
Zenosearch and more won't go away!



dolomick
2008-05-06, 21:58
So I've run Ad-Aware, Spybot in safe mode, ComboFix and SmitfraudFix, and then read that I shouldn't have before posting a log (oops). Here is the latest log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:06 AM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wshtcpip.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Svconr\Svconr.exe
C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\WINDOWS\system32\kcntmkdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: gooochi browser optimizer - {48ef2043-3396-10b3-0a15-9880fe3c93d9} - C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62C21114-D4A8-499B-A15C-684FDB8B79B5} - C:\WINDOWS\system32\opnlKAro.dll (file missing)
O2 - BHO: (no name) - {70186681-442D-4D62-936D-E2B79089D6EB} - C:\WINDOWS\system32\qoMcyARl.dll (file missing)
O2 - BHO: (no name) - {87ed7406-1dca-4fab-ad56-37e4a6d893ca} - (no file)
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: DbarBHO - {CC11617C-259E-429c-9063-7D70B8355EBD} - C:\Program Files\dbar\Deskbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [{D3-34-47-78-DW}] C:\WINDOWS\system32\cdTMP\cdrev132.exe DWram
O4 - HKLM\..\Run: [ec5d34d7] rundll32.exe "C:\WINDOWS\system32\istlpcuw.dll",b
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Owner\Application Data\Deskbar_{2498A92A-9F59-40c3-B5EA-244D3BBADA04}\starter.exe
O4 - HKLM\..\Run: [BMef6e074b] Rundll32.exe "C:\WINDOWS\system32\hfjdljfu.dll",s
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll" DllInit
O4 - HKCU\..\Run: [mprddm] C:\WINDOWS\System32\mprddm.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_1] "C:\Documents and Settings\Owner\198_150_ni_1.exe"
O4 - HKCU\..\Run: [rsvpsp] "C:\WINDOWS\System32\rsvpsp.exe"
O4 - HKCU\..\Run: [avicap32] "C:\WINDOWS\System32\avicap32.exe"
O4 - HKCU\..\Run: [xpsp2res] "C:\WINDOWS\System32\xpsp2res.exe"
O4 - HKCU\..\Run: [rtm] "C:\WINDOWS\System32\rtm.exe"
O4 - HKCU\..\Run: [dgnet] "C:\WINDOWS\System32\dgnet.exe"
O4 - HKCU\..\Run: [oleacc] "C:\WINDOWS\System32\oleacc.exe"
O4 - HKCU\..\Run: [tapiperf] "C:\WINDOWS\System32\tapiperf.exe"
O4 - HKCU\..\Run: [mciseq] "C:\WINDOWS\System32\mciseq.exe"
O4 - HKCU\..\Run: [fsusd] "C:\WINDOWS\System32\fsusd.exe"
O4 - HKCU\..\Run: [query] "C:\WINDOWS\System32\query.exe"
O4 - HKCU\..\Run: [dskquoui] "C:\WINDOWS\System32\dskquoui.exe"
O4 - HKCU\..\Run: [wpdtrace] "C:\WINDOWS\System32\wpdtrace.exe"
O4 - HKCU\..\Run: [blackbox] "C:\WINDOWS\System32\blackbox.exe"
O4 - HKCU\..\Run: [odbccr32] "C:\WINDOWS\System32\odbccr32.exe"
O4 - HKCU\..\Run: [mswsock] "C:\WINDOWS\System32\mswsock.exe"
O4 - HKCU\..\Run: [shimeng] "C:\WINDOWS\System32\shimeng.exe"
O4 - HKCU\..\Run: [imagxpr5] "C:\WINDOWS\System32\imagxpr5.exe"
O4 - HKCU\..\Run: [netui2] "C:\WINDOWS\System32\netui2.exe"
O4 - HKCU\..\Run: [ir41_qc] "C:\WINDOWS\System32\ir41_qc.exe"
O4 - HKCU\..\Run: [cdfview] "C:\WINDOWS\System32\cdfview.exe"
O4 - HKCU\..\Run: [wmsdmoe2] "C:\WINDOWS\System32\wmsdmoe2.exe"
O4 - HKCU\..\Run: [msvcrt40] "C:\WINDOWS\System32\msvcrt40.exe"
O4 - HKCU\..\Run: [psnppagn] "C:\WINDOWS\System32\psnppagn.exe"
O4 - HKCU\..\Run: [imagehlp] "C:\WINDOWS\System32\imagehlp.exe"
O4 - HKCU\..\Run: [dbnmpntw] "C:\WINDOWS\System32\dbnmpntw.exe"
O4 - HKCU\..\Run: [msexcl40] "C:\WINDOWS\System32\msexcl40.exe"
O4 - HKCU\..\Run: [deskadp] "C:\WINDOWS\System32\deskadp.exe"
O4 - HKCU\..\Run: [browselc] "C:\WINDOWS\System32\browselc.exe"
O4 - HKCU\..\Run: [dssenh] "C:\WINDOWS\System32\dssenh.exe"
O4 - HKCU\..\Run: [licdll] "C:\WINDOWS\System32\licdll.exe"
O4 - HKCU\..\Run: [iasads] "C:\WINDOWS\System32\iasads.exe"
O4 - HKCU\..\Run: [cdmodem] "C:\WINDOWS\System32\cdmodem.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\System32\msr2cenu.exe"
O4 - HKCU\..\Run: [iologmsg] "C:\WINDOWS\System32\iologmsg.exe"
O4 - HKCU\..\Run: [dinput8] "C:\WINDOWS\System32\dinput8.exe"
O4 - HKCU\..\Run: [stobject] "C:\WINDOWS\System32\stobject.exe"
O4 - HKCU\..\Run: [ipv6mon] "C:\WINDOWS\System32\ipv6mon.exe"
O4 - HKCU\..\Run: [mydocs] "C:\WINDOWS\System32\mydocs.exe"
O4 - HKCU\..\Run: [modemui] "C:\WINDOWS\System32\modemui.exe"
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\System32\eventcls.exe"
O4 - HKCU\..\Run: [wmvsdecd] "C:\WINDOWS\system32\wmvsdecd.exe"
O4 - HKCU\..\Run: [msswch] "C:\WINDOWS\system32\msswch.exe"
O4 - HKCU\..\Run: [rdpcfgex] "C:\WINDOWS\system32\rdpcfgex.exe"
O4 - HKCU\..\Run: [glu32] "C:\WINDOWS\system32\glu32.exe"
O4 - HKCU\..\Run: [lfpsd11n] "C:\WINDOWS\system32\lfpsd11n.exe"
O4 - HKCU\..\Run: [kbdkyr] "C:\WINDOWS\system32\kbdkyr.exe"
O4 - HKCU\..\Run: [xactsrv] "C:\WINDOWS\system32\xactsrv.exe"
O4 - HKCU\..\Run: [jscript] "C:\WINDOWS\system32\jscript.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [icmp] "C:\WINDOWS\system32\icmp.exe"
O4 - HKCU\..\Run: [dsprpres] "C:\WINDOWS\system32\dsprpres.exe"
O4 - HKCU\..\Run: [nddeapi] "C:\WINDOWS\system32\nddeapi.exe"
O4 - HKCU\..\Run: [hpovst08] "C:\WINDOWS\system32\hpovst08.exe"
O4 - HKCU\..\Run: [shdoclc] "C:\WINDOWS\system32\shdoclc.exe"
O4 - HKCU\..\Run: [rsvpmsg] "C:\WINDOWS\system32\rsvpmsg.exe"
O4 - HKCU\..\Run: [dmserver] "C:\WINDOWS\system32\dmserver.exe"
O4 - HKCU\..\Run: [usbmon] "C:\WINDOWS\system32\usbmon.exe"
O4 - HKCU\..\Run: [stclient] "C:\WINDOWS\system32\stclient.exe"
O4 - HKCU\..\Run: [ciodm] "C:\WINDOWS\system32\ciodm.exe"
O4 - HKCU\..\Run: [msprivs] "C:\WINDOWS\system32\msprivs.exe"
O4 - HKCU\..\Run: [wldap32] "C:\WINDOWS\system32\wldap32.exe"
O4 - HKCU\..\Run: [pncrt] "C:\WINDOWS\system32\pncrt.exe"
O4 - HKCU\..\Run: [vjoy] "C:\WINDOWS\system32\vjoy.exe"
O4 - HKCU\..\Run: [winsta] "C:\WINDOWS\system32\winsta.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ir50_qcx] "C:\WINDOWS\system32\ir50_qcx.exe"
O4 - HKCU\..\Run: [svcpack] "C:\WINDOWS\system32\svcpack.exe"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\cdTMP\cdrev132.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - Winlogon Notify: efcDWNfc - efcDWNfc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: wshtcpip - Unknown owner - C:\WINDOWS\System32\wshtcpip.exe

--
End of file - 14626 bytes


KASPERSKY LOG:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 9:21:15 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 741846
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 108032
Number of viruses found: 26
Number of infected objects: 149
Number of suspicious objects: 0
Duration of the scan process: 02:03:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PWMR8UHI\200_160_i_3[1].abc Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\198_150_ni_1.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe Infected: Trojan-Downloader.Win32.Agent.ndt skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_25c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF469A.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\xJWIYFSHYHT.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\Documents and Settings\Owner\xVYDKKPLIKK.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
C:\Program Files\winvi\update.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\Program Files\winvi\update.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\Program Files\winvi\update.exe NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXRKBuu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efcDWNfc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\test.bmp.vir Infected: Trojan-Downloader.Win32.Reqlook.d skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP463\A0070878.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP464\A0070909.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP466\A0070936.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP466\A0070949.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP467\A0070967.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP467\A0070968.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP468\A0070984.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP468\A0070985.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP469\A0071006.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP471\A0071053.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP472\A0071064.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP473\A0071079.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP475\A0071123.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP476\A0071138.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP476\A0071146.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP477\A0071183.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP478\A0071199.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0071216.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072247.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072249.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072250.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072251.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072253.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072256.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072256.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP480\A0072257.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP482\A0072305.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP482\A0072308.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP482\A0072310.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP482\A0072311.exe Infected: Trojan.Win32.BHO.blh skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP482\A0072312.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP482\A0072313.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP482\A0072314.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP483\A0074388.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP483\A0074394.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP483\A0074395.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP483\A0074429.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP483\A0074430.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP484\A0074522.exe Infected: Trojan-Downloader.Win32.Agent.wd skipped
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP484\change.log Object is locked skipped
C:\WINDOWS\b155.exe_old Infected: Trojan.Win32.BHO.blh skipped
C:\WINDOWS\b156.exe_old Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\WINDOWS\b157.exe_old Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Communications cable between two computers.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\12033\cvserchka.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\198_150_ni_1.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\adsldp.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\autodisc.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\avicap32.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\bkEur01\bkEur011065.exe Infected: Trojan-Downloader.Win32.VB.edw skipped
C:\WINDOWS\system32\blackbox.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\browselc.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cdfview.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\cdmodem.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\cdTMP\cdrev132.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\ciodm.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\cNF\srkcont3.exe/stream/data0007/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\cNF\srkcont3.exe/stream/data0007/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\cNF\srkcont3.exe/stream/data0007 Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\cNF\srkcont3.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\WINDOWS\system32\cNF\srkcont3.exe NSIS: infected - 4 skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\d3d9.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\d3dramp.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\d3dxof.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\davclnt.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dbnmpntw.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\deskadp.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dgnet.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\din3\is-setup03x.exe Infected: Trojan.Win32.Agent.lom skipped
C:\WINDOWS\system32\dinput8.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dmserver.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dplay.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dskquoui.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dsprpres.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dssenh.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\eventcls.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\fsusd.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\glu32.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hpovst08.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\iasads.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\icmp.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\icwdial.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\imagehlp.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\imagxpr5.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\inetcplc.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\iologmsg.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\ipv6mon.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\ir41_qc.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\ir50_qcx.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\jscript.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\kbdfr.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\kbdkyr.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\kcntmkdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\WINDOWS\system32\langwrbk.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\ld.exe Infected: Trojan.Win32.Crypt.t skipped
C:\WINDOWS\system32\lfpsd11n.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\licdll.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mciseq.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\modemui.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\msexcl40.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\msprivs.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\msr2cenu.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\msswch.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\msvcrt40.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\mswsock.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\mydocs.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\nddeapi.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\netui2.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\odbccr32.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\oleacc.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\pncrt.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\psnppagn.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\qasf.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\rdpcfgex.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\rsvpmsg.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\rsvpsp.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\rtm.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\rwwnw64d.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\shdoclc.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\shimeng.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\stclient.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\stobject.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\svcpack.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\swprv.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\tapiperf.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\tcntmkdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\WINDOWS\system32\test.bmp Infected: Trojan-Downloader.Win32.Reqlook.d skipped
C:\WINDOWS\system32\usbmon.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\vjoy.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winsta.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\wldap32.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\wmsdmoe2.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\wmvsdecd.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\wpdtrace.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\wshtcpip.exe Infected: Trojan-Downloader.Win32.Reqlook.d skipped
C:\WINDOWS\system32\xactsrv.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\xenroll.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\xpsp2res.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

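Every line of the Kaspersky report above ends in "skipped": the online scanner reports, it does not clean, so the useful output is the pattern it exposes. Dozens of files under System32 borrow the name of a legitimate Windows component (deskadp, dinput8, glu32, jscript, mswsock, xpsp2res, and so on) but carry an .exe extension where Windows installs only a .dll, and the later ComboFix listing shows the same names wired into the user's Run key with near-identical file sizes. The Python below is an added example, not part of this thread or of any tool mentioned in it. It parses constructed sample lines in the two formats (a Kaspersky-style report and a ComboFix-style Run-key listing) and flags three things: a known DLL stem carrying an .exe extension inside System32, autorun images clustering on one file size, and autoruns launched from the user profile. The sample lines and the KNOWN_DLL_STEMS set are assumptions made for the example; the set is a hand-picked subset, not a complete inventory of Windows XP.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Kaspersky online-scanner report format seen above.
SAMPLE_SCAN = r"""
C:\WINDOWS\system32\deskadp.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\dinput8.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\glu32.exe Infected: Trojan-Downloader.Win32.Agent.am skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kcntmkdm.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\WINDOWS\system32\test.bmp Infected: Trojan-Downloader.Win32.Reqlook.d skipped
"""

# Constructed sample lines in the ComboFix "Reg Loading Points" style: "name"="path" [date time size]
SAMPLE_RUN_KEY = r"""
"rsvpsp"="C:\WINDOWS\System32\rsvpsp.exe" [2003-03-31 05:00 98586]
"xpsp2res"="C:\WINDOWS\System32\xpsp2res.exe" [2004-03-10 10:59 98586]
"glu32"="C:\WINDOWS\system32\glu32.exe" [2004-08-04 00:56 99098]
"mswsock"="C:\WINDOWS\System32\mswsock.exe" [2003-03-31 05:00 99098]
"imagehlp"="C:\WINDOWS\System32\imagehlp.exe" [2003-03-31 05:00 99098]
"jscript"="C:\WINDOWS\system32\jscript.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-10 21:36 68856]
"SpeedRunner"="C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe" [ ]
"SfKg6wIP"="C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe" [ ]
"""

# Assumption: a short, hand-picked subset of names that Windows XP installs in System32
# as .dll files. A real deployment would build this set from a clean reference install.
KNOWN_DLL_STEMS = {"rsvpsp", "xpsp2res", "glu32", "mswsock", "imagehlp", "jscript",
                   "dinput8", "deskadp", "oleacc", "wldap32"}

SCAN_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<det>\S+) skipped$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')


def summarize_scan(report):
    """Group 'Infected:' lines by detection name; 'Object is locked' lines are not detections."""
    by_detection = defaultdict(list)
    for line in report.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            by_detection[m.group("det")].append(m.group("path"))
    return dict(by_detection)


def parse_run_entries(listing):
    """Turn Run-key lines into dicts; an empty '[ ]' means the tool could not stat the file."""
    entries = []
    for line in listing.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        meta = m.group("meta").split()
        size = int(meta[-1]) if meta and meta[-1].isdigit() else None
        entries.append({"name": m.group("name"), "path": m.group("path"), "size": size})
    return entries


def flag_entries(entries, min_cluster=3):
    """Apply three heuristics and return {heuristic: [entry names]} for the ones that fire."""
    findings = defaultdict(list)
    size_counts = Counter(e["size"] for e in entries if e["size"] is not None)
    for e in entries:
        p = e["path"].lower()
        stem, _, ext = p.rsplit("\\", 1)[-1].rpartition(".")
        # 1. A well-known System32 DLL name carrying an .exe extension is not a Windows file.
        if "\\system32\\" in p and ext == "exe" and stem in KNOWN_DLL_STEMS:
            findings["dll_name_as_exe"].append(e["name"])
        # 2. Many autorun images of exactly the same size suggest one dropper writing copies.
        if e["size"] is not None and size_counts[e["size"]] >= min_cluster:
            findings["size_cluster"].append(e["name"])
        # 3. Autoruns living under the user profile rather than Program Files or System32.
        if "\\documents and settings\\" in p:
            findings["user_profile_autorun"].append(e["name"])
    return dict(findings)


if __name__ == "__main__":
    for det, paths in summarize_scan(SAMPLE_SCAN).items():
        print(f"{det}: {len(paths)} file(s)")
    for heuristic, names in flag_entries(parse_run_entries(SAMPLE_RUN_KEY)).items():
        print(f"{heuristic}: {', '.join(names)}")
```

Run it as a script and it prints the detection families from the scan sample and the Run entries each heuristic catches; the Google toolbar entry trips none of them. The stem check is deliberately strict (exact name match, .exe extension, System32 location) so that a legitimate updater in Program Files is not flagged, and the size cluster threshold is a parameter because two matching sizes can be coincidence while a dozen rarely are.
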
Rorschach112
2008-05-06, 22:39
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

dolomick
2008-05-07, 01:37
OK, did everything...

SmitFraudFix v2.319

Scan done at 11:08:26.05, Tue 05/06/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{CBAD33A3-A408-476C-A68E-EA7FF6C9611C}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CBAD33A3-A408-476C-A68E-EA7FF6C9611C}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CBAD33A3-A408-476C-A68E-EA7FF6C9611C}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

ComboFix 08-05-01.3 - Kevin 2008-05-06 15:04:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\test.bmp

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 15:13 . 2008-05-06 15:13 93 --a------ C:\WINDOWS\system32\msnav32.ax
2008-05-06 15:12 . 2008-05-06 15:12 49,160 --a------ C:\WINDOWS\system32\rwwnw64d.exe
2008-05-06 13:43 . 2008-05-06 13:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-06 13:39 . 2008-05-06 14:42 <DIR> d-------- C:\SDFix
2008-05-06 13:11 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-06 13:07 . 2008-05-06 13:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 12:39 . 2008-05-06 12:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-06 12:36 . 2008-05-06 13:11 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-06 12:32 . 2008-05-06 12:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-06 12:32 . 2008-05-06 14:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 11:32 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-06 11:32 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-06 11:32 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-06 11:32 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-06 11:32 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-06 11:32 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-06 11:32 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-06 11:32 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-06 10:59 . 2008-05-06 11:33 4,102 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-06 08:52 . 2008-05-06 08:52 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-05-06 01:03 . 2008-05-06 01:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 00:38 . 2008-05-06 00:48 43,040 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-06 00:38 . 2008-05-06 00:48 1,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-06 00:38 . 2008-05-06 00:48 1,580 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-06 00:38 . 2008-05-06 00:48 1,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-05 23:27 . 2008-05-05 23:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 23:27 . 2008-05-06 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 23:19 . 2008-05-05 23:19 403,064 --a------ C:\WINDOWS\system32\g27.exe
2008-05-05 23:19 . 2008-05-05 23:19 200,776 --a------ C:\WINDOWS\system32\kcntmkdm.exe
2008-05-05 22:38 . 2008-05-06 10:44 863 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-05 22:37 . 2008-05-05 22:37 400,061 --a------ C:\WINDOWS\system32\g25.exe
2008-05-05 22:37 . 2008-05-05 22:37 200,769 --a------ C:\WINDOWS\system32\tcntmkdm.exe
2008-05-05 22:37 . 2008-05-05 23:19 63,893 --a------ C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll-uninst.exe
2008-05-05 16:33 . 2008-05-05 19:12 694 --a------ C:\WINDOWS\wininit.ini
2008-05-05 15:55 . 2008-05-05 15:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-05 15:55 . 2008-05-05 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-05 15:29 . 2008-05-05 15:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-05 13:29 . 2008-05-05 18:02 109,774 --a------ C:\WINDOWS\BMef6e074b.xml
2008-05-05 13:22 . 2008-05-05 13:22 <DIR> d-------- C:\Program Files\Svconr
2008-05-05 13:22 . 2008-05-05 13:22 <DIR> d-------- C:\Program Files\Spcron
2008-05-05 13:18 . 2008-05-05 13:18 <DIR> d-------- C:\WINDOWS\system32\din3
2008-05-05 13:18 . 2008-05-05 13:18 <DIR> d-------- C:\WINDOWS\system32\cNF
2008-05-05 13:18 . 2008-05-05 13:18 <DIR> d-------- C:\WINDOWS\system32\cdTMP
2008-05-05 13:18 . 2008-05-05 13:18 <DIR> d-------- C:\WINDOWS\system32\12033
2008-05-05 13:17 . 2008-05-06 14:32 <DIR> d-------- C:\Temp
2008-05-01 05:40 . 2008-05-01 02:40 68,608 --------- C:\WINDOWS\b155.exe_old
2008-04-30 12:42 . 2008-05-01 13:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-30 12:42 . 2008-04-30 12:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 12:06 . 2008-04-30 12:06 <DIR> d-------- C:\Program Files\LaCieTools
2008-04-30 12:06 . 2005-10-19 09:34 15,872 --a------ C:\WINDOWS\system32\drivers\LaCieUSBFilter.sys
2008-04-30 12:06 . 2005-10-18 08:28 14,848 --a------ C:\WINDOWS\system32\drivers\LaCieFWFilter.sys
2008-04-30 12:06 . 2008-04-30 12:06 640 --a------ C:\WINDOWS\UndeviceUpd
2008-04-24 14:44 . 2008-04-24 11:44 73,728 --------- C:\WINDOWS\b156.exe_old
2008-04-24 10:51 . 2008-04-24 10:51 <DIR> d-------- C:\Program Files\.Mac Utilities
2008-04-14 11:08 . 2008-04-14 08:08 46,592 --------- C:\WINDOWS\b157.exe_old
2008-04-09 11:16 . 2008-04-09 11:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-09 11:16 . 2008-04-09 11:16 <DIR> d-------- C:\Program Files\Adobe Media Player
2008-04-07 09:19 . 2008-04-07 09:19 331,776 --a------ C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 20:11 --------- d-----w C:\Program Files\Java
2008-05-06 19:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 07:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-18 18:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-08 01:06 --------- d-----w C:\Program Files\FLStudio4
2008-03-21 01:52 --------- d-----w C:\Program Files\Trillian
2005-12-05 04:51 99,098 ----a-w C:\Documents and Settings\Owner\198_150_ni_1.exe
2005-10-06 03:22 97,048 ----a-w C:\Documents and Settings\Owner\xJWIYFSHYHT.exe
2005-09-04 08:10 80,665 ----a-w C:\Documents and Settings\Owner\xVYDKKPLIKK.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-05_22.45.41.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 05:33:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 22:11:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 04:42:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-06 20:43:51 5,873,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-05-06 20:43:52 172,032 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-06 04:42:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-06 20:43:41 5,873,664 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-05-06 20:43:41 172,032 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-05-06 05:37:16 63,893 ----a-w C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll-uninst.exe
+ 2008-05-06 06:19:13 63,893 ----a-w C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll-uninst.exe
- 2008-04-07 16:19:34 328,704 ----a-w C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll
+ 2008-04-07 16:19:50 331,776 ----a-w C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll
- 2004-02-23 05:52:42 24,681 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-02-23 05:52:44 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2003-03-31 12:00:00 99,098 ----a-w C:\WINDOWS\system32\kbdfr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48ef2043-3396-10b3-0a15-9880fe3c93d9}]
2008-04-07 09:19 331776 --a------ C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62C21114-D4A8-499B-A15C-684FDB8B79B5}]
C:\WINDOWS\system32\opnlKAro.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70186681-442D-4D62-936D-E2B79089D6EB}]
C:\WINDOWS\system32\qoMcyARl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87ed7406-1dca-4fab-ad56-37e4a6d893ca}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 08:35 333824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC11617C-259E-429c-9063-7D70B8355EBD}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mprddm"="C:\WINDOWS\System32\mprddm.exe" [ ]
"196_150_ni"="C:\WINDOWS\System32\196_150_ni.exe" [ ]
"197_150_ni_4"="C:\WINDOWS\System32\197_150_ni_4.exe" [ ]
"198_150_ni_1"="C:\Documents and Settings\Owner\198_150_ni_1.exe" [2005-12-04 21:51 99098]
"rsvpsp"="C:\WINDOWS\System32\rsvpsp.exe" [2003-03-31 05:00 98586]
"avicap32"="C:\WINDOWS\System32\avicap32.exe" [2003-03-31 05:00 99098]
"xpsp2res"="C:\WINDOWS\System32\xpsp2res.exe" [2004-03-10 10:59 98586]
"rtm"="C:\WINDOWS\System32\rtm.exe" [2003-03-31 05:00 99098]
"dgnet"="C:\WINDOWS\System32\dgnet.exe" [2003-03-31 05:00 99098]
"oleacc"="C:\WINDOWS\System32\oleacc.exe" [2003-03-31 05:00 99098]
"tapiperf"="C:\WINDOWS\System32\tapiperf.exe" [2003-03-31 05:00 99098]
"mciseq"="C:\WINDOWS\System32\mciseq.exe" [2003-03-31 05:00 99098]
"fsusd"="C:\WINDOWS\System32\fsusd.exe" [2003-03-31 05:00 99098]
"query"="C:\WINDOWS\System32\query.exe" [2003-03-31 05:00 9728]
"dskquoui"="C:\WINDOWS\System32\dskquoui.exe" [2003-03-31 05:00 99098]
"wpdtrace"="C:\WINDOWS\System32\wpdtrace.exe" [2004-08-11 01:45 99098]
"blackbox"="C:\WINDOWS\System32\blackbox.exe" [2004-08-11 01:45 99098]
"odbccr32"="C:\WINDOWS\System32\odbccr32.exe" [2003-03-31 05:00 99098]
"mswsock"="C:\WINDOWS\System32\mswsock.exe" [2003-03-31 05:00 99098]
"shimeng"="C:\WINDOWS\System32\shimeng.exe" [2003-03-31 05:00 99098]
"imagxpr5"="C:\WINDOWS\System32\imagxpr5.exe" [2001-07-06 18:24 99098]
"netui2"="C:\WINDOWS\System32\netui2.exe" [2003-03-31 05:00 99098]
"ir41_qc"="C:\WINDOWS\System32\ir41_qc.exe" [2002-11-14 12:58 99098]
"cdfview"="C:\WINDOWS\System32\cdfview.exe" [2004-12-07 18:43 99098]
"wmsdmoe2"="C:\WINDOWS\System32\wmsdmoe2.exe" [2004-08-11 01:45 99098]
"msvcrt40"="C:\WINDOWS\System32\msvcrt40.exe" [2003-03-31 05:00 99098]
"psnppagn"="C:\WINDOWS\System32\psnppagn.exe" [2003-03-31 05:00 99098]
"imagehlp"="C:\WINDOWS\System32\imagehlp.exe" [2003-03-31 05:00 99098]
"dbnmpntw"="C:\WINDOWS\System32\dbnmpntw.exe" [2003-03-31 05:00 99098]
"msexcl40"="C:\WINDOWS\System32\msexcl40.exe" [2004-03-01 11:55 99098]
"deskadp"="C:\WINDOWS\System32\deskadp.exe" [2003-03-31 05:00 99098]
"browselc"="C:\WINDOWS\System32\browselc.exe" [2003-03-31 05:00 99098]
"dssenh"="C:\WINDOWS\System32\dssenh.exe" [2003-03-31 05:00 99098]
"licdll"="C:\WINDOWS\System32\licdll.exe" [2003-03-31 05:00 99098]
"iasads"="C:\WINDOWS\System32\iasads.exe" [2003-03-31 05:00 99098]
"cdmodem"="C:\WINDOWS\System32\cdmodem.exe" [2003-03-31 05:00 99098]
"modemui"="C:\WINDOWS\System32\modemui.exe" [2003-03-31 05:00 99098]
"msswch"="C:\WINDOWS\system32\msswch.exe" [2003-03-31 05:00 99098]
"glu32"="C:\WINDOWS\system32\glu32.exe" [2004-08-04 00:56 99098]
"xactsrv"="C:\WINDOWS\system32\xactsrv.exe" [2004-08-04 00:56 99098]
"jscript"="C:\WINDOWS\system32\jscript.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-10 21:36 68856]
"icmp"="C:\WINDOWS\system32\icmp.exe" [2004-08-04 00:56 99098]
"rsvpmsg"="C:\WINDOWS\system32\rsvpmsg.exe" [2003-03-31 05:00 99098]
"usbmon"="C:\WINDOWS\system32\usbmon.exe" [2004-08-04 00:56 99098]
"msprivs"="C:\WINDOWS\system32\msprivs.exe" [2004-08-04 00:56 99098]
"pncrt"="C:\WINDOWS\system32\pncrt.exe" [2004-06-07 18:58 99098]
"winsta"="C:\WINDOWS\system32\winsta.exe" [2004-08-04 00:56 99098]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [2008-05-05 13:22 57344]
"ir50_qcx"="C:\WINDOWS\system32\ir50_qcx.exe" [ ]
"svcpack"="C:\WINDOWS\system32\svcpack.exe" [ ]
"msr2cenu"="C:\WINDOWS\System32\msr2cenu.exe" [2003-03-31 05:00 99098]
"iologmsg"="C:\WINDOWS\System32\iologmsg.exe" [ ]
"dinput8"="C:\WINDOWS\System32\dinput8.exe" [2003-03-31 05:00 99098]
"stobject"="C:\WINDOWS\System32\stobject.exe" [2003-03-31 05:00 99098]
"ipv6mon"="C:\WINDOWS\System32\ipv6mon.exe" [2006-08-16 05:14 99098]
"mydocs"="C:\WINDOWS\System32\mydocs.exe" [ ]
"eventcls"="C:\WINDOWS\System32\eventcls.exe" [ ]
"wmvsdecd"="C:\WINDOWS\system32\wmvsdecd.exe" [ ]
"rdpcfgex"="C:\WINDOWS\system32\rdpcfgex.exe" [ ]
"lfpsd11n"="C:\WINDOWS\system32\lfpsd11n.exe" [ ]
"kbdkyr"="C:\WINDOWS\system32\kbdkyr.exe" [2003-03-31 05:00 99098]
"qasf"="C:\WINDOWS\system32\qasf.exe" [ ]
"dsprpres"="C:\WINDOWS\system32\dsprpres.exe" [ ]
"nddeapi"="C:\WINDOWS\system32\nddeapi.exe" [2004-08-04 00:56 99098]
"hpovst08"="C:\WINDOWS\system32\hpovst08.exe" [ ]
"shdoclc"="C:\WINDOWS\system32\shdoclc.exe" [ ]
"dmserver"="C:\WINDOWS\system32\dmserver.exe" [ ]
"stclient"="C:\WINDOWS\system32\stclient.exe" [ ]
"ciodm"="C:\WINDOWS\system32\ciodm.exe" [ ]
"wldap32"="C:\WINDOWS\system32\wldap32.exe" [ ]
"vjoy"="C:\WINDOWS\system32\vjoy.exe" [ ]
"WinUpdater"="C:\Program Files\winvi\update.exe" [ ]
"WebSUpdater"="C:\Program Files\winvi\wupda.exe" [ ]
"SpeedRunner"="C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe" [ ]
"SfKg6wIP"="C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe" [ ]
"pstorec"="C:\WINDOWS\system32\pstorec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 00:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-11 12:15 335872]
"AGRSMMSG"="AGRSMMSG.exe" [2003-07-24 19:22 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-16 06:19 159744]
"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-08-20 19:33 81920]
"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2003-08-21 09:29 242688]
"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 09:37 61440]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 02:46 200069]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05 257088]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"{D3-34-47-78-DW}"="c:\windows\system32\rwwnw64d.exe" [2008-05-06 15:12 49160]
"ec5d34d7"="C:\WINDOWS\system32\istlpcuw.dll" [ ]
"BMef6e074b"="C:\WINDOWS\system32\hfjdljfu.dll" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"spa_start"="C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll" [2008-04-07 09:19 331776]
"ExploreUpdSched"="C:\WINDOWS\system32\kcntmkdm.exe" [2008-05-05 23:19 200776]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-08 20:52:52 113664]
Deewoo.lnk - C:\WINDOWS\system32\kcntmkdm.exe [2008-05-05 23:19:06 200776]
DW_Start.lnk - C:\WINDOWS\system32\rwwnw64d.exe [2008-05-06 15:12:34 49160]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-07-13 17:40:48 98304]
M-Audio MobilePre Control Panel Launcher.lnk - C:\Program Files\M-Audio MobilePre\MPTask.exe [2004-03-04 16:29:11 61440]
MFWAKeys.lnk - C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe [2004-09-02 12:43:36 126976]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcDWNfc]
efcDWNfc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= usbmn2x2.dll
"Midi2"= usbkt1x1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-10-31 18:33 208941 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-31 18:33 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 09:22]
R2 MobilePreInstallerService;MobilePre Installer;C:\Program Files\M-Audio MobilePre\Install\MPInst.exe [2006-12-20 13:04]
R2 wshtcpip;wshtcpip;C:\WINDOWS\System32\wshtcpip.exe [2003-09-24 18:02]
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys [2001-08-17 06:49]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-10-27 05:17]
R3 LaCieFWFilter;Silver 1394 Filter (1394 BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieFWFilter.sys [2005-10-18 08:28]
R3 LaCieUSBFilter;Silver USB Filter (USB BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieUSBFilter.sys [2005-10-19 09:34]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-08-25 17:46]
R3 motubus;MOTU Audio MIDI Extension;C:\WINDOWS\system32\drivers\MotuBus.sys [2003-07-10 11:02]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\system32\drivers\MA763004.sys [2006-12-20 13:04]
S3 mbxfilt;mbxfilt;C:\WINDOWS\system32\drivers\MbxFilt.sys [2002-12-08 23:29]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;C:\WINDOWS\system32\drivers\MFWAMIDI.sys [2004-07-27 13:42]
S3 MFWAWAVE;MOTU FireWire Audio Wave;C:\WINDOWS\system32\drivers\MFWAWAVE.sys [2004-07-27 13:41]
S3 MotuFWA;MotuFWA;C:\WINDOWS\system32\drivers\MotuFWA.sys [2004-08-05 17:28]
S3 SeratoUsb;SeratoUsb driver;C:\WINDOWS\system32\Drivers\SeratoUsb.sys [2004-01-14 12:49]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2006-08-08 17:19]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;C:\WINDOWS\system32\drivers\usb22ldr.sys [2006-08-02 23:40]
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys [2006-08-08 17:19]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;C:\WINDOWS\system32\drivers\usbmn2x2.sys [2006-08-02 23:40]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 00:15:56 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-05-01 21:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-06 22:15:15 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-05-30 22:25:29 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 15:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\msnav32.ax 93 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Apoint2K\Hidfind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-06 15:25:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 22:24:49
ComboFix2.txt 2008-05-06 05:46:53

Pre-Run: 2,009,817,088 bytes free
Post-Run: 2,067,283,968 bytes free

321

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:47 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wshtcpip.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\kcntmkdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: gooochi browser optimizer - {48ef2043-3396-10b3-0a15-9880fe3c93d9} - C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {62C21114-D4A8-499B-A15C-684FDB8B79B5} - C:\WINDOWS\system32\opnlKAro.dll (file missing)
O2 - BHO: (no name) - {70186681-442D-4D62-936D-E2B79089D6EB} - C:\WINDOWS\system32\qoMcyARl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {87ed7406-1dca-4fab-ad56-37e4a6d893ca} - (no file)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {CC11617C-259E-429c-9063-7D70B8355EBD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [{D3-34-47-78-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [ec5d34d7] rundll32.exe "C:\WINDOWS\system32\istlpcuw.dll",b
O4 - HKLM\..\Run: [BMef6e074b] Rundll32.exe "C:\WINDOWS\system32\hfjdljfu.dll",s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [mprddm] C:\WINDOWS\System32\mprddm.exe
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [197_150_ni_4] C:\WINDOWS\System32\197_150_ni_4.exe
O4 - HKCU\..\Run: [198_150_ni_1] "C:\Documents and Settings\Owner\198_150_ni_1.exe"
O4 - HKCU\..\Run: [rsvpsp] "C:\WINDOWS\System32\rsvpsp.exe"
O4 - HKCU\..\Run: [avicap32] "C:\WINDOWS\System32\avicap32.exe"
O4 - HKCU\..\Run: [xpsp2res] "C:\WINDOWS\System32\xpsp2res.exe"
O4 - HKCU\..\Run: [rtm] "C:\WINDOWS\System32\rtm.exe"
O4 - HKCU\..\Run: [dgnet] "C:\WINDOWS\System32\dgnet.exe"
O4 - HKCU\..\Run: [oleacc] "C:\WINDOWS\System32\oleacc.exe"
O4 - HKCU\..\Run: [tapiperf] "C:\WINDOWS\System32\tapiperf.exe"
O4 - HKCU\..\Run: [mciseq] "C:\WINDOWS\System32\mciseq.exe"
O4 - HKCU\..\Run: [fsusd] "C:\WINDOWS\System32\fsusd.exe"
O4 - HKCU\..\Run: [query] "C:\WINDOWS\System32\query.exe"
O4 - HKCU\..\Run: [dskquoui] "C:\WINDOWS\System32\dskquoui.exe"
O4 - HKCU\..\Run: [wpdtrace] "C:\WINDOWS\System32\wpdtrace.exe"
O4 - HKCU\..\Run: [blackbox] "C:\WINDOWS\System32\blackbox.exe"
O4 - HKCU\..\Run: [odbccr32] "C:\WINDOWS\System32\odbccr32.exe"
O4 - HKCU\..\Run: [mswsock] "C:\WINDOWS\System32\mswsock.exe"
O4 - HKCU\..\Run: [shimeng] "C:\WINDOWS\System32\shimeng.exe"
O4 - HKCU\..\Run: [imagxpr5] "C:\WINDOWS\System32\imagxpr5.exe"
O4 - HKCU\..\Run: [netui2] "C:\WINDOWS\System32\netui2.exe"
O4 - HKCU\..\Run: [ir41_qc] "C:\WINDOWS\System32\ir41_qc.exe"
O4 - HKCU\..\Run: [cdfview] "C:\WINDOWS\System32\cdfview.exe"
O4 - HKCU\..\Run: [wmsdmoe2] "C:\WINDOWS\System32\wmsdmoe2.exe"
O4 - HKCU\..\Run: [msvcrt40] "C:\WINDOWS\System32\msvcrt40.exe"
O4 - HKCU\..\Run: [psnppagn] "C:\WINDOWS\System32\psnppagn.exe"
O4 - HKCU\..\Run: [imagehlp] "C:\WINDOWS\System32\imagehlp.exe"
O4 - HKCU\..\Run: [dbnmpntw] "C:\WINDOWS\System32\dbnmpntw.exe"
O4 - HKCU\..\Run: [msexcl40] "C:\WINDOWS\System32\msexcl40.exe"
O4 - HKCU\..\Run: [deskadp] "C:\WINDOWS\System32\deskadp.exe"
O4 - HKCU\..\Run: [browselc] "C:\WINDOWS\System32\browselc.exe"
O4 - HKCU\..\Run: [dssenh] "C:\WINDOWS\System32\dssenh.exe"
O4 - HKCU\..\Run: [licdll] "C:\WINDOWS\System32\licdll.exe"
O4 - HKCU\..\Run: [iasads] "C:\WINDOWS\System32\iasads.exe"
O4 - HKCU\..\Run: [cdmodem] "C:\WINDOWS\System32\cdmodem.exe"
O4 - HKCU\..\Run: [modemui] "C:\WINDOWS\System32\modemui.exe"
O4 - HKCU\..\Run: [msswch] "C:\WINDOWS\system32\msswch.exe"
O4 - HKCU\..\Run: [glu32] "C:\WINDOWS\system32\glu32.exe"
O4 - HKCU\..\Run: [xactsrv] "C:\WINDOWS\system32\xactsrv.exe"
O4 - HKCU\..\Run: [jscript] "C:\WINDOWS\system32\jscript.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [icmp] "C:\WINDOWS\system32\icmp.exe"
O4 - HKCU\..\Run: [rsvpmsg] "C:\WINDOWS\system32\rsvpmsg.exe"
O4 - HKCU\..\Run: [usbmon] "C:\WINDOWS\system32\usbmon.exe"
O4 - HKCU\..\Run: [msprivs] "C:\WINDOWS\system32\msprivs.exe"
O4 - HKCU\..\Run: [pncrt] "C:\WINDOWS\system32\pncrt.exe"
O4 - HKCU\..\Run: [winsta] "C:\WINDOWS\system32\winsta.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [ir50_qcx] "C:\WINDOWS\system32\ir50_qcx.exe"
O4 - HKCU\..\Run: [svcpack] "C:\WINDOWS\system32\svcpack.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\System32\msr2cenu.exe"
O4 - HKCU\..\Run: [iologmsg] "C:\WINDOWS\System32\iologmsg.exe"
O4 - HKCU\..\Run: [dinput8] "C:\WINDOWS\System32\dinput8.exe"
O4 - HKCU\..\Run: [stobject] "C:\WINDOWS\System32\stobject.exe"
O4 - HKCU\..\Run: [ipv6mon] "C:\WINDOWS\System32\ipv6mon.exe"
O4 - HKCU\..\Run: [mydocs] "C:\WINDOWS\System32\mydocs.exe"
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\System32\eventcls.exe"
O4 - HKCU\..\Run: [wmvsdecd] "C:\WINDOWS\system32\wmvsdecd.exe"
O4 - HKCU\..\Run: [rdpcfgex] "C:\WINDOWS\system32\rdpcfgex.exe"
O4 - HKCU\..\Run: [lfpsd11n] "C:\WINDOWS\system32\lfpsd11n.exe"
O4 - HKCU\..\Run: [kbdkyr] "C:\WINDOWS\system32\kbdkyr.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [dsprpres] "C:\WINDOWS\system32\dsprpres.exe"
O4 - HKCU\..\Run: [nddeapi] "C:\WINDOWS\system32\nddeapi.exe"
O4 - HKCU\..\Run: [hpovst08] "C:\WINDOWS\system32\hpovst08.exe"
O4 - HKCU\..\Run: [shdoclc] "C:\WINDOWS\system32\shdoclc.exe"
O4 - HKCU\..\Run: [dmserver] "C:\WINDOWS\system32\dmserver.exe"
O4 - HKCU\..\Run: [stclient] "C:\WINDOWS\system32\stclient.exe"
O4 - HKCU\..\Run: [ciodm] "C:\WINDOWS\system32\ciodm.exe"
O4 - HKCU\..\Run: [wldap32] "C:\WINDOWS\system32\wldap32.exe"
O4 - HKCU\..\Run: [vjoy] "C:\WINDOWS\system32\vjoy.exe"
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe
O4 - HKCU\..\Run: [pstorec] "C:\WINDOWS\system32\pstorec.exe"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O20 - Winlogon Notify: efcDWNfc - efcDWNfc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: wshtcpip - Unknown owner - C:\WINDOWS\System32\wshtcpip.exe

--
End of file - 14654 bytes
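Added example for this thread (it is not part of HijackThis, ComboFix, SDFix or the helper's fix scripts): a small Python triage pass over HijackThis O4 lines that encodes the patterns visible in the log above. The infection registered dozens of HKCU Run entries pointing at System32 .exe files that carry the names of legitimate Windows DLLs (avicap32, mswsock, jscript, wldap32 and so on), two rundll32 entries with eight-letter DLL names and hex value names, an executable under Application Data, and Startup shortcuts into System32. The DLL-name list is an assumed subset for the demonstration; the sample lines are copied from the log above, with two clean entries added for contrast.

```python
"""Triage HijackThis O4 (autorun) lines with heuristics drawn from the log above.

Added example for this thread; not part of HijackThis or the helper's tools.
"""
import re
from typing import Dict, List

# Legitimate Windows system DLL base names. The infection above registered
# .exe files under these names in System32 so they look familiar in a log.
# A real tool would load the full list from a clean reference machine; this
# subset is an assumption made for the demonstration.
KNOWN_SYSTEM_DLLS = {
    "avicap32", "xpsp2res", "oleacc", "mswsock", "shimeng", "imagehlp",
    "msvcrt40", "dssenh", "licdll", "jscript", "wldap32", "dinput8",
    "glu32", "pstorec", "shdoclc", "browselc", "cdfview", "rsvpsp",
}

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:\S+ )?Startup: (?P<name>[^=]+?) = (?P<cmd>.+)$")
USER_PATH_RE = re.compile(r"\\documents and settings\\[^\\]+\\")
HEX_NAME_RE = re.compile(r"(?:BM)?[0-9a-f]{8}")

# Sample input: lines copied from the HijackThis log above, plus two clean
# entries (Apoint, swg) so the heuristics have something to leave alone.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe',
    r'O4 - HKLM\..\Run: [ec5d34d7] rundll32.exe "C:\WINDOWS\system32\istlpcuw.dll",b',
    r'O4 - HKCU\..\Run: [avicap32] "C:\WINDOWS\System32\avicap32.exe"',
    r'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    r'O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe',
    r"O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\kcntmkdm.exe (User 'SYSTEM')",
    r'O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe',
]


def first_path(cmd: str) -> str:
    """Return the program path at the start of an autorun command line."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|dll))(?:[\s,]|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess(kind: str, name: str, cmd: str) -> List[str]:
    """Return the reasons an autorun entry looks suspicious (empty list if clean)."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd)  # strip HJT's per-profile suffix
    target = first_path(cmd).lower()
    base = target.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".") if "." in base else (base, "", "")
    reasons: List[str] = []

    if ext == "exe" and stem in KNOWN_SYSTEM_DLLS and "\\system32\\" in target:
        reasons.append("Windows DLL name reused for an .exe in System32")
    if USER_PATH_RE.search(target) and "\\start menu\\" not in target:
        reasons.append("executable lives in a user profile directory")
    if base == "rundll32.exe":
        dll = re.search(r'"?([^"\s,]+\.dll)"?', cmd, re.IGNORECASE)
        if dll and re.fullmatch(r"[a-z]{8}", dll.group(1).lower().rsplit("\\", 1)[-1][:-4]):
            reasons.append("rundll32 loads an eight-letter random-name DLL")
    if kind == "Run" and HEX_NAME_RE.fullmatch(name):
        reasons.append("random hex value name")
    if kind == "Startup" and ext == "exe" and "\\system32\\" in target:
        reasons.append("Startup shortcut targets an executable in System32")
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious O4 entry name to its reasons; clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        kind, m = "Run", RUN_RE.match(line)
        if not m:
            kind, m = "Startup", STARTUP_RE.match(line)
        if not m:
            continue
        reasons = assess(kind, m.group("name"), m.group("cmd"))
        if reasons:
            findings[m.group("name")] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_O4_LINES).items():
        print(f"{entry}: {'; '.join(why)}")
```

Run as-is it flags ec5d34d7, avicap32, SfKg6wIP and Deewoo.lnk and leaves Apoint, swg and Adobe Gamma alone. Entries such as Svconr or winvi\update.exe sit in Program Files under unremarkable names and pass these heuristics, which is why a log like the one above is still read by a person: the heuristics shorten the list, they do not finish it.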

Rorschach112
2008-05-07, 01:55
I asked you to run SDFix.

Can you please do that?

dolomick
2008-05-07, 02:23
Oops, posted the wrong log. Here it is...


SDFix: Version 1.180
Run by Kevin on Tue 05/06/2008 at 01:50 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\OWNER\APPLIC~1\MICROS~1\WINDOWS\NKKVVO.EXE - Deleted
C:\Documents and Settings\Owner\Application Data\Deskbar_{2498A92A-9F59-40c3-B5EA-244D3BBADA04}\local.xml - Deleted
C:\Documents and Settings\Owner\Application Data\Deskbar_{2498A92A-9F59-40c3-B5EA-244D3BBADA04}\log.txt - Deleted
C:\Documents and Settings\Owner\Application Data\Deskbar_{2498A92A-9F59-40c3-B5EA-244D3BBADA04}\version.ini - Deleted
C:\Documents and Settings\Owner\Application Data\Deskbar_{2498A92A-9F59-40c3-B5EA-244D3BBADA04}\Cache\d6e9bb027c32ce9950910af1fce37bb9.xml - Deleted
C:\Documents and Settings\Owner\Application Data\SpeedRunner\config.cfg - Deleted
C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe - Deleted
C:\Documents and Settings\Owner\Application Data\SpeedRunner\SRUninstall.exe - Deleted
C:\Temp\maxsv15\rLCubd.log - Deleted
C:\WINDOWS\system32\bkEur01\bkEur011065.exe - Deleted
C:\Program Files\dbar\basis.xml - Deleted
C:\Program Files\dbar\channel.tmpl - Deleted
C:\Program Files\dbar\content.tmpl - Deleted
C:\Program Files\dbar\date.tmpl - Deleted
C:\Program Files\dbar\dbaruninst.exe - Deleted
C:\Program Files\dbar\deskbar.crc - Deleted
C:\Program Files\dbar\deskbar.dll - Deleted
C:\Program Files\dbar\deskbar.inf - Deleted
C:\Program Files\dbar\edit_rss.tmpl - Deleted
C:\Program Files\dbar\local.xml - Deleted
C:\Program Files\dbar\nav1.bmp - Deleted
C:\Program Files\dbar\nav2.bmp - Deleted
C:\Program Files\dbar\new_alert.tmpl - Deleted
C:\Program Files\dbar\version.ini - Deleted
C:\Program Files\dbar\version.txt - Deleted
C:\Program Files\winvi\Uninst.exe - Deleted
C:\Program Files\winvi\update.exe - Deleted
C:\Program Files\winvi\version.ini - Deleted
C:\Program Files\winvi\wupda.exe - Deleted
C:\Program Files\winvi\dsktp\AC_RunActiveContent.js - Deleted
C:\Program Files\winvi\dsktp\desktop.html - Deleted
C:\Program Files\winvi\dsktp\internetDetection.swf - Deleted
C:\Program Files\winvi\dsktp\settings.sol - Deleted
C:\Program Files\winvi\icons\bufferthis.ico - Deleted
C:\Program Files\winvi\icons\flashfunpages.ico - Deleted
C:\Program Files\winvi\icons\funnies.ico - Deleted
C:\Program Files\winvi\icons\funnyfunpages.ico - Deleted
C:\Program Files\winvi\icons\goodcleanvideos.ico - Deleted
C:\Program Files\winvi\icons\newfunpages.ico - Deleted
C:\Program Files\winvi\icons\positivethoughts.ico - Deleted
C:\Program Files\winvi\icons\removespyware.ico - Deleted
C:\Program Files\winvi\icons\thissiterocks.ico - Deleted
C:\Program Files\winvi\temp\version.ini - Deleted
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\system32\jscript.exe - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\rwwnw64d.exe - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted



Folder C:\Documents and Settings\Owner\Application Data\Deskbar_{2498A92A-9F59-40c3-B5EA-244D3BBADA04} - Removed
Folder C:\Documents and Settings\Owner\Application Data\SpeedRunner - Removed
Folder C:\Program Files\dbar - Removed
Folder C:\Program Files\winvi - Removed
Folder C:\Temp\maxsv15 - Removed
Folder C:\WINDOWS\system32\bkEur01 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 14:32:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 26 Oct 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 28 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 12 Jan 2005 14,848 A..H. --- "C:\Documents and Settings\Owner\My Documents\Zack\~WRL0004.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Owner\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

Rorschach112
2008-05-07, 02:47
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\g27.exe
C:\WINDOWS\system32\kcntmkdm.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\g25.exe
C:\WINDOWS\system32\tcntmkdm.exe
C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll-uninst.exe
C:\WINDOWS\BMef6e074b.xml
C:\WINDOWS\b155.exe_old
C:\WINDOWS\b156.exe_old
C:\WINDOWS\b157.exe_old
C:\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll
C:\Documents and Settings\Owner\198_150_ni_1.exe
C:\Documents and Settings\Owner\xJWIYFSHYHT.exe
C:\Documents and Settings\Owner\xVYDKKPLIKK.exe

Folder::
C:\Program Files\Svconr
C:\Program Files\Spcron
C:\WINDOWS\system32\din3
C:\WINDOWS\system32\cNF
C:\WINDOWS\system32\cdTMP
C:\WINDOWS\system32\12033

Registry::

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Reboot and do this:


Download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg Mountpoints2, File - Lop Check, and File - Purity Scan.
Under Drivers change it to Non-Microsoft.
Under Files Created Within and Files Modified Within change it to 90 days.
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

dolomick
2008-05-07, 03:34
OK, see attached zip file. Thanks!

Rorschach112
2008-05-07, 18:40
Hello

Don't attach the logs from here on.


Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YY -> (wshtcpip) wshtcpip [Win32_Own | Auto | Stopped] -> %SystemRoot%\System32\wshtcpip.exe
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> BMef6e074b -> %SystemRoot%\system32\hfjdljfu.DLL [Rundll32.exe "C:\WINDOWS\system32\hfjdljfu.dll",s]
YN -> ec5d34d7 -> %SystemRoot%\system32\istlpcuw.DLL [rundll32.exe "C:\WINDOWS\system32\istlpcuw.dll",b]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> 196_150_ni -> %SystemRoot%\System32\196_150_ni.exe [C:\WINDOWS\System32\196_150_ni.exe]
YN -> 197_150_ni_4 -> %SystemRoot%\System32\197_150_ni_4.exe [C:\WINDOWS\System32\197_150_ni_4.exe]
YN -> 198_150_ni_1 -> %UserProfile%\198_150_ni_1.exe ["C:\Documents and Settings\Owner\198_150_ni_1.exe"]
YY -> avicap32 -> %SystemRoot%\system32\avicap32.exe ["C:\WINDOWS\System32\avicap32.exe"]
YY -> browselc -> %SystemRoot%\system32\browselc.exe ["C:\WINDOWS\System32\browselc.exe"]
YY -> cdfview -> %SystemRoot%\system32\cdfview.exe ["C:\WINDOWS\System32\cdfview.exe"]
YY -> cdmodem -> %SystemRoot%\system32\cdmodem.exe ["C:\WINDOWS\System32\cdmodem.exe"]
YN -> ciodm -> %SystemRoot%\system32\ciodm.exe ["C:\WINDOWS\system32\ciodm.exe"]
YY -> dbnmpntw -> %SystemRoot%\system32\dbnmpntw.exe ["C:\WINDOWS\System32\dbnmpntw.exe"]
YY -> deskadp -> %SystemRoot%\system32\deskadp.exe ["C:\WINDOWS\System32\deskadp.exe"]
YY -> dgnet -> %SystemRoot%\system32\dgnet.exe ["C:\WINDOWS\System32\dgnet.exe"]
YY -> dinput8 -> %SystemRoot%\system32\dinput8.exe ["C:\WINDOWS\System32\dinput8.exe"]
YN -> dmserver -> %SystemRoot%\system32\dmserver.exe ["C:\WINDOWS\system32\dmserver.exe"]
YY -> dskquoui -> %SystemRoot%\system32\dskquoui.exe ["C:\WINDOWS\System32\dskquoui.exe"]
YN -> dsprpres -> %SystemRoot%\system32\dsprpres.exe ["C:\WINDOWS\system32\dsprpres.exe"]
YY -> dssenh -> %SystemRoot%\system32\dssenh.exe ["C:\WINDOWS\System32\dssenh.exe"]
YN -> eventcls -> %SystemRoot%\System32\eventcls.exe ["C:\WINDOWS\System32\eventcls.exe"]
YY -> fsusd -> %SystemRoot%\system32\fsusd.exe ["C:\WINDOWS\System32\fsusd.exe"]
YY -> glu32 -> %SystemRoot%\system32\glu32.exe ["C:\WINDOWS\system32\glu32.exe"]
YN -> hpovst08 -> %SystemRoot%\system32\hpovst08.exe ["C:\WINDOWS\system32\hpovst08.exe"]
YY -> iasads -> %SystemRoot%\system32\iasads.exe ["C:\WINDOWS\System32\iasads.exe"]
YY -> icmp -> %SystemRoot%\system32\icmp.exe ["C:\WINDOWS\system32\icmp.exe"]
YY -> imagehlp -> %SystemRoot%\system32\imagehlp.exe ["C:\WINDOWS\System32\imagehlp.exe"]
YY -> imagxpr5 -> %SystemRoot%\system32\imagxpr5.exe ["C:\WINDOWS\System32\imagxpr5.exe"]
YN -> iologmsg -> %SystemRoot%\System32\iologmsg.exe ["C:\WINDOWS\System32\iologmsg.exe"]
YY -> ipv6mon -> %SystemRoot%\system32\ipv6mon.exe ["C:\WINDOWS\System32\ipv6mon.exe"]
YY -> ir41_qc -> %SystemRoot%\system32\ir41_qc.exe ["C:\WINDOWS\System32\ir41_qc.exe"]
YN -> ir50_qcx -> %SystemRoot%\system32\ir50_qcx.exe ["C:\WINDOWS\system32\ir50_qcx.exe"]
YN -> jscript -> %SystemRoot%\system32\jscript.exe ["C:\WINDOWS\system32\jscript.exe"]
YY -> kbdkyr -> %SystemRoot%\system32\kbdkyr.exe ["C:\WINDOWS\system32\kbdkyr.exe"]
YN -> lfpsd11n -> %SystemRoot%\system32\lfpsd11n.exe ["C:\WINDOWS\system32\lfpsd11n.exe"]
YY -> licdll -> %SystemRoot%\system32\licdll.exe ["C:\WINDOWS\System32\licdll.exe"]
YY -> mciseq -> %SystemRoot%\system32\mciseq.exe ["C:\WINDOWS\System32\mciseq.exe"]
YY -> modemui -> %SystemRoot%\system32\modemui.exe ["C:\WINDOWS\System32\modemui.exe"]
YN -> mprddm -> %SystemRoot%\System32\mprddm.exe [C:\WINDOWS\System32\mprddm.exe]
YY -> msexcl40 -> %SystemRoot%\system32\msexcl40.exe ["C:\WINDOWS\System32\msexcl40.exe"]
YY -> msprivs -> %SystemRoot%\system32\msprivs.exe ["C:\WINDOWS\system32\msprivs.exe"]
YY -> msr2cenu -> %SystemRoot%\system32\msr2cenu.exe ["C:\WINDOWS\System32\msr2cenu.exe"]
YY -> msswch -> %SystemRoot%\system32\msswch.exe ["C:\WINDOWS\system32\msswch.exe"]
YY -> msvcrt40 -> %SystemRoot%\system32\msvcrt40.exe ["C:\WINDOWS\System32\msvcrt40.exe"]
YY -> mswsock -> %SystemRoot%\system32\mswsock.exe ["C:\WINDOWS\System32\mswsock.exe"]
YN -> mydocs -> %SystemRoot%\System32\mydocs.exe ["C:\WINDOWS\System32\mydocs.exe"]
YY -> netui2 -> %SystemRoot%\system32\netui2.exe ["C:\WINDOWS\System32\netui2.exe"]
YY -> odbccr32 -> %SystemRoot%\system32\odbccr32.exe ["C:\WINDOWS\System32\odbccr32.exe"]
YY -> oleacc -> %SystemRoot%\system32\oleacc.exe ["C:\WINDOWS\System32\oleacc.exe"]
YY -> psnppagn -> %SystemRoot%\system32\psnppagn.exe ["C:\WINDOWS\System32\psnppagn.exe"]
YN -> pstorec -> %SystemRoot%\system32\pstorec.exe ["C:\WINDOWS\system32\pstorec.exe"]
YN -> qasf -> %SystemRoot%\system32\qasf.exe ["C:\WINDOWS\system32\qasf.exe"]
YN -> rdpcfgex -> %SystemRoot%\system32\rdpcfgex.exe ["C:\WINDOWS\system32\rdpcfgex.exe"]
YY -> rsvpmsg -> %SystemRoot%\system32\rsvpmsg.exe ["C:\WINDOWS\system32\rsvpmsg.exe"]
YY -> rsvpsp -> %SystemRoot%\system32\rsvpsp.exe ["C:\WINDOWS\System32\rsvpsp.exe"]
YY -> rtm -> %SystemRoot%\system32\rtm.exe ["C:\WINDOWS\System32\rtm.exe"]
YN -> SfKg6wIP -> %AppData%\Microsoft\Windows\nkkvvo.exe [C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\nkkvvo.exe]
YN -> shdoclc -> %SystemRoot%\system32\shdoclc.exe ["C:\WINDOWS\system32\shdoclc.exe"]
YY -> shimeng -> %SystemRoot%\system32\shimeng.exe ["C:\WINDOWS\System32\shimeng.exe"]
YN -> SpeedRunner -> %AppData%\SpeedRunner\SpeedRunner.exe [C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe]
YN -> stclient -> %SystemRoot%\system32\stclient.exe ["C:\WINDOWS\system32\stclient.exe"]
YY -> stobject -> %SystemRoot%\system32\stobject.exe ["C:\WINDOWS\System32\stobject.exe"]
YN -> Svconr -> %ProgramFiles%\Svconr\Svconr.exe [C:\Program Files\Svconr\Svconr.exe]
YN -> svcpack -> %SystemRoot%\system32\svcpack.exe ["C:\WINDOWS\system32\svcpack.exe"]
YN -> tapiperf -> %SystemRoot%\system32\tapiperf.exe ["C:\WINDOWS\System32\tapiperf.exe"]
YN -> vjoy -> %SystemRoot%\system32\vjoy.exe ["C:\WINDOWS\system32\vjoy.exe"]
YN -> WebSUpdater -> %ProgramFiles%\winvi\wupda.exe ["C:\Program Files\winvi\wupda.exe" /background]
YY -> winsta -> %SystemRoot%\system32\winsta.exe ["C:\WINDOWS\system32\winsta.exe"]
YN -> WinUpdater -> %ProgramFiles%\winvi\update.exe ["C:\Program Files\winvi\update.exe" /background]
YN -> wldap32 -> %SystemRoot%\system32\wldap32.exe ["C:\WINDOWS\system32\wldap32.exe"]
YY -> wmsdmoe2 -> %SystemRoot%\system32\wmsdmoe2.exe ["C:\WINDOWS\System32\wmsdmoe2.exe"]
YN -> wmvsdecd -> %SystemRoot%\system32\wmvsdecd.exe ["C:\WINDOWS\system32\wmvsdecd.exe"]
YY -> wpdtrace -> %SystemRoot%\system32\wpdtrace.exe ["C:\WINDOWS\System32\wpdtrace.exe"]
YY -> xactsrv -> %SystemRoot%\system32\xactsrv.exe ["C:\WINDOWS\system32\xactsrv.exe"]
YY -> xpsp2res -> %SystemRoot%\system32\xpsp2res.exe ["C:\WINDOWS\System32\xpsp2res.exe"]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> efcDWNfc ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {62C21114-D4A8-499B-A15C-684FDB8B79B5} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\opnlKAro.dll [Reg Error: Value does not exist or could not be read.]
YN -> {70186681-442D-4D62-936D-E2B79089D6EB} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\qoMcyARl.dll [Reg Error: Value does not exist or could not be read.]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YY -> {FABA076A-478A-4c32-A0A5-C774607901C2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mysidesearch_sidebar.dll [ADPanel]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YN -> C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk -> %SystemDrive%\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
[Files/Folders - Created Within 90 days]
NY -> SDFix -> %SystemDrive%\SDFix
NY -> 404Fix.exe -> %SystemRoot%\System32\404Fix.exe
NY -> IEDFix.exe -> %SystemRoot%\System32\IEDFix.exe
NY -> iphone-6y.ico -> %SystemRoot%\System32\iphone-6y.ico
NY -> java.exe -> %SystemRoot%\System32\java.exe
NY -> mysidesearch_sidebar.dll -> %SystemRoot%\System32\mysidesearch_sidebar.dll
NY -> mysidesearch_sidebar_uninstall.exe -> %SystemRoot%\System32\mysidesearch_sidebar_uninstall.exe
NY -> SrchSTS.exe -> %SystemRoot%\System32\SrchSTS.exe
NY -> tmp.reg -> %SystemRoot%\System32\tmp.reg
NY -> VACFix.exe -> %SystemRoot%\System32\VACFix.exe
NY -> VCCLSID.exe -> %SystemRoot%\System32\VCCLSID.exe
NY -> WS2Fix.exe -> %SystemRoot%\System32\WS2Fix.exe
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 90 days]
NY -> gside.exe -> %SystemRoot%\System32\gside.exe
NY -> mysidesearch_sidebar.dll -> %SystemRoot%\System32\mysidesearch_sidebar.dll
NY -> mysidesearch_sidebar_uninstall.exe -> %SystemRoot%\System32\mysidesearch_sidebar_uninstall.exe
NY -> tmp.reg -> %SystemRoot%\System32\tmp.reg
NY -> TmpA3329507 -> %SystemRoot%\System32\TmpA3329507
NY -> VACFix.exe -> %SystemRoot%\System32\VACFix.exe
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Then run ComboFix again and post that log with another HijackThis log.

dolomick
2008-05-07, 22:47
ok...

Explorer killed successfully
[Win32 Services - Non-Microsoft Only]
Service wshtcpip stopped successfully.
Service wshtcpip deleted successfully.
File C:\WINDOWS\System32\wshtcpip.exe not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMef6e074b deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ec5d34d7 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\196_150_ni deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\197_150_ni_4 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\198_150_ni_1 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\avicap32 deleted successfully.
C:\WINDOWS\system32\avicap32.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\browselc deleted successfully.
C:\WINDOWS\system32\browselc.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\cdfview deleted successfully.
C:\WINDOWS\system32\cdfview.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\cdmodem deleted successfully.
C:\WINDOWS\system32\cdmodem.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ciodm deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dbnmpntw deleted successfully.
C:\WINDOWS\system32\dbnmpntw.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\deskadp deleted successfully.
C:\WINDOWS\system32\deskadp.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dgnet deleted successfully.
C:\WINDOWS\system32\dgnet.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dinput8 deleted successfully.
C:\WINDOWS\system32\dinput8.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dmserver deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dskquoui deleted successfully.
C:\WINDOWS\system32\dskquoui.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dsprpres deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\dssenh deleted successfully.
C:\WINDOWS\system32\dssenh.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\eventcls deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\fsusd deleted successfully.
C:\WINDOWS\system32\fsusd.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\glu32 deleted successfully.
C:\WINDOWS\system32\glu32.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hpovst08 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\iasads deleted successfully.
C:\WINDOWS\system32\iasads.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\icmp deleted successfully.
C:\WINDOWS\system32\icmp.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\imagehlp deleted successfully.
C:\WINDOWS\system32\imagehlp.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\imagxpr5 deleted successfully.
C:\WINDOWS\system32\imagxpr5.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\iologmsg deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ipv6mon deleted successfully.
C:\WINDOWS\system32\ipv6mon.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ir41_qc deleted successfully.
C:\WINDOWS\system32\ir41_qc.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ir50_qcx deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\jscript deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kbdkyr deleted successfully.
C:\WINDOWS\system32\kbdkyr.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\lfpsd11n deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\licdll deleted successfully.
C:\WINDOWS\system32\licdll.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\mciseq deleted successfully.
C:\WINDOWS\system32\mciseq.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\modemui deleted successfully.
C:\WINDOWS\system32\modemui.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\mprddm deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msexcl40 deleted successfully.
C:\WINDOWS\system32\msexcl40.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msprivs deleted successfully.
C:\WINDOWS\system32\msprivs.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msr2cenu deleted successfully.
C:\WINDOWS\system32\msr2cenu.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msswch deleted successfully.
C:\WINDOWS\system32\msswch.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\msvcrt40 deleted successfully.
C:\WINDOWS\system32\msvcrt40.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\mswsock deleted successfully.
C:\WINDOWS\system32\mswsock.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\mydocs deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\netui2 deleted successfully.
C:\WINDOWS\system32\netui2.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\odbccr32 deleted successfully.
C:\WINDOWS\system32\odbccr32.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\oleacc deleted successfully.
C:\WINDOWS\system32\oleacc.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\psnppagn deleted successfully.
C:\WINDOWS\system32\psnppagn.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pstorec deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\qasf deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rdpcfgex deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rsvpmsg deleted successfully.
C:\WINDOWS\system32\rsvpmsg.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rsvpsp deleted successfully.
C:\WINDOWS\system32\rsvpsp.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\rtm deleted successfully.
C:\WINDOWS\system32\rtm.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SfKg6wIP deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\shdoclc deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\shimeng deleted successfully.
C:\WINDOWS\system32\shimeng.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpeedRunner deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\stclient deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\stobject deleted successfully.
C:\WINDOWS\system32\stobject.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Svconr deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\svcpack deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tapiperf deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vjoy deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WebSUpdater deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\winsta deleted successfully.
C:\WINDOWS\system32\winsta.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinUpdater deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wldap32 deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wmsdmoe2 deleted successfully.
C:\WINDOWS\system32\wmsdmoe2.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wmvsdecd deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wpdtrace deleted successfully.
C:\WINDOWS\system32\wpdtrace.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xactsrv deleted successfully.
C:\WINDOWS\system32\xactsrv.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xpsp2res deleted successfully.
C:\WINDOWS\system32\xpsp2res.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efcDWNfc\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62C21114-D4A8-499B-A15C-684FDB8B79B5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62C21114-D4A8-499B-A15C-684FDB8B79B5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70186681-442D-4D62-936D-E2B79089D6EB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70186681-442D-4D62-936D-E2B79089D6EB}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FABA076A-478A-4c32-A0A5-C774607901C2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FABA076A-478A-4c32-A0A5-C774607901C2}\ deleted successfully.
C:\WINDOWS\system32\mysidesearch_sidebar.dll NOT unregistered.
C:\WINDOWS\system32\mysidesearch_sidebar.dll moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk\ deleted successfully.
File C:\WINDOWS\pss\HP Digital Imaging Monitor.lnk not found.
[Files/Folders - Created Within 90 days]
C:\SDFix\backups folder moved successfully.
C:\SDFix\apps\Replace\xp folder moved successfully.
C:\SDFix\apps\Replace\w2k folder moved successfully.
C:\SDFix\apps\Replace folder moved successfully.
C:\SDFix\apps folder moved successfully.
C:\SDFix folder moved successfully.
C:\WINDOWS\System32\404Fix.exe moved successfully.
C:\WINDOWS\System32\IEDFix.exe moved successfully.
C:\WINDOWS\System32\iphone-6y.ico moved successfully.
C:\WINDOWS\System32\java.exe moved successfully.
File C:\WINDOWS\System32\mysidesearch_sidebar.dll not found!
C:\WINDOWS\System32\mysidesearch_sidebar_uninstall.exe moved successfully.
C:\WINDOWS\System32\SrchSTS.exe moved successfully.
C:\WINDOWS\System32\tmp.reg moved successfully.
C:\WINDOWS\System32\VACFix.exe moved successfully.
C:\WINDOWS\System32\VCCLSID.exe moved successfully.
C:\WINDOWS\System32\WS2Fix.exe moved successfully.
[Files/Folders - Modified Within 90 days]
C:\WINDOWS\System32\gside.exe moved successfully.
File C:\WINDOWS\System32\mysidesearch_sidebar.dll not found!
File C:\WINDOWS\System32\mysidesearch_sidebar_uninstall.exe not found!
File C:\WINDOWS\System32\tmp.reg not found!
C:\WINDOWS\System32\TmpA3329507 moved successfully.
File C:\WINDOWS\System32\VACFix.exe not found!
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_7d0.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temp\~DF783A.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.12.1 fix logfile created on 05072008_105619

Files moved on Reboot...
File C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_7d0.dat not found!
C:\Documents and Settings\Owner\Local Settings\Temp\~DF783A.tmp moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\uhq8xtir.default\Cache\_CACHE_MAP_ moved successfully.

Malwarebytes' Anti-Malware 1.12
Database version: 729

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 140339
Time elapsed: 1 hour(s), 15 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\mozilla firefox\components\srff.dll (Adware.SurfAccuracy) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9f593aac-ca4c-4a41-a7ff-a00812192d61} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{749ec66f-a838-4b38-b8e5-e65d905fff74} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e404d48-670a-4085-a6a0-d195793ddd33} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarbho.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dbreg.dbarenabler.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{80985322-3f89-4873-9bce-9297d217ccad} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MySidesearchSearchAssistant (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\mozilla firefox\components\srff.dll (Adware.SurfAccuracy) -> Delete on reboot.
C:\Documents and Settings\Owner\Desktop\OTScanIt\MovedFiles\05072008_105619\C_WINDOWS\system32\mysidesearch_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir (Trojan.Insider) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Spcron\Spcron.dll.vir (Adware.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b156.exe_old.vir (Adware.Insider) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b157.exe_old.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b999.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXRKBuu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\efcDWNfc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll-uninst.exe.vir (Adware.Rotator) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\{72709b0a-ee6f-ec75-72b6-de300b8c2a83}.dll.vir (Adware.Rotator) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\12033\cvserchka.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cdTMP\cdrev132.exe.vir (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cNF\srkcont3.exe.vir (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\din3\is-setup03x.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0074994.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0074996.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0074997.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075000.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075004.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075006.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075021.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075032.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075042.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075045.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075046.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075047.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075050.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP490\A0075053.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP491\A0075238.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP491\A0075239.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075259.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075260.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075261.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075262.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075263.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075266.dll (Adware.Rotator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075267.exe (Adware.Rotator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11827C99-88BA-4A82-B691-A920F3B1A44E}\RP492\A0075275.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

ComboFix 08-05-01.3 - Kevin 2008-05-07 12:30:17.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.149 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-07 11:05 . 2008-05-07 11:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-07 11:05 . 2008-05-07 11:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-05-07 11:05 . 2008-05-07 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-07 11:05 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-07 11:05 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-06 15:44 . 2008-05-06 15:44 <DIR> d-------- C:\Program Files\Avira
2008-05-06 15:44 . 2008-05-06 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-06 13:43 . 2008-05-06 13:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-06 13:11 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-06 13:07 . 2008-05-06 13:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 12:39 . 2008-05-06 12:39 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-06 12:36 . 2008-05-06 13:11 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-06 12:32 . 2008-05-06 12:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-06 12:32 . 2008-05-06 14:58 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 11:32 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-06 11:32 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-06 01:03 . 2008-05-06 01:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 00:38 . 2008-05-06 00:48 43,040 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-06 00:38 . 2008-05-06 00:48 1,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-06 00:38 . 2008-05-06 00:48 1,580 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-06 00:38 . 2008-05-06 00:48 1,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-05 23:27 . 2008-05-05 23:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-05 23:27 . 2008-05-06 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-05 16:33 . 2008-05-05 19:12 694 --a------ C:\WINDOWS\wininit.ini
2008-05-05 15:55 . 2008-05-05 15:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-05 15:55 . 2008-05-05 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-05 15:29 . 2008-05-05 15:29 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-05 13:17 . 2008-05-06 14:32 <DIR> d-------- C:\Temp
2008-04-30 12:42 . 2008-05-06 16:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-30 12:42 . 2008-04-30 12:42 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-30 12:06 . 2008-04-30 12:06 <DIR> d-------- C:\Program Files\LaCieTools
2008-04-30 12:06 . 2005-10-19 09:34 15,872 --a------ C:\WINDOWS\system32\drivers\LaCieUSBFilter.sys
2008-04-30 12:06 . 2005-10-18 08:28 14,848 --a------ C:\WINDOWS\system32\drivers\LaCieFWFilter.sys
2008-04-30 12:06 . 2008-04-30 12:06 640 --a------ C:\WINDOWS\UndeviceUpd
2008-04-24 10:51 . 2008-04-24 10:51 <DIR> d-------- C:\Program Files\.Mac Utilities
2008-04-09 11:16 . 2008-04-09 11:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-04-09 11:16 . 2008-04-09 11:16 <DIR> d-------- C:\Program Files\Adobe Media Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 20:11 --------- d-----w C:\Program Files\Java
2008-05-06 19:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 07:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-04-18 18:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-04-08 01:06 --------- d-----w C:\Program Files\FLStudio4
2008-03-21 01:52 --------- d-----w C:\Program Files\Trillian
.

((((((((((((((((((((((((((((( snapshot@2008-05-05_22.45.41.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-06 05:33:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 19:25:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 04:42:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-06 20:43:51 5,873,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-05-06 20:43:52 172,032 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-06 04:42:51 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-06 20:43:41 5,873,664 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-05-06 20:43:41 172,032 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2007-08-09 20:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 21:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-05-06 22:54:33 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 17:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
- 2004-02-23 05:52:44 28,779 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 19:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 22:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 22:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2003-03-31 12:00:00 99,098 ----a-w C:\WINDOWS\system32\kbdfr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"query"="C:\WINDOWS\System32\query.exe" [2003-03-31 05:00 9728]
"blackbox"="C:\WINDOWS\System32\blackbox.exe" [2004-08-11 01:45 99098]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-10 21:36 68856]
"usbmon"="C:\WINDOWS\system32\usbmon.exe" [2004-08-04 00:56 99098]
"pncrt"="C:\WINDOWS\system32\pncrt.exe" [2004-06-07 18:58 99098]
"nddeapi"="C:\WINDOWS\system32\nddeapi.exe" [2004-08-04 00:56 99098]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 00:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-11 12:15 335872]
"AGRSMMSG"="AGRSMMSG.exe" [2003-07-24 19:22 88363 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-16 06:19 159744]
"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2003-08-20 19:33 81920]
"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2003-08-21 09:29 242688]
"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 09:37 61440]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 02:46 200069]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 11:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05 257088]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22 3739648]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-05-06 15:54 262401]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-08 20:52:52 113664]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2004-07-13 17:40:48 98304]
M-Audio MobilePre Control Panel Launcher.lnk - C:\Program Files\M-Audio MobilePre\MPTask.exe [2004-03-04 16:29:11 61440]
MFWAKeys.lnk - C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe [2004-09-02 12:43:36 126976]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= usbmn2x2.dll
"Midi2"= usbkt1x1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2007-10-31 18:33 208941 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-10-31 18:33 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys [2000-01-08 09:22]
R2 MobilePreInstallerService;MobilePre Installer;C:\Program Files\M-Audio MobilePre\Install\MPInst.exe [2006-12-20 13:04]
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys [2001-08-17 06:49]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-10-27 05:17]
R3 LaCieFWFilter;Silver 1394 Filter (1394 BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieFWFilter.sys [2005-10-18 08:28]
R3 LaCieUSBFilter;Silver USB Filter (USB BUS Filter Driver);C:\WINDOWS\system32\DRIVERS\LaCieUSBFilter.sys [2005-10-19 09:34]
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-08-25 17:46]
R3 motubus;MOTU Audio MIDI Extension;C:\WINDOWS\system32\drivers\MotuBus.sys [2003-07-10 11:02]
S3 ma763004;M-Audio MobilePre USB;C:\WINDOWS\system32\drivers\MA763004.sys [2006-12-20 13:04]
S3 mbxfilt;mbxfilt;C:\WINDOWS\system32\drivers\MbxFilt.sys [2002-12-08 23:29]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;C:\WINDOWS\system32\drivers\MFWAMIDI.sys [2004-07-27 13:42]
S3 MFWAWAVE;MOTU FireWire Audio Wave;C:\WINDOWS\system32\drivers\MFWAWAVE.sys [2004-07-27 13:41]
S3 MotuFWA;MotuFWA;C:\WINDOWS\system32\drivers\MotuFWA.sys [2004-08-05 17:28]
S3 SeratoUsb;SeratoUsb driver;C:\WINDOWS\system32\Drivers\SeratoUsb.sys [2004-01-14 12:49]
S3 UKS11LDR;M-Audio USB Keystation Loader;C:\WINDOWS\system32\drivers\uks11ldr.sys [2006-08-08 17:19]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;C:\WINDOWS\system32\drivers\usb22ldr.sys [2006-08-02 23:40]
S3 USBKT1X1;M-Audio USB Keystation;C:\WINDOWS\system32\drivers\usbkt1x1.sys [2006-08-08 17:19]
S3 USBMN2X2;M-Audio USB MidiSport 2x2;C:\WINDOWS\system32\drivers\usbmn2x2.sys [2006-08-02 23:40]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 00:15:56 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe
"2008-05-01 21:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-07 19:28:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-05-30 22:25:29 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 12:35:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 12:41:48
ComboFix-quarantined-files.txt 2008-05-07 19:41:26
ComboFix2.txt 2008-05-07 00:15:16
ComboFix3.txt 2008-05-06 22:25:31
ComboFix4.txt 2008-05-06 05:46:53

Pre-Run: 2,031,042,560 bytes free
Post-Run: 2,019,622,912 bytes free

183

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:43 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [query] "C:\WINDOWS\System32\query.exe"
O4 - HKCU\..\Run: [blackbox] "C:\WINDOWS\System32\blackbox.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [usbmon] "C:\WINDOWS\system32\usbmon.exe"
O4 - HKCU\..\Run: [pncrt] "C:\WINDOWS\system32\pncrt.exe"
O4 - HKCU\..\Run: [nddeapi] "C:\WINDOWS\system32\nddeapi.exe"
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 8831 bytes

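Added example (not part of the thread, and not ComboFix's or HijackThis's code): the triage a helper does by eye on the ComboFix "Reg Loading Points" section above, written out in Python. The HKCU Run key in that log carries five values pointing into C:\WINDOWS\System32, and four of them (blackbox, usbmon, pncrt, nddeapi) are exactly 99098 bytes; the Find3M report also lists a kbdfr.exe of that size. Three checks reproduce that reading: a per-user Run value aimed at a System32 executable, an .exe named after a well-known DLL, and a cluster of autostart files sharing one byte size. The input is the Run-key text copied from the log; the list of DLL stems is an assumption of the example.

```python
"""Triage of ComboFix 'Reg Loading Points' autostart entries.

Added example for this thread; it is not ComboFix's or HijackThis's code.
It encodes three checks a helper makes by eye on the log:
  1. a per-user (HKCU) Run entry whose target lives in System32,
  2. an .exe whose name collides with a well-known DLL,
  3. several autostart files sharing one exact byte size.
"""
import ntpath
import re
from collections import defaultdict

# Constructed input: Run-key lines copied from the ComboFix log in the thread.
REG_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"query"="C:\WINDOWS\System32\query.exe" [2003-03-31 05:00 9728]
"blackbox"="C:\WINDOWS\System32\blackbox.exe" [2004-08-11 01:45 99098]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-10 21:36 68856]
"usbmon"="C:\WINDOWS\system32\usbmon.exe" [2004-08-04 00:56 99098]
"pncrt"="C:\WINDOWS\system32\pncrt.exe" [2004-06-07 18:58 99098]
"nddeapi"="C:\WINDOWS\system32\nddeapi.exe" [2004-08-04 00:56 99098]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 00:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-05-06 15:54 262401]
"""

# Stems of DLLs that ship with Windows (nddeapi, usbmon, kbdfr) or with
# common software (pncrt, RealPlayer). Assumed list for the example.
LOOKALIKE_DLL_STEMS = {"nddeapi", "usbmon", "pncrt", "kbdfr"}

ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"\s*'
    r'\[(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>\d+)(?: (?P<full>[^\]]+))?\]$'
)


def parse(text):
    """Return one dict per Run value: hive, name, path, size, stamp."""
    hive, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[HKEY_"):
            hive = "HKCU" if line.startswith("[HKEY_CURRENT_USER") else "HKLM"
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "hive": hive, "name": m.group("name"),
                # ComboFix prints the resolved path after the size when the
                # value itself holds a bare file name (ATIModeChange above).
                "path": m.group("full") or m.group("target"),
                "size": int(m.group("size")), "stamp": m.group("stamp"),
            })
    return entries


def size_clusters(entries, min_members=2):
    """Map byte size -> names of entries sharing it (clusters only)."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e["name"])
    return {s: n for s, n in by_size.items() if len(n) >= min_members}


def triage(text):
    """Return {value name: [reasons]} for every entry worth submitting for a scan."""
    entries = parse(text)
    clusters = size_clusters(entries)
    findings = {}
    for e in entries:
        reasons = []
        stem, ext = ntpath.splitext(ntpath.basename(e["path"]))
        if e["hive"] == "HKCU" and "\\windows\\system32\\" in e["path"].lower():
            reasons.append("per-user Run entry for a System32 binary")
        if ext.lower() == ".exe" and stem.lower() in LOOKALIKE_DLL_STEMS:
            reasons.append("name collides with %s.dll" % stem.lower())
        if e["size"] in clusters:
            others = [n for n in clusters[e["size"]] if n != e["name"]]
            reasons.append("same size (%d bytes) as %s" % (e["size"], ", ".join(others)))
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(REG_LOADING_POINTS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run as is, it lists the five HKCU values with their reasons. query.exe appears on location alone, the weakest of the three signals, which is exactly the case for scanning a file before deciding anything about it; the HKLM values and the Google notifier are not listed.
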
Rorschach112
2008-05-07, 23:59
Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\nddeapi.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.


Repeat it for these files

C:\WINDOWS\system32\pncrt.exe
C:\WINDOWS\System32\query.exe

dolomick
2008-05-08, 00:48
ok...


File nddeapi.exe received on 05.07.2008 23:35:58 (CET)
Result: 28/31 (90.33%)

File nddeapi.exe received on 05.07.2008 23:35:58 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.07 Win-Trojan/Xema.variant
AntiVir 7.8.0.11 2008.05.07 TR/Dldr.Agent.am.3
Authentium 4.93.8 2008.05.07 W32/Downloader.ABBT
Avast 4.8.1169.0 2008.05.07 Win32:Trojano-2773
AVG 7.5.0.516 2008.05.07 Generic.QYG
BitDefender 7.2 2008.05.07 Trojan.Downloader.Agent.FT
CAT-QuickHeal 9.50 2008.05.07 -
ClamAV 0.92.1 2008.05.07 Trojan.Downloader.Agent-585
DrWeb 4.44.0.09170 2008.05.07 Trojan.DownLoader.8073
eSafe 7.0.15.0 2008.05.07 -
eTrust-Vet 31.4.5768 2008.05.07 Win32/SillyDl.ANI
Ewido 4.0 2008.05.07 Downloader.Small
F-Prot 4.4.2.54 2008.05.07 W32/Downloader.ABBT
F-Secure 6.70.13260.0 2008.05.07 Trojan-Downloader.Win32.Agent.am
Fortinet 3.14.0.0 2008.05.07 W32/Agent.am!tr.dldr
Ikarus T3.1.1.26.0 2008.05.07 Trojan-Downloader.Win32.Agent.AM
Kaspersky 7.0.0.125 2008.05.07 Trojan-Downloader.Win32.Agent.am
McAfee 5290 2008.05.07 Downloader-ARA
Microsoft 1.3408 2008.05.07 TrojanDownloader:Win32/Agent.AJI
NOD32v2 3083 2008.05.07 Win32/TrojanDownloader.Agent.AM
Norman 5.80.02 2008.05.07 W32/Agent.ZZG
Panda 9.0.0.4 2008.05.07 Trj/Downloader.JFP
Prevx1 V2 2008.05.07 Malware Downloader
Rising 20.43.12.00 2008.05.07 Trojan.DL.Agent.iev
Sophos 4.29.0 2008.05.07 Troj/DwnLdr-HBS
Sunbelt 3.0.1097.0 2008.05.07 -
Symantec 10 2008.05.07 Downloader
TheHacker 6.2.92.302 2008.05.07 Trojan/Downloader.Agent.am
VBA32 3.12.6.5 2008.05.07 OScope.Dialer.GMHA
VirusBuster 4.3.26:9 2008.05.07 Trojan.DL.Agent.DDG
Webwasher-Gateway 6.6.2 2008.05.07 Trojan.Dldr.Agent.am.3
Additional information
File size: 99098 bytes
MD5...: 1ff98f74e7de4648a56f3acfb5175d9b
SHA1..: 39d67b908fccd1fe1e05d42336a9bf8047918bf3
SHA256: 36bf1f3c54f4e9b081a9ed861abb838d4ff0417464930426c43a127e199268c1
SHA512: efd594fef98fe10ee1ea417e84652a0304d42f40c34f2eae0434f0456b23ab5a1e5740849cc254b877e7767c059bb3f0a90be53819b9e61a607560a8bf570336
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x43e3fa62 (Sat Feb 04 00:50:42 2006)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xfe12 0x10000 5.96 d92dc28c1b2a41fdd570fe60da097dc8
.data 0x11000 0x8170 0x7c00 6.10 4321f250e676cee0e92fc01689d9b25b
.flat 0x1a000 0x269 0x400 4.06 efc84573a327cfb06b6a8096bfef39bc

( 10 imports )
> CRTDLL.dll: memset, strlen, _strnicmp, strncmp, strncpy, strcpy, strcat, localtime, mktime, gmtime, sprintf
> USER32.dll: wsprintfA, wvsprintfA, MessageBoxA, GetWindowThreadProcessId, IsWindowVisible, IsWindowEnabled, GetForegroundWindow, EnableWindow, EnumWindows
> ADVAPI32.dll: RegOpenKeyExA, RegConnectRegistryA, RegSetValueExA, RegCloseKey, RegQueryValueExA, RegEnumKeyExA, RegDeleteValueA, RegCreateKeyExA, RegDeleteKeyA, RegEnumValueA, RegCreateKeyA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> OLEAUT32.dll: SysAllocStringLen
> ole32.dll: CoInitialize, CoCreateInstance, CoUninitialize
> WININET.dll: InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle
> urlmon.dll: URLDownloadToFileA
> COMCTL32.dll: InitCommonControls
> KERNEL32.DLL: GetModuleHandleA, GetCommandLineA, ExitProcess, HeapCreate, GetModuleFileNameA, GetVersion, GetSystemDirectoryA, CreateFileA, SetFileTime, CloseHandle, GetFileTime, HeapDestroy, HeapReAlloc, FreeLibrary, GetProcAddress, HeapAlloc, LoadLibraryA, IsBadReadPtr, HeapFree, MultiByteToWideChar, WideCharToMultiByte, SetUnhandledExceptionFilter, GetVersionExA, GetCurrentDirectoryA, GlobalAlloc, OpenProcess, GetLastError, FormatMessageA, TerminateProcess, GlobalFree, GetCurrentProcess, GetCurrentThreadId, GetCurrentProcessId, WaitForSingleObject, Sleep, GetTickCount, GetDriveTypeA, FindFirstFileA, FindClose, FindNextFileA, DeleteFileA, CopyFileA, MoveFileA, ReadFile, SetFilePointer, GetFileSize, WriteFile, GetLocalTime
> SHELL32.DLL: ShellExecuteExA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B4B722EA1AB6FD9C838301A2BED28D00C1B22D5F

File pncrt.exe received on 05.07.2008 23:40:07 (CET)
Result: 28/31 (90.33%)

File pncrt.exe received on 05.07.2008 23:40:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.07 Win-Trojan/Xema.variant
AntiVir 7.8.0.11 2008.05.07 TR/Dldr.Agent.am.3
Authentium 4.93.8 2008.05.07 W32/Downloader.ABBT
Avast 4.8.1169.0 2008.05.06 Win32:Trojano-2773
AVG 7.5.0.516 2008.05.07 Generic.QYG
BitDefender 7.2 2008.05.07 Trojan.Downloader.Agent.FT
CAT-QuickHeal 9.50 2008.05.06 -
ClamAV 0.92.1 2008.05.07 Trojan.Downloader.Agent-585
DrWeb 4.44.0.09170 2008.05.07 Trojan.DownLoader.8073
eSafe 7.0.15.0 2008.05.06 -
eTrust-Vet 31.4.5766 2008.05.07 Win32/SillyDl.ANI
Ewido 4.0 2008.05.06 Downloader.Small
F-Prot 4.4.2.54 2008.05.06 W32/Downloader.ABBT
F-Secure 6.70.13260.0 2008.05.07 Trojan-Downloader.Win32.Agent.am
Fortinet 3.14.0.0 2008.05.07 W32/Agent.am!tr.dldr
Ikarus T3.1.1.26.0 2008.05.07 Trojan-Downloader.Win32.Agent.AM
Kaspersky 7.0.0.125 2008.05.07 Trojan-Downloader.Win32.Agent.am
McAfee 5289 2008.05.06 Downloader-ARA
Microsoft 1.3408 2008.05.07 TrojanDownloader:Win32/Agent.AJI
NOD32v2 3082 2008.05.07 Win32/TrojanDownloader.Agent.AM
Norman 5.80.02 2008.05.06 W32/Agent.ZZG
Panda 9.0.0.4 2008.05.06 Trj/Downloader.JFP
Prevx1 V2 2008.05.08 Malware Downloader
Rising 20.43.12.00 2008.05.07 Trojan.DL.Agent.iev
Sophos 4.29.0 2008.05.07 Troj/DwnLdr-HBS
Sunbelt 3.0.1097.0 2008.05.07 -
Symantec 10 2008.05.07 Downloader
TheHacker 6.2.92.302 2008.05.07 Trojan/Downloader.Agent.am
VBA32 3.12.6.5 2008.05.06 OScope.Dialer.GMHA
VirusBuster 4.3.26:9 2008.05.06 Trojan.DL.Agent.DDG
Webwasher-Gateway 6.6.2 2008.05.07 Trojan.Dldr.Agent.am.3
Additional information
File size: 99098 bytes
MD5...: a2b141170b8108756dda520e6f9d957a
SHA1..: a6585f19dbf4a3e5c0f346a89d39e227394cc985
SHA256: bbdf0d5cf1f7a79455497ccc5a9e3ae51b76a5218db64b8162ee802a35606512
SHA512: c6ef5e9dfec3dc0b0e3733252661735fa48460cf2434710c3963ee83a372bc5f249b3ea393d8efa579d7e3c5ba367f4ca11a6dced6a61d54493c5288a511b0ff
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x43e3fa62 (Sat Feb 04 00:50:42 2006)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xfe12 0x10000 5.96 d92dc28c1b2a41fdd570fe60da097dc8
.data 0x11000 0x8170 0x7c00 6.10 4321f250e676cee0e92fc01689d9b25b
.flat 0x1a000 0x269 0x400 4.06 efc84573a327cfb06b6a8096bfef39bc

( 10 imports )
> CRTDLL.dll: memset, strlen, _strnicmp, strncmp, strncpy, strcpy, strcat, localtime, mktime, gmtime, sprintf
> USER32.dll: wsprintfA, wvsprintfA, MessageBoxA, GetWindowThreadProcessId, IsWindowVisible, IsWindowEnabled, GetForegroundWindow, EnableWindow, EnumWindows
> ADVAPI32.dll: RegOpenKeyExA, RegConnectRegistryA, RegSetValueExA, RegCloseKey, RegQueryValueExA, RegEnumKeyExA, RegDeleteValueA, RegCreateKeyExA, RegDeleteKeyA, RegEnumValueA, RegCreateKeyA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
> OLEAUT32.dll: SysAllocStringLen
> ole32.dll: CoInitialize, CoCreateInstance, CoUninitialize
> WININET.dll: InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle
> urlmon.dll: URLDownloadToFileA
> COMCTL32.dll: InitCommonControls
> KERNEL32.DLL: GetModuleHandleA, GetCommandLineA, ExitProcess, HeapCreate, GetModuleFileNameA, GetVersion, GetSystemDirectoryA, CreateFileA, SetFileTime, CloseHandle, GetFileTime, HeapDestroy, HeapReAlloc, FreeLibrary, GetProcAddress, HeapAlloc, LoadLibraryA, IsBadReadPtr, HeapFree, MultiByteToWideChar, WideCharToMultiByte, SetUnhandledExceptionFilter, GetVersionExA, GetCurrentDirectoryA, GlobalAlloc, OpenProcess, GetLastError, FormatMessageA, TerminateProcess, GlobalFree, GetCurrentProcess, GetCurrentThreadId, GetCurrentProcessId, WaitForSingleObject, Sleep, GetTickCount, GetDriveTypeA, FindFirstFileA, FindClose, FindNextFileA, DeleteFileA, CopyFileA, MoveFileA, ReadFile, SetFilePointer, GetFileSize, WriteFile, GetLocalTime
> SHELL32.DLL: ShellExecuteExA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B4B722EA1AB6FD9C838301A2BED28D00DF884106

File query.exe received on 05.07.2008 23:43:08 (CET)
Result: 0/31 (0%)

File query.exe received on 05.07.2008 23:43:08 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.07 -
AntiVir 7.8.0.11 2008.05.07 -
Authentium 4.93.8 2008.05.07 -
Avast 4.8.1169.0 2008.05.06 -
AVG 7.5.0.516 2008.05.07 -
BitDefender 7.2 2008.05.07 -
CAT-QuickHeal 9.50 2008.05.06 -
ClamAV 0.92.1 2008.05.07 -
DrWeb 4.44.0.09170 2008.05.07 -
eSafe 7.0.15.0 2008.05.06 -
eTrust-Vet 31.4.5766 2008.05.07 -
Ewido 4.0 2008.05.06 -
F-Prot 4.4.2.54 2008.05.06 -
F-Secure 6.70.13260.0 2008.05.07 -
Fortinet 3.14.0.0 2008.05.07 -
Ikarus T3.1.1.26.0 2008.05.07 -
Kaspersky 7.0.0.125 2008.05.07 -
McAfee 5289 2008.05.06 -
Microsoft 1.3408 2008.05.07 -
NOD32v2 3082 2008.05.07 -
Norman 5.80.02 2008.05.06 -
Panda 9.0.0.4 2008.05.06 -
Prevx1 V2 2008.05.08 -
Rising 20.43.12.00 2008.05.07 -
Sophos 4.29.0 2008.05.07 -
Sunbelt 3.0.1097.0 2008.05.07 -
Symantec 10 2008.05.07 -
TheHacker 6.2.92.302 2008.05.07 -
VBA32 3.12.6.5 2008.05.06 -
VirusBuster 4.3.26:9 2008.05.06 -
Webwasher-Gateway 6.6.2 2008.05.07 -
Additional information
File size: 9728 bytes
MD5...: 4663dc45bb2b2a58ba4833212bdbf49d
SHA1..: 43157044b9936443afb3c3a3df97e832a4f06555
SHA256: 7b7848360432329df19a52f7a05dc6963d35d0dae3be523b8f1cd3dfac67e047
SHA512: db5e53c45f9a61fe68d4464706f0eb9c4de5e76554e57d62aa24ed8c381f3bde8c1b51bec7d926b848779a73de8aae10af65627d8386fb9e40f47b79ae9735fc
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1001ff6
timedatestamp.....: 0x3b7d8336 (Fri Aug 17 20:48:54 2001)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1670 0x1800 5.96 7d2fe22795c8e27be397b9def935b0ed
.data 0x3000 0x124c 0x400 4.89 8987fc5bfec506a55333efb8a5b96a57
.rsrc 0x5000 0x568 0x600 3.08 2be6ca4b63c01d49e89012a7c3694366

( 5 imports )
> REGAPI.dll: RegQueryUtilityCommandList, RegFreeUtilityCommandList
> USER32.dll: LoadStringW, wsprintfW
> ntdll.dll: wcschr, wcscpy, wcslen, _wcsnicmp, wcscat, memmove, _ultoa
> msvcrt.dll: _c_exit, _exit, _XcptFilter, _cexit, exit, __initenv, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, fwprintf, __set_app_type, _controlfp, _except_handler3, free, malloc, _iob, fprintf, setlocale, vswprintf, __p__fmode, vfwprintf, __getmainargs
> KERNEL32.dll: GetLastError, LoadLibraryW, GetModuleHandleA, GetCommandLineW, LocalAlloc, LocalFree, SearchPathW, CreateProcessW, WaitForSingleObject, CloseHandle, FormatMessageW, GetModuleHandleW, MultiByteToWideChar, GetStdHandle, GetFileType, WriteConsoleW, SetLastError, FreeLibrary

( 0 exports )

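Added example (not from the thread and not VirusTotal's code): a small parser for the plain-text report format pasted above, with the three checks a reader makes on such a report. First, the detection ratio. Second, whether two submissions contain the same code: nddeapi.exe and pncrt.exe have different MD5s, but identical section names, sizes, entropies and section MD5s and the same link timestamp, so the file hash differs while the code does not. Third, what the import table says on its own: URLDownloadToFileA and InternetOpenUrlA next to ShellExecuteExA, RegSetValueExA and AdjustTokenPrivileges is the shape of a download-and-run trojan, which agrees with the engine names; query.exe imports REGAPI and console calls plus CreateProcessW, and a single "execute" indicator must not trip the rule. The nddeapi sample also imports GetFileTime and SetFileTime while ComboFix lists the file with a 2004 timestamp and the PE header says February 2006; the log alone does not prove the file time was altered, but it is the kind of mismatch worth noting. The report excerpts below are constructed from the thread: engine tables cut to a few rows, import lists cut to the APIs the heuristic checks, hashes and section rows as posted.

```python
"""Reading a VirusTotal report: ratio, shared code, import heuristics.

Added example for this thread, not VirusTotal's own code. Parses the
plain-text report layout posted in the thread (engine rows, PE section
rows, import rows). Excerpts are constructed from the thread: engine
tables cut to a few rows, import lists cut to the APIs checked here.
"""
import re

NDDEAPI = """\
File nddeapi.exe received on 05.07.2008 23:35:58 (CET)
AhnLab-V3 2008.5.3.0 2008.05.07 Win-Trojan/Xema.variant
AntiVir 7.8.0.11 2008.05.07 TR/Dldr.Agent.am.3
CAT-QuickHeal 9.50 2008.05.07 -
Kaspersky 7.0.0.125 2008.05.07 Trojan-Downloader.Win32.Agent.am
Prevx1 V2 2008.05.07 Malware Downloader
File size: 99098 bytes
MD5...: 1ff98f74e7de4648a56f3acfb5175d9b
.text 0x1000 0xfe12 0x10000 5.96 d92dc28c1b2a41fdd570fe60da097dc8
.data 0x11000 0x8170 0x7c00 6.10 4321f250e676cee0e92fc01689d9b25b
.flat 0x1a000 0x269 0x400 4.06 efc84573a327cfb06b6a8096bfef39bc
> ADVAPI32.dll: RegSetValueExA, RegCreateKeyExA, AdjustTokenPrivileges
> WININET.dll: InternetOpenA, InternetOpenUrlA, InternetReadFile
> urlmon.dll: URLDownloadToFileA
> KERNEL32.DLL: GetFileTime, SetFileTime, CopyFileA, DeleteFileA
> SHELL32.DLL: ShellExecuteExA
"""

PNCRT = """\
File size: 99098 bytes
MD5...: a2b141170b8108756dda520e6f9d957a
.text 0x1000 0xfe12 0x10000 5.96 d92dc28c1b2a41fdd570fe60da097dc8
.data 0x11000 0x8170 0x7c00 6.10 4321f250e676cee0e92fc01689d9b25b
.flat 0x1a000 0x269 0x400 4.06 efc84573a327cfb06b6a8096bfef39bc
"""

QUERY = """\
AntiVir 7.8.0.11 2008.05.07 -
Kaspersky 7.0.0.125 2008.05.07 -
File size: 9728 bytes
MD5...: 4663dc45bb2b2a58ba4833212bdbf49d
.text 0x1000 0x1670 0x1800 5.96 7d2fe22795c8e27be397b9def935b0ed
.data 0x3000 0x124c 0x400 4.89 8987fc5bfec506a55333efb8a5b96a57
.rsrc 0x5000 0x568 0x600 3.08 2be6ca4b63c01d49e89012a7c3694366
> REGAPI.dll: RegQueryUtilityCommandList, RegFreeUtilityCommandList
> KERNEL32.dll: LoadLibraryW, SearchPathW, CreateProcessW, WriteConsoleW
"""

ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d\d\.\d\d) (.+)$")
SECTION_RE = re.compile(r"^(\.\w+)(?: 0x[0-9a-f]+){3} [\d.]+ ([0-9a-f]{32})$")
IMPORT_RE = re.compile(r"^> [^:]+: (.+)$")
MD5_RE = re.compile(r"^MD5\.*: ([0-9a-f]{32})$")
SIZE_RE = re.compile(r"^File size: (\d+) bytes$")

# API groups whose co-occurrence is the shape of a download-and-run trojan.
INDICATORS = {
    "download": {"URLDownloadToFileA", "InternetOpenUrlA", "InternetReadFile"},
    "execute": {"ShellExecuteExA", "ShellExecuteA", "CreateProcessA", "CreateProcessW", "WinExec"},
    "persist": {"RegSetValueExA", "RegCreateKeyExA", "RegCreateKeyA"},
    "privilege": {"AdjustTokenPrivileges"},
    "timestomp": {"SetFileTime"},
}

def parse_report(text):
    rep = {"engines": [], "sections": {}, "imports": set(), "md5": None, "size": None}
    for line in text.splitlines():
        if m := ENGINE_RE.match(line):
            rep["engines"].append((m.group(1), m.group(4)))  # (engine, verdict or "-")
        elif m := SECTION_RE.match(line):
            rep["sections"][m.group(1)] = m.group(2)         # section name -> MD5
        elif m := IMPORT_RE.match(line):
            rep["imports"].update(f.strip() for f in m.group(1).split(","))
        elif m := MD5_RE.match(line):
            rep["md5"] = m.group(1)
        elif m := SIZE_RE.match(line):
            rep["size"] = int(m.group(1))
    return rep

def detection_ratio(rep):
    hits = sum(1 for _, verdict in rep["engines"] if verdict != "-")
    return hits, len(rep["engines"])

def matched_indicators(rep):
    return {name for name, apis in INDICATORS.items() if rep["imports"] & apis}

def looks_like_downloader(rep):
    """Fetch capability plus a way to run or persist what was fetched."""
    found = matched_indicators(rep)
    return "download" in found and bool(found & {"execute", "persist"})

def identical_sections(a, b):
    """Same section names and MD5s: same code, whatever the file hash says."""
    return bool(a["sections"]) and a["sections"] == b["sections"]

if __name__ == "__main__":
    for label, text in (("nddeapi.exe", NDDEAPI), ("query.exe", QUERY)):
        rep = parse_report(text)
        print(label, "%d/%d" % detection_ratio(rep), sorted(matched_indicators(rep)),
              "downloader" if looks_like_downloader(rep) else "no downloader pattern")
    n, p = parse_report(NDDEAPI), parse_report(PNCRT)
    print("nddeapi/pncrt: same code", identical_sections(n, p), "| MD5 differs", n["md5"] != p["md5"])
```

The section comparison is the part worth keeping in mind: a hash-based blocklist would treat nddeapi.exe and pncrt.exe as two unrelated files, while the section table shows they are one binary with some bytes outside the sections varied per copy. The import heuristic is deliberately a combination rule; many legitimate programs import one of those groups, few legitimate 99 KB executables in System32 import all five.
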
Rorschach112
2008-05-08, 03:52
Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKCU\..\Run: [usbmon] "C:\WINDOWS\system32\usbmon.exe"
O4 - HKCU\..\Run: [pncrt] "C:\WINDOWS\system32\pncrt.exe"
O4 - HKCU\..\Run: [nddeapi] "C:\WINDOWS\system32\nddeapi.exe"


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\WINDOWS\system32\nddeapi.exe
C:\WINDOWS\system32\pncrt.exe
C:\WINDOWS\system32\usbmon.exe
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Reboot and post a new HijackThis log

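Added example (not part of the thread, and not HijackThis's or OTMoveIt2's code): once the new log is posted, the helper compares it against the previous one. This script diffs the R0/R1/O4 lines of two HijackThis logs and lists what disappeared, what is new, and what is still open. BEFORE is taken from the 5/7 log above, cut to those lines; AFTER is constructed to show the expected result of this step, with the usbmon/pncrt/nddeapi values gone and one made-up value named "example" added so that the "new since last log" branch is exercised. The open-item rule flags Run values still on the suspect list, here blackbox.exe, the fourth 99098-byte file that this step does not touch, and the whynotsearchhere.com start page, which the fix above does not address either.

```python
"""Before/after comparison of two HijackThis logs.

Added example for this thread, not HijackThis's own code. BEFORE is cut
from the 5/7 log in the thread; AFTER is constructed: the three fixed
values removed, one made-up value "[example]" added so the "new" branch
has something to report, everything else unchanged.
"""
import re

BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [query] "C:\WINDOWS\System32\query.exe"
O4 - HKCU\..\Run: [blackbox] "C:\WINDOWS\System32\blackbox.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [usbmon] "C:\WINDOWS\system32\usbmon.exe"
O4 - HKCU\..\Run: [pncrt] "C:\WINDOWS\system32\pncrt.exe"
O4 - HKCU\..\Run: [nddeapi] "C:\WINDOWS\system32\nddeapi.exe"
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [query] "C:\WINDOWS\System32\query.exe"
O4 - HKCU\..\Run: [blackbox] "C:\WINDOWS\System32\blackbox.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [example] "C:\WINDOWS\system32\example.exe"
"""

LINE_RE = re.compile(r"^[RO]\d+ - .+$")
# Run values still on the list after this step: the three fixed ones (so a
# reappearance is reported) and blackbox, the fourth same-size file.
SUSPECT_RUN_VALUES = {"blackbox", "usbmon", "pncrt", "nddeapi"}
HIJACKED_START_PAGE = "whynotsearchhere.com"


def entries(log):
    """Set of R/O lines in a HijackThis log, whitespace-trimmed."""
    return {line.strip() for line in log.splitlines() if LINE_RE.match(line.strip())}


def run_value_name(line):
    """Name inside [...] of an O4 Run line, or None for other line types."""
    m = re.search(r"\\Run: \[([^\]]+)\]", line)
    return m.group(1) if m else None


def diff_logs(before, after):
    b, a = entries(before), entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b), "kept": sorted(a & b)}


def still_open(after):
    """Lines in the new log a helper still has to deal with."""
    out = []
    for line in sorted(entries(after)):
        name = run_value_name(line)
        if name in SUSPECT_RUN_VALUES:
            out.append(line)
        elif line.startswith("R0") and HIJACKED_START_PAGE in line:
            out.append(line)
    return out


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for key in ("removed", "added"):
        print(key.upper())
        for line in result[key]:
            print("  ", line)
    print("STILL OPEN")
    for line in still_open(AFTER):
        print("  ", line)
```

The point of the "still open" list is that a successful file move is not the end of the job: the log that started this thread had a hijacked start page and a fourth 99098-byte autostart that the OTMoveIt2 step did not include, and a plain before/after diff would show them as unchanged rather than as outstanding.
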
dolomick
2008-05-08, 21:23
Explorer killed successfully
C:\WINDOWS\system32\nddeapi.exe moved successfully.
C:\WINDOWS\system32\pncrt.exe moved successfully.
C:\WINDOWS\system32\usbmon.exe moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05082008_111608

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:16 AM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [query] "C:\WINDOWS\System32\query.exe"
O4 - HKCU\..\Run: [blackbox] "C:\WINDOWS\System32\blackbox.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: MFWAKeys.lnk = C:\Program Files\MOTU\FireWire Audio\MFWAKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsupc.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 8516 bytes
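The log above is read line by line by the helper; the entry types that usually deserve a second look are the R1 proxy lines, O4 per-user autoruns that point somewhere unusual, and O23 services with no publisher string. The following is an added example, not part of this thread and not HijackThis code: a small triage script that parses the HijackThis v2 line format and applies four review heuristics of my own. The sample log embedded in it is constructed (invented hostnames and file names, not the log posted above), the `.exe` path extraction is a heuristic, and a hit is a prompt to verify the entry, not a verdict that it is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format (NOT the log from this thread);
# the hostnames and file names below are invented for illustration.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/start.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.net:8000
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [helper] "C:\WINDOWS\System32\helper.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\abcdef.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "R1 - <body>" / "O4 - <body>" etc.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
# Body of an O4 registry Run entry: HKCU\..\Run: [name] command line
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Heuristic: the executable is everything up to the first ".exe", leading quote dropped.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str   # short rule id, e.g. "proxy"
    line: str   # the HijackThis line that triggered it
    note: str   # what to check


def parse_entries(text):
    """Yield (kind, body, raw_line) for every HijackThis entry line in the log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body"), raw.strip()


def extract_exe(cmd):
    """Return the executable path from a Run command line (heuristic, see EXE_RE)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(text):
    """Apply four review heuristics to a HijackThis log and return the hits."""
    findings = []
    for kind, body, raw in parse_entries(text):
        if kind == "R1" and ",ProxyServer = " in body:
            # A proxy in HKCU routes every IE request through that host; adware sets
            # these, but so do some ISPs and corporate networks: confirm it is yours.
            findings.append(Finding("proxy", raw,
                "IE proxy configured per-user; confirm it is one you set up"))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Startup-folder O4 lines are not handled by this example
            path = extract_exe(m.group("cmd")).lower()
            if m.group("hive") == "HKCU" and path.startswith("c:\\windows\\system32\\"):
                # Per-user autoruns that point into System32 are unusual; legitimate
                # system components are normally registered machine-wide under HKLM.
                findings.append(Finding("hkcu-system32", raw,
                    "per-user autorun into System32; check publisher and file date"))
            elif "\\application data\\" in path or "\\local settings\\" in path:
                findings.append(Finding("profile-dir", raw,
                    "autorun executing from a user profile data folder"))
        elif kind == "O23" and " - Unknown owner - " in body:
            findings.append(Finding("unknown-owner", raw,
                "service binary carries no publisher string; verify signature or vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}\n    -> {f.note}")
```

Run against the constructed sample it reports four entries: the proxy line, the HKCU autorun into System32, the autorun in Application Data, and the "Unknown owner" service; the HKLM Avira entry and the Google Toolbar notifier in Program Files pass through untouched. The rules are deliberately conservative triage prompts, and a file such as Ati2evxx.exe showing "Unknown owner" simply means HijackThis found no publisher string, which is common for OEM driver utilities.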

Rorschach112
2008-05-08, 21:28
Your logs are clean! We need to do a few things.

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce the risk of re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
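The MVPS hosts file recommendation above works because the resolver consults the hosts file before DNS, so a name pinned to 127.0.0.1 (or 0.0.0.0) never reaches the real server. As an added example, not part of this thread and not the MVPS project's code, here is a parser for the hosts-file format with a lookup that mimics that behaviour, including the one limit worth knowing: entries match whole hostnames only, so a subdomain that is not listed is not blocked. The sample file inside it is constructed with invented hostnames, not an excerpt of the real MVPS list.

```python
import ipaddress

# Constructed sample in hosts-file syntax (NOT a copy of the MVPS file);
# the hostnames are invented for illustration.
HOSTS_SAMPLE = """
# comment lines and blank lines are ignored
127.0.0.1 localhost
0.0.0.0   ads.example.com
0.0.0.0\ttracker.example.net   # trailing comments are allowed
127.0.0.1 badsite.example www.badsite.example
10.0.0.5  intranet.example
"""

# Addresses that the MVPS-style lists use to blackhole a name.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to its address.

    Handles comments, blank lines, tabs and several names per line.
    The first entry for a name wins; later duplicates are ignored.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no names
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # malformed address, skip the line
        for name in parts[1:]:
            table.setdefault(name.lower(), addr)
    return table


def resolve(table, hostname):
    """Address the hosts file supplies for hostname, or None to fall through to DNS."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True if the hosts file pins hostname to a loopback or blackhole address.

    Matching is on the exact hostname: "cdn.ads.example.com" is NOT blocked by an
    entry for "ads.example.com", which is why block lists enumerate every name.
    """
    return resolve(table, hostname) in BLACKHOLE


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_SAMPLE)
    for name in ("ads.example.com", "Tracker.Example.NET", "cdn.ads.example.com",
                 "intranet.example", "example.org"):
        print(f"{name:24} blocked={is_blocked(hosts, name)} addr={resolve(hosts, name)}")
```

Two caveats follow from the code. First, the match is case-insensitive but exact, so a hosts file gives no wildcard protection; that is the reason the MVPS list is long and needs periodic updates. Second, this only covers connections where the local machine resolves the name: when Internet Explorer is configured to use an HTTP proxy (the R1 ProxyServer line in a HijackThis log), the browser hands the hostname to the proxy and the local hosts file is not consulted for that request.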

dolomick
2008-05-08, 22:40
THANK YOU!!!

Do you know what it means when Avira AntiVir is still popping up a warning saying that a virus or unwanted program was found?

"C:\windows\system32\198_150_ni_1.exe
is the Trojan horse TR/Dldr.agent.am.3"


Is this something to worry about or is this a false positive?

Thanks!

Rorschach112
2008-05-08, 23:07
I wouldn't worry about that, we deleted that file a while ago. You can fix it with Avira if you want

Any other questions ?

dolomick
2008-05-08, 23:09
Great.... THANKS AGAIN!

I will be making a donation now!

Kevin

Rorschach112
2008-05-08, 23:11
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.