311-052B-4A0B-8ECA-7EFFF2E6CAC4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS242E09D8-0A2D-4CEE-8343-3DA003B76BDF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2E0047D8-B218-47C0-8528-44E8757B966C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3023C5EA-E8AF-4263-856F-91419F5A3C0E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3175ED6A-2C80-4647-BA65-AC742055EAC6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS325A7982-5054-489C-8B92-A380B7A4F528.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS328D2A07-4018-47A3-AEBB-EDD7E1470A22.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3299E484-2E5F-4070-9608-CBF4C5E0FB35.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS346143B6-FBC4-428A-86F8-AAB8ADB8F1D5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS35FB65BB-BA5E-422C-9629-5255EB3DFC16.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS38A1B5C4-D5FF-4C4E-BB4C-1C9899C7748A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS39042DEB-4BDF-4C9B-A502-9B96BF79AF5C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3CB30C4A-D0C3-4DFC-8C51-84FB95D23D7C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3D54C89A-A943-468F-9999-78010E4998D0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS433544B2-74E0-47D8-B9B8-ABB3DFDC84F0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS44CFFC3F-25B6-44CD-85C8-AB84F38F8D9E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4B2721C1-B88D-4A25-87E7-2DCD07E5A990.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C44BE99-ACEA-43A6-ABFD-74F973D32D78.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C6A8361-8B02-4094-86D5-941E68C36B9B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4CB721A1-0DD2-4CDC-BF38-2BC861164BF5.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4D2041A3-99AC-4DFE-AD95-7322244589BF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5849228C-72E2-4171-98D5-AA0AF550CC09.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5C2E3A92-23C7-4F39-A53D-5EBC86E9A6E9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5F4A6E92-DDB2-4D05-ACFF-455C31137C50.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS61D152AC-7C1B-4D50-B266-AF4E26A70E75.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64165611-B8B3-4171-A0F6-401D4679C7B6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64F33D3E-6274-42AB-9597-04D46BAFBE60.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS66CE580C-E523-4E23-BAE5-406D8D4E70A2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6803E6FA-A1D4-4761-952E-594E75FAF08C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6B7CF265-5B19-4D4F-8049-CF8FE445EEF9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6DEB86C8-B2FA-42DC-A758-C9C37B0A6338.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6EE70C49-0ED3-4C3C-9827-1089069558B8.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6FABB255-7A0D-430B-BFEC-2CB9D6F55804.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS79D86D93-0C70-49BE-8688-C1990D7A048D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7E01A3D3-83BA-4475-ACB3-212BB742F005.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS87AEDBD4-2471-4D18-9C25-482E521547EB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS88876CB7-B0AD-4076-B296-187EE2039BE2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8AD53B3D-FA98-49A3-A593-0A85DB49C985.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8B33AE6D-F2BC-47FD-96BA-1C58A256A52F.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8BC61972-7B67-4D6D-846A-04350A525B6D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8C9E9BD9-470D-4D3D-9DDC-3400427004F4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS92A119FC-B7FD-40F8-853D-7A921F853AC6.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS934CEF74-BC11-44A5-B205-0C0AFE039A66.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9545268C-1EE6-428D-8932-169DA8048063.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9702375B-3F05-4631-9C23-9A1D93EE1469.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS97D082EC-3ECA-42D7-80C4-1EC16F58C5F4.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9806239C-F2E6-4CC1-97B8-2F13E9FA1284.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9CBE58BB-2B5F-4D49-921A-EB34F5FA8B44.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA422E5CC-DB0F-4372-A35A-A3883B34DFBC.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA6572FF5-4A40-4044-A830-FAA6335D219D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA8EF9AEE-876D-4F05-86E1-8C233FD57B5B.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA9E1399C-E1FC-4B7E-88F0-07E4E6243EB3.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAAB10DB8-43D7-495F-8F60-999248F141C9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAB616AC5-759E-400D-BB07-EA5BB2413A72.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB5058119-28A0-456B-A850-1983F410F474.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBB20E911-62D1-40E7-A435-DF2980CFA37E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC021B0D2-C1EF-468E-BD4C-2D3D740B4E7E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC243804B-8574-4346-A88D-9F855E619AF0.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC4321BBB-6CB3-4AC5-895C-A4478D744DCF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC9835D79-4464-41BC-A368-B92E55F1A430.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCB00A9D9-71B5-47B7-8A29-3C6207055C6C.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD021F893-1828-40BF-8846-E340AFA892EB.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD1332973-2BC6-4551-AE64-4348132D495D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD185E3B4-49D2-4939-8A0C-D4F7F32A9A65.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD45476E2-825A-456C-A430-06E43F93FE29.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD50ECA61-AB31-4604-9C19-BECBE326C0CF.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD545B3A7-3B45-4165-B7C3-95C63B1B1F94.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD5AF9048-8946-46DE-8F8A-FDD1FA24CE5A.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDECDC1F0-C5F5-4683-BB44-9D01083B7A59.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE128EF9D-9516-4078-A785-5521C0597CA2.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE22EC6EB-C7A0-4EAC-98E5-3D757AF32F61.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE9CC4219-3D38-4A92-ABE9-A23BA5818866.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEDDC37E2-0699-47F6-80A9-96DD664A17BD.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF753F11C-07A5-446E-BA28-DB0D490BA54D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF98883CA-56C8-4217-93D7-F1AA37CD19D9.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF9D1C798-F428-40B0-A571-8A762297560E.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFD0073DC-BF2B-4FFD-A07A-23E00B41E264.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFD2EA671-E86A-4F0E-90CF-5FD951D8935D.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFA4CFDB-5DC4-44FC-9B5D-94623B231635.tmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nefas\Application Data\Webroot\Spy Sweeper\Logs\080416232647.ses Object is locked skipped
C:\Documents and Settings\Nefas\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\lsass.exe Infected: Backdoor.Win32.VB.czs skipped
C:\Documents and Settings\Nefas\My Documents\WindowBlinds\WindowBlinds 5.50 Enhanced release 2.2.rar/WindowBlinds 5.50 Enhanced release 2.2/windowblinds550_enh.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Nefas\My Documents\WindowBlinds\WindowBlinds 5.50 Enhanced release 2.2.rar RAR: infected - 1 skipped
C:\Documents and Settings\Nefas\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nefas\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2B2.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2C1.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2D5.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2E5.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2F2.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2F6.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2FB.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\3B9.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\BE.tmp/Setup.exe Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\BE.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\BE.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\FBD.tmp Infected: Exploit.Win32.IMG-WMF.u skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9C0LV.0G4 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9C0LV.0G5 Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9C0LV.0G6 Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DQQV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DQQV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DQQV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DSLV.0EC Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DSLV.0ED Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DSLV.0EE Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ENLV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ENLV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ENLV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ETLV.0ED Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ETLV.0EE Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ETLV.0EF Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9EVQV.0G6 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9EVQV.0G7 Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9EVQV.0G8 Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FC3N.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FC3N.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FFLV.09L Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FFLV.09M Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FM3N.09L Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FM3N.09M Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9G63N.09L Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9G63N.09M Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9GI0N.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9GI0N.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HDQV.09M Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HDQV.09N Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HDQV.09O Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HSLV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HSLV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HSLV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAV5NV.0EE Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAV5NV.0EF Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAV5NV.0EG Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAVCNV.0EE Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAVCNV.0EF Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCUB5N.09M Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCUB5N.09N Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCVDEF.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCVDEF.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCVDEF.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSDVCVF.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSDVCVF.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSDVCVF.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSFVTLV.0ED Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSFVTLV.0EE Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSFVTLV.0EF Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSGUVVV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSGUVVV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSGUVVV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP533\A0157085.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP537\A0163333.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP544\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Fonts\a.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\WINDOWS\Fonts\a.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A627D52B-CA37-4B4B-B26C-00B52BF29B9C}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2152A73C-9C25-4B2C-A849-2FF5037A130A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bharebio18\bharebio182328.exe Infected: Trojan-Downloader.Win32.VB.dsk skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\crusoee.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pinz1\cegmgr76.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\scnttkdn.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aw skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wii\HTgn1dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\system32\wii\HTgn1dll.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\system32\wii\HTgn1dll.exe NSIS: infected - 2 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
====================================================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:51 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64150&rc=1&ps=R&oc=62&mjv=4&mnv=5&bld=607&cd=&dcc=&drc=&mo=&sid=&lang=en&loc=USA&rsc=&kc=ppbc__oi%5E%5E%5E_bc_damkp&ac=alertexp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4F58D4C4-0786-41C0-B887-773F9965BB19} - C:\WINDOWS\system32\jkkjkhfc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://10.32.40.11/sre/Downloads/ICSScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: jkkjkhfc - C:\WINDOWS\SYSTEM32\jkkjkhfc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Nefas\My Documents\Snaps.JPG

--
End of file - 11799 bytes
====================================================================================================================

Shaba

2008-04-18, 11:44

Hi Nefas

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

Nefas

2008-04-20, 04:10

I was unable to run combo fix.

I downloaded "ComboFix.exe" to the desktop and tried to run it. I got a plain blue window with a blinking cursor titled ".". I left the computer alone for a while and when i checked nothing had changed. After reading the article "http://www.bleepingcomputer.com/combofix/how-to-use-combofix" i downloaded "WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe" and tried to run it as instructed. I got a small progress bar labeled combo fix that finished quickly then went to the blue window. I tried downloading Combo Fix from the other sources listed, bu had the same results.

Im not sure if it will make a difference but i was trying to use the recovery console for windows xp home edition service pack 2, but my computer is running windows xp media center edition service pack 2.

I have looked for the 4 processes mentioned above but found none of them.

What should I do?

Shaba

2008-04-20, 12:25

Hi

Try to run in safe mode next, please :)

Nefas

2008-04-20, 20:50

thanks, safemode got passed all that mess.
combofix restarted windows while i wasnt paying attention and froze up again so i restarted and re-did combofix in safe mode. i then ran hijack this in normal mode.

here are the logs

ComboFix 08-04-18.3 - Nefas 2008-04-20 10:31:08.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1761 [GMT -7:00]
Running from: C:\Documents and Settings\Nefas\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Nefas\lsass.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\crusoee.sys
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CRUSOEE
-------\Service_crusoee

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-16 23:52 . 2008-04-16 23:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-16 23:52 . 2008-04-16 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 19:24 . 2008-04-12 19:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-12 19:24 . 2008-04-12 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 19:47 . 2008-04-07 19:47 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-07 19:44 . 2008-04-07 19:44 <DIR> d-------- C:\WINDOWS\system32\wii
2008-04-07 19:44 . 2008-04-07 19:44 <DIR> d-------- C:\WINDOWS\system32\pinz1
2008-04-07 19:44 . 2008-04-07 19:44 <DIR> d-------- C:\WINDOWS\system32\IDE2
2008-04-07 19:44 . 2008-04-07 19:44 <DIR> d-------- C:\WINDOWS\system32\ExTmp
2008-04-07 19:44 . 2008-04-07 19:44 196,678 --a------ C:\WINDOWS\system32\scnttkdn.exe
2008-04-07 19:44 . 2008-04-07 19:44 49,158 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-04-07 19:44 . 2008-04-07 19:45 923 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-07 19:43 . 2008-04-07 19:43 <DIR> d-------- C:\WINDOWS\system32\bharebio18
2008-04-07 19:43 . 2008-04-07 19:44 <DIR> d-------- C:\Temp\wdlw14
2008-04-07 19:43 . 2008-04-20 09:46 <DIR> d-------- C:\Temp
2008-04-07 19:43 . 2008-04-07 19:43 40,960 --a------ C:\WINDOWS\system32\jkkjkhfc.dll
2008-03-31 00:52 . 2008-03-31 00:52 <DIR> d-------- C:\Documents and Settings\Nefas\Application Data\Leadertech
2008-03-30 21:39 . 2008-03-30 21:39 <DIR> d-------- C:\Documents and Settings\Nefas\WINDOWS
2008-03-20 16:52 . 2008-03-20 16:52 <DIR> d-------- C:\Program Files\MSN Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 06:43 --------- d-----w C:\Program Files\Real
2008-04-17 06:35 --------- d-----w C:\Program Files\Logon Loader
2008-04-17 06:35 --------- d-----w C:\Program Files\Google
2008-04-17 06:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 06:12 --------- d-----w C:\Program Files\LimeWire
2008-04-15 18:51 --------- d-----w C:\Program Files\Trend Micro
2008-04-13 04:09 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-04-08 03:54 --------- d-----w C:\Documents and Settings\Nefas\Application Data\LimeWire
2008-04-08 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-08 02:53 --------- d-----w C:\Documents and Settings\Nefas\Application Data\Move Networks
2008-04-08 02:47 --------- d-----w C:\Documents and Settings\Nefas\Application Data\FrostWire
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-17 10:14 --------- d-----w C:\Program Files\Windows Live
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 17:30 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-05 14:23 37,088 ----a-w C:\Documents and Settings\Nefas\Application Data\GDIPFONTCACHEV1.DAT
2007-07-09 05:31 2,796 -c--a-w C:\Documents and Settings\Nefas\Application Data\wklnhst.dat
2005-08-22 20:29 1,238,544 -c--a-r C:\Program Files\procexp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F58D4C4-0786-41C0-B887-773F9965BB19}]
2008-04-07 19:43 40960 --a------ C:\WINDOWS\system32\jkkjkhfc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 01:32 65536]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 15:21 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 17:32 761945]
"Toshiba Hotkey Utility"="c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-02-20 16:31 1589248]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 17:13 122880]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2005-12-21 21:29 30208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-18 10:52 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-08-30 16:36:24 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-11-20 20:04:10 671744]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-03-02 15:23:46 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoViewOnDrive"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Nefas\My Documents\Snaps.JPG
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F58D4C4-0786-41C0-B887-773F9965BB19}"= C:\WINDOWS\system32\jkkjkhfc.dll [2008-04-07 19:43 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjkhfc]
jkkjkhfc.dll 2008-04-07 19:43 40960 C:\WINDOWS\system32\jkkjkhfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-21 21:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Windows Plus\\Party Mode\\PartyMode.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23122:TCP"= 23122:TCP:BitComet 23122 TCP
"23122:UDP"= 23122:UDP:BitComet 23122 UDP

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
S2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-21 21:55]
S2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-21 21:55]
S2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
S2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2005-12-21 21:25]
S3 AVUSBPVR;AVerMedia USB MPEG-2 Capture Device;C:\WINDOWS\system32\DRIVERS\avusbpvr.sys [2006-04-12 02:45]
S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-09-01 13:11]
S3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys [2006-01-17 17:30]
S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-21 21:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1f2a76f-3e36-11db-ad40-00130276da50}]
\Shell\AutoRun\command - E:\setupSNK.exe

*Newly Created Service* - LBEEPKE
*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
"2008-01-22 13:39:33 C:\WINDOWS\Tasks\02 Switchback.job"
- C:\Documents and Settings\Nefas\Desktop\Music\Celldweller\02 Switchback.mp3
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 10:35:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 7

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\jkkjkhfc.dll
.
Completion time: 2008-04-20 10:38:12
ComboFix-quarantined-files.txt 2008-04-20 17:37:53

Pre-Run: 76,172,603,392 bytes free
Post-Run: 76,158,500,864 bytes free

200 --- E O F --- 2008-04-09 15:49:18

==========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43, on 2008-04-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/showthread.php?p=183306#post183306
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64150&rc=1&ps=R&oc=62&mjv=4&mnv=5&bld=607&cd=&dcc=&drc=&mo=&sid=&lang=en&loc=USA&rsc=&kc=ppbc__oi%5E%5E%5E_bc_damkp&ac=alertexp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4F58D4C4-0786-41C0-B887-773F9965BB19} - C:\WINDOWS\system32\jkkjkhfc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://10.32.40.11/sre/Downloads/ICSScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: jkkjkhfc - C:\WINDOWS\SYSTEM32\jkkjkhfc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Nefas\My Documents\Snaps.JPG

--
End of file - 11867 bytes

==========================================================
whats next?

Shaba

2008-04-20, 20:53

Hi

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\scnttkdn.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\jkkjkhfc.dll

Folder::
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\wii
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\bharebio18
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F58D4C4-0786-41C0-B887-773F9965BB19}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F58D4C4-0786-41C0-B887-773F9965BB19}"=

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjkhfc]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\drivers\lvuvc.hs

Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Post:

- a fresh HijackThis log
- combofix report
- jotti/virustotal results

Nefas

2008-04-20, 21:30

hi
I'm not sure i understand this part:

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

Repeat steps for all files on the list.

What list? Do you mean from the text box from the message you sent?

What is "C:\WINDOWS\system32\drivers\lvuvc.hs" ?

I will complete the other steps and post those in the mean time.

Nefas

2008-04-21, 00:34

hi
the list had a total of one item right?:red:
neither site is working for me :banghead:

virustotal
0 bytes size received / Se ha recibido un archivo vacio

jotti
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

i am unsure how to disable the firewall in the router to allow these through.
I am using a 2Wire 2701HG-B gateway

here are the logs for combofix and hijackthis

ComboFix 08-04-18.3 - Nefas 2008-04-20 12:35:34.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1773 [GMT -7:00]
Running from: C:\Documents and Settings\Nefas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nefas\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\jkkjkhfc.dll
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\scnttkdn.exe
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkkjkhfc.dll
C:\WINDOWS\system32\vbzip10.dll\
.
---- Previous Run -------
.
C:\Temp
C:\Temp\wdlw14\maxN1bo.log
C:\WINDOWS\system32\bharebio18
C:\WINDOWS\system32\bharebio18\bharebio182328.exe
C:\WINDOWS\system32\ExTmp
C:\WINDOWS\system32\IDE2
C:\WINDOWS\system32\IDE2\mdllcom2.exe
C:\WINDOWS\system32\pinz1
C:\WINDOWS\system32\pinz1\cegmgr76.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\scnttkdn.exe
C:\WINDOWS\system32\vbzip10.dll\
C:\WINDOWS\system32\wii
C:\WINDOWS\system32\wii\HTgn1dll.exe
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-16 23:52 . 2008-04-16 23:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-16 23:52 . 2008-04-16 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 19:24 . 2008-04-12 19:25 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-12 19:24 . 2008-04-12 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 19:47 . 2008-04-07 19:47 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-03-31 00:52 . 2008-03-31 00:52 <DIR> d-------- C:\Documents and Settings\Nefas\Application Data\Leadertech
2008-03-30 21:39 . 2008-03-30 21:39 <DIR> d-------- C:\Documents and Settings\Nefas\WINDOWS
2008-03-20 16:52 . 2008-03-20 16:52 <DIR> d-------- C:\Program Files\MSN Messenger

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 06:43 --------- d-----w C:\Program Files\Real
2008-04-17 06:35 --------- d-----w C:\Program Files\Logon Loader
2008-04-17 06:35 --------- d-----w C:\Program Files\Google
2008-04-17 06:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-17 06:12 --------- d-----w C:\Program Files\LimeWire
2008-04-15 18:51 --------- d-----w C:\Program Files\Trend Micro
2008-04-13 04:09 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-04-08 03:54 --------- d-----w C:\Documents and Settings\Nefas\Application Data\LimeWire
2008-04-08 02:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-08 02:53 --------- d-----w C:\Documents and Settings\Nefas\Application Data\Move Networks
2008-04-08 02:47 --------- d-----w C:\Documents and Settings\Nefas\Application Data\FrostWire
2008-03-17 10:14 --------- d-----w C:\Program Files\Windows Live
2007-11-05 14:23 37,088 ----a-w C:\Documents and Settings\Nefas\Application Data\GDIPFONTCACHEV1.DAT
2007-07-09 05:31 2,796 -c--a-w C:\Documents and Settings\Nefas\Application Data\wklnhst.dat
2005-08-22 20:29 1,238,544 -c--a-r C:\Program Files\procexp.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-20_10.36.43.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 17:24:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 19:40:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-20 17:29:58 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-20 19:37:07 53,436 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-20 17:29:58 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-20 19:37:07 381,692 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 01:32 65536]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-01-18 17:07 196608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2005-12-29 15:21 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 17:32 761945]
"Toshiba Hotkey Utility"="c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [2006-02-20 16:31 1589248]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 17:13 122880]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 11:41 602182]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2005-12-21 21:29 30208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-18 10:52 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 05:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 05:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-08-30 16:36:24 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-11-20 20:04:10 671744]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-03-02 15:23:46 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoViewOnDrive"= 0 (0x0)
"NoLogoff"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Nefas\My Documents\Snaps.JPG
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-21 21:42 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Windows Plus\\Party Mode\\PartyMode.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23122:TCP"= 23122:TCP:BitComet 23122 TCP
"23122:UDP"= 23122:UDP:BitComet 23122 UDP

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 22:42]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2006-01-12 17:21]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 15:27]
S2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-12-21 21:55]
S2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-12-21 21:55]
S2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
S2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [2005-12-21 21:25]
S3 AVUSBPVR;AVerMedia USB MPEG-2 Capture Device;C:\WINDOWS\system32\DRIVERS\avusbpvr.sys [2006-04-12 02:45]
S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-09-01 13:11]
S3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys [2006-01-17 17:30]
S3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys [2005-12-21 21:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1f2a76f-3e36-11db-ad40-00130276da50}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-22 13:39:33 C:\WINDOWS\Tasks\02 Switchback.job"
- C:\Documents and Settings\Nefas\Desktop\Music\Celldweller\02 Switchback.mp3
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 12:42:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 7

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-04-20 12:48:05 - machine was rebooted [Nefas]
ComboFix-quarantined-files.txt 2008-04-20 19:48:01
ComboFix2.txt 2008-04-20 17:38:13

Pre-Run: 76,159,709,184 bytes free
Post-Run: 76,145,897,472 bytes free

197 --- E O F --- 2008-04-09 15:49:18

====================================================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:02, on 2008-04-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/showthread.php?p=183306#post183306
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64150&rc=1&ps=R&oc=62&mjv=4&mnv=5&bld=607&cd=&dcc=&drc=&mo=&sid=&lang=en&loc=USA&rsc=&kc=ppbc__oi%5E%5E%5E_bc_damkp&ac=alertexp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://10.32.40.11/sre/Downloads/ICSScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Nefas\My Documents\Snaps.JPG

--
End of file - 11600 bytes
====================================================================================================================

Shaba

2008-04-21, 15:51

Hi

That's OK :)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
Click the Save Report As... button (see red arrow below)
http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif
In the Save as... prompt, select Desktop
In the File name box, name the file KasScan-ddmmyy (or similar)
In the Save as type prompt, select Text file (see below)
http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif
Now click on the Save as Text button
Savethe file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

Nefas

2008-04-21, 21:04

here are the logs

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-04-21 11:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/04/2008
Kaspersky Anti-Virus database records: 719022
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 70670
Number of viruses found: 13
Number of infected objects: 78
Number of suspicious objects: 0
Duration of the scan process: 00:56:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nefas\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\History\History.IE5\MSHist012008042120080422\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Nefas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nefas\My Documents\WindowBlinds\WindowBlinds 5.50 Enhanced release 2.2.rar/WindowBlinds 5.50 Enhanced release 2.2/windowblinds550_enh.exe Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\Nefas\My Documents\WindowBlinds\WindowBlinds 5.50 Enhanced release 2.2.rar RAR: infected - 1 skipped
C:\Documents and Settings\Nefas\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nefas\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2B2.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2C1.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2D5.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2E5.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2F2.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2F6.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\2FB.tmp Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\3B9.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\BE.tmp/Setup.exe Infected: Virus.Win32.Fontra.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\BE.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\BE.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\FBD.tmp Infected: Exploit.Win32.IMG-WMF.u skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9C0LV.0G4 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9C0LV.0G5 Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9C0LV.0G6 Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DQQV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DQQV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DQQV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DSLV.0EC Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DSLV.0ED Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9DSLV.0EE Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ENLV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ENLV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ENLV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ETLV.0ED Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ETLV.0EE Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9ETLV.0EF Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9EVQV.0G6 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9EVQV.0G7 Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9EVQV.0G8 Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FC3N.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FC3N.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FFLV.09L Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FFLV.09M Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FM3N.09L Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9FM3N.09M Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9G63N.09L Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9G63N.09M Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9GI0N.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9GI0N.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HDQV.09M Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HDQV.09N Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HDQV.09O Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HSLV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HSLV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSS9HSLV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAV5NV.0EE Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAV5NV.0EF Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAV5NV.0EG Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAVCNV.0EE Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSAVCNV.0EF Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCUB5N.09M Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCUB5N.09N Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCVDEF.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCVDEF.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSCVDEF.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSDVCVF.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSDVCVF.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSDVCVF.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSFVTLV.0ED Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSFVTLV.0EE Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSFVTLV.0EF Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSGUVVV.09J Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSGUVVV.09K Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Program Files\Trend Micro\Internet Security 2006\VSSGUVVV.09L Infected: not-a-virus:PSWTool.Win32.Outlooker skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Nefas\lsass.exe.vir Infected: Backdoor.Win32.VB.czs skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bharebio18\bharebio182328.exe.vir Infected: Trojan-Downloader.Win32.VB.dsk skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pinz1\cegmgr76.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\scnttkdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.aw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wii\HTgn1dll.exe.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wii\HTgn1dll.exe.vir/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wii\HTgn1dll.exe.vir NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP548\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{686244AE-A5A3-4CA6-9E7D-5BC7818A7F9A}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
==========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00, on 2008-04-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/showthread.php?p=183306#post183306
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://products.webroot.com/disp0201.php?pc=64150&rc=1&ps=R&oc=62&mjv=4&mnv=5&bld=607&cd=&dcc=&drc=&mo=&sid=&lang=en&loc=USA&rsc=&kc=ppbc__oi%5E%5E%5E_bc_damkp&ac=alertexp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://10.32.40.11/sre/Downloads/ICSScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Nefas\My Documents\Snaps.JPG

--
End of file - 9188 bytes

==========================================================
what's next?

Shaba

2008-04-22, 15:31

Hi

Delete this:

C:\Documents and Settings\Nefas\My Documents\WindowBlinds\WindowBlinds 5.50 Enhanced release 2.2.rar

Empty these folders:

C:\Program Files\Trend Micro\Internet Security 2006\Quarantine
C:\QooBox\Quarantine

Empty Recycle Bin.

Still problems?

Nefas

2008-04-23, 21:40

I dont have any more pop ups but there still seems to be alot more proccesses running than normal. I've run Pc-cillion, Spysweeper, AdAware but none caught anything. Having trouble running spybot because my laptop over heats before the scan is completed even ig it is the only active program. (something that has happened before but only with spybot).

Can I do anything about any of that?

Shaba

2008-04-24, 11:39

Hi

Which processes you actually mean?

As for overheating, you may try to scan in safe mode.

If no go, you may need to replace cpu fan or something like that.

Nefas

2008-04-24, 16:44

I was able to get past the overheat by running the scan at night after letting the laptop cool of completly (turned it of for a bit, then ran the scan first thing).

Spy bot only found a couple of cookies, nothing im worried about but in my process manager I see:

ssu.exe
KALMNPR.exe
RAMASST.exe
igfx.exe
alg.exe
ehmsas.exe
iFrmewrk.exe
Tmntsrv.exe
Dot1Cfg.exe
S24EvMon.exe
EvtEng.exe
PCCtlCom.exe
ehsched.exe
ehrecvr.exe
CDAC11BA.EXE

Shaba

2008-04-24, 17:07

Hi

Most of them are related to laptop software so I don't recommend disabling them.

Is your computer slower?

Nefas

2008-04-25, 22:10

Yes the effect is most noticible in Internet Explorer. Ive tried clearing out history, running Spybot, Webroot, PC-cillon but it still loads slower than normal for my laptop.

Shaba

2008-04-26, 11:59

Hi

Well I don't think that is related to malware in any way.

If it bothers you, you can try to use another browser (FireFox, Opera) or I can re-direct you to some windows forum :)

Nefas

2008-04-28, 10:03

Thats ok. Its probably just me expecting more problems. Does this mean my computer is clean? Let me know if there is anything else I need to do.

Thanks

Shaba

2008-04-28, 17:11

Hi

Yes unless you have some other symptoms left?

Nefas

2008-04-28, 18:44

None that I've noticed.

Shaba

2008-04-28, 19:35

Hi

Then you're clean!

I recommend this (http://forums.pcpitstop.com/index.php?) forum.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it saysThe Java SE Runtime Environment (JRE) allows end-users to run Java applications..
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D (http://www.bleepingcomputer.com/forums/?showtutorial=43)

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:

Shaba

2008-04-30, 15:34

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.