PDA

View Full Version : Every virus known to man



supplyer
2008-05-09, 18:12
Please help! My computer has HIV. I did something silly and have a ton of viruses, including Smitfraud. Before using Spybot I took measures to try to remove Smitfraud with various virus removal tools and fixes (including SmitFraudFix), and I have gotten rid of the visible side effects of the virus (no more desktop changing to a "You have spyware" message, no more exclamation popups on the taskbar), but apparently there is more than just SmitFraud, and I still get IE popup advertisements randomly while using the computer. Every time I run Spybot, it finds lots of spyware, including SmitFraud, and seems to clean successfully but they are all there on the next restart (even after fixing in safe mode). I appreciate any help, thanks.

Kaspersky log (Note: I was unable to complete the Kaspersky scan, it went to 8% and just stopped... the timer continued, but it spent about 10-15 minutes scanning the same file. However, it managed to find plenty of infections from scanning that 8%, so here is what I have):

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 08, 2008 6:03:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/05/2008
Kaspersky Anti-Virus database records: 747889
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Z:\

Scan Statistics:
Total number of scanned objects: 62219
Number of viruses found: 10
Number of infected objects: 34
Number of suspicious objects: 2
Duration of the scan process: 00:38:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\136D0846.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14EC6472.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CEF5F84.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CF85D79.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D092F67.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D0C5964.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D596B47.exe Infected: not-a-virus:AdTool.Win32.WhenU.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D824D5B.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D857757.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DA94530.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24816231.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28822977.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F1E4C24.tmp Infected: Virus.Win9x.CIH.dam skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FC372A1.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4CD02ABB.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D451239.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4DA52A47.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52E35C3D.tmp Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B0F5710.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E38458B.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66982F58.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A6237FE.tmp Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6C2613B0.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D306A69.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E446551.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\76E352A4.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\76E67CA0.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/Counter.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/web.exe Infected: not-virus:Hoax.Win32.Renos.bb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip CryptFF: infected - 5 skipped

Scan was interrupted by user!




HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:58 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {2B1913B7-B4FA-4E11-B13E-A01B89CB5E5C} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5553F1BD-533B-4A9C-9B05-CA3EE8ABB02C} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA8387] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4872] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "c:\backreg\rstore.ini"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with XmlPad - res://C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll/101
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Yan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: SnoopFree Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

--
End of file - 10777 bytes

Rorschach112
2008-05-09, 18:46
Can you run Kaspersky again as you stopped the scan

And do this

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

supplyer
2008-05-11, 19:50
Thanks for the help. I installed the recovery console, but I am having a problem getting the ComboFix log - according to the instructions it should just appear at the end of the scan. However, at the end of the ComboFix scan, it reboots my computer, then nothing else comes up once it has rebooted. I tried running the scan again with the same result. No log is created at any point, and there does not seem to be one in C:\combofix directory which was apparently generated by combofix.exe.

However, here is the full Kaspersky scan result:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 11, 2008 11:25:12 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 755758
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 239799
Number of viruses found: 23
Number of infected objects: 73
Number of suspicious objects: 2
Duration of the scan process: 03:24:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\136D0846.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14EC6472.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CEF5F84.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CF85D79.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D092F67.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D0C5964.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D596B47.exe Infected: not-a-virus:AdTool.Win32.WhenU.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D824D5B.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D857757.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1DA94530.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24816231.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\28822977.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F1E4C24.tmp Infected: Virus.Win9x.CIH.dam skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2FC372A1.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4CD02ABB.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D451239.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4DA52A47.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52E35C3D.tmp Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B0F5710.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5E38458B.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66982F58.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A6237FE.tmp Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6C2613B0.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D306A69.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E446551.cla Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\76E352A4.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\76E67CA0.cla Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/Counter.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/web.exe Infected: not-virus:Hoax.Win32.Renos.bb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79E653B8.zip CryptFF: infected - 5 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Yan\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4d7b9a46/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Yan\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-4d7b9a46 ZIP: infected - 1 skipped
C:\Documents and Settings\Yan\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-76144f0c/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Yan\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-76144f0c ZIP: infected - 1 skipped
C:\Documents and Settings\Yan\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-712f2e26/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Yan\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-712f2e26 ZIP: infected - 1 skipped
C:\Documents and Settings\Yan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Yan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Yan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Yan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Yan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Yan\Local Settings\Temporary Internet Files\Content.IE5\TZXTRRPR\aggg[1].htm Object is locked skipped
C:\Documents and Settings\Yan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Yan\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2\logs\access.log Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2\logs\access_log Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2\logs\error.log Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2\logs\error_log Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2\logs\ssl_request_log Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\NinjaVideo\NinjaVideo Helper\output.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP100\A0020842.exe Infected: Trojan.Win32.DNSChanger.cjd skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP100\A0020844.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP100\A0020846.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP100\A0020847.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP100\A0020849.exe Infected: not-virus:Hoax.Win32.Renos.ccc skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP100\A0020850.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP100\A0020851.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP102\A0020909.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP102\A0020911.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP102\A0020912.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP102\A0020913.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0021162.exe/SmitfraudFix/IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0021162.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0021162.exe RAR: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0021169.exe Infected: Constructor.Win32.Binder.bn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP103\A0021171.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP104\A0021205.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP113\A0022489.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP121\change.log Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98\A0018763.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98\A0018857.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98\A0018859.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98\A0018860.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98\A0019832.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98\A0019868.exe/file098 Infected: Backdoor.Win32.Rbot.kmk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP98\A0019868.exe Inno: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\lfn.exe Infected: not-virus:Hoax.Win32.Renos.ccc skipped
C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E4B9C75F-4CA7-4DB9-BFD6-ADA9FCD57FC0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\404Fix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\WindowsPowerShell.evt Object is locked skipped
C:\WINDOWS\system32\drivers\ASPI322.sys Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\SnopFree.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\WINDOWS\system32\kn3\comsdirp3.exe Infected: Trojan.Win32.Agent.lke skipped
C:\WINDOWS\system32\nnnkHbAP.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\pnVes06\pnVes061083.exe Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\WMSDKNS.EXE.del Infected: not-virus:Hoax.Win32.Renos.ccc skipped
C:\WINDOWS\system32\YAYXRROE.DLL.del Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1220 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

=======================================================
And here is the full HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49, on 2008-05-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {2B1913B7-B4FA-4E11-B13E-A01B89CB5E5C} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5553F1BD-533B-4A9C-9B05-CA3EE8ABB02C} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with XmlPad - res://C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll/101
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Yan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

--
End of file - 10082 bytes


Please let me know if I should do anything differently to get a ComboFix log or if this is sufficient to proceed with troubleshooting. Thank you.

Rorschach112
2008-05-11, 21:15
Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\WINDOWS\lfn.exe
C:\WINDOWS\system32\kn3
C:\WINDOWS\system32\nnnkHbAP.dll
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\WMSDKNS.EXE.del
C:\WINDOWS\system32\YAYXRROE.DLL.del
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Then run ComboFix.exe once more and post the log

supplyer
2008-05-12, 02:26
It worked, here is the ComboFix log:

ComboFix 08-05-09.1 - Yan 2008-05-11 19:03:19.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.614 [GMT -4:00]
Running from: C:\Documents and Settings\Yan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\ASPI322.sys
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\Yan\Application Data\.#
C:\Documents and Settings\Yan\Application Data\macromedia\Flash Player\#SharedObjects\ZP6TZ4QL\www.broadcaster.com
C:\Documents and Settings\Yan\Application Data\macromedia\Flash Player\#SharedObjects\ZP6TZ4QL\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Yan\Application Data\macromedia\Flash Player\#SharedObjects\ZP6TZ4QL\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Yan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Yan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\{D45D3~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\123messenger.per
C:\WINDOWS\apphelp32.dll
C:\WINDOWS\asferror32.dll
C:\WINDOWS\asycfilt32.dll
C:\WINDOWS\athprxy32.dll
C:\WINDOWS\ati2dvaa32.dll
C:\WINDOWS\ati2dvag32.dll
C:\WINDOWS\audiosrv32.dll
C:\WINDOWS\autodisc32.dll
C:\WINDOWS\avifile32.dll
C:\WINDOWS\avisynthex32.dll
C:\WINDOWS\aviwrap32.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\browserad.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\changeurl_30.dll
C:\WINDOWS\lfn.exe
C:\WINDOWS\licencia.txt
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msa64chk.dll
C:\WINDOWS\msapasrc.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\muotr.so
C:\WINDOWS\ntnut.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\shdocpe.dll
C:\WINDOWS\shdocpl.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\bang-006.ico
C:\WINDOWS\system32\ihkmp.bak2
C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\jrarnpet.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnkHbAP.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\WEehQXbc.ini
C:\WINDOWS\system32\WEehQXbc.ini2
C:\WINDOWS\telefonos.txt
C:\WINDOWS\textos.txt
C:\WINDOWS\voiceip.dll
C:\WINDOWS\winsb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPI322
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Legacy_TNIDRIVER
-------\Service_ASPI322


((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 19:02 . 2008-05-11 19:02 <DIR> d-------- C:\_OTMoveIt
2008-05-10 22:18 . 2008-05-10 22:18 <DIR> d-------- C:\Program Files\FastSum
2008-05-10 22:18 . 2008-05-10 22:18 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\FastSum
2008-05-10 22:06 . 2008-05-10 22:06 <DIR> d-------- C:\Program Files\NinjaVideo
2008-05-08 20:30 . 2008-05-08 20:30 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\QQ Games
2008-05-08 19:59 . 2008-05-08 20:09 <DIR> d-------- C:\Program Files\DFX
2008-05-08 19:59 . 2008-05-08 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
2008-05-08 19:38 . 2008-05-08 19:38 <DIR> d-------- C:\Program Files\AIMTunes
2008-05-08 19:24 . 2008-05-08 19:24 <DIR> d-------- C:\Program Files\AIM Music Link
2008-05-08 19:14 . 2008-05-08 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 18:35 . 2008-05-08 18:35 167,545 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-08 16:43 . 2008-05-08 16:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-08 16:43 . 2008-05-08 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-08 15:11 . 2008-05-08 15:11 <DIR> d-------- C:\RootkitNO
2008-05-08 15:11 . 2008-05-08 15:11 123 --a------ C:\WINDOWS\rootkitno.ini
2008-05-08 14:56 . 2008-05-08 14:56 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2008-05-08 14:56 . 2008-05-08 14:56 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-05-08 14:56 . 2008-05-08 14:56 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-05-08 14:56 . 2008-05-08 14:56 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-05-03 15:53 . 2008-05-10 23:09 77 --a------ C:\WINDOWS\lsoon.ini
2008-05-03 13:55 . 2008-05-03 13:55 <DIR> d-------- C:\Program Files\DjVu
2008-05-03 00:51 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-05-03 00:50 . 2008-05-03 00:50 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Regrun
2008-05-03 00:50 . 2008-05-10 23:09 <DIR> d-------- C:\backreg
2008-05-03 00:49 . 2008-05-03 00:49 <DIR> d-------- C:\Program Files\Greatis
2008-05-03 00:49 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-05-03 00:33 . 2008-05-03 00:33 109,738 --a------ C:\WINDOWS\BMd76e0ef1.xml
2008-05-02 16:40 . 2008-05-02 17:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 16:16 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-02 16:16 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-02 16:16 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-02 16:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-02 16:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-02 16:16 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-02 16:16 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-02 16:16 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-02 16:04 . 2008-05-03 00:26 3,516 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-02 13:00 . 2008-05-02 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-02 12:56 . 2005-07-05 16:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-02 12:56 . 2005-07-05 16:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-02 12:56 . 2005-07-05 16:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-02 12:56 . 2008-05-02 12:56 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-02 12:56 . 2008-05-11 12:01 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-02 12:25 . 2008-05-02 12:25 <DIR> d-------- C:\WINDOWS\system32\vb1
2008-05-02 12:25 . 2008-05-04 10:29 <DIR> d-------- C:\WINDOWS\system32\swTMP
2008-05-02 12:25 . 2008-05-02 12:25 <DIR> d-------- C:\Temp\zvebs14
2008-05-02 12:25 . 2008-05-02 12:25 <DIR> d-------- C:\Temp\kvebs14
2008-05-02 12:25 . 2008-05-11 12:22 <DIR> d-------- C:\Temp
2008-05-02 05:00 . 2008-05-02 05:00 <DIR> d-------- C:\Program Files\Silurian
2008-05-02 00:01 . 2008-05-02 00:01 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-02 00:01 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-05-02 00:01 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-05-02 00:01 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-05-02 00:01 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-05-02 00:01 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-05-02 00:01 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-05-01 01:13 . 2008-05-03 20:58 <DIR> d-------- C:\Program Files\Darkstar One
2008-04-29 12:47 . 2008-04-29 12:47 <DIR> d-------- C:\Program Files\PDF to DOC
2008-04-29 12:46 . 2008-04-29 12:49 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\CTdeveloping
2008-04-27 23:31 . 2008-04-27 23:31 <DIR> d-------- C:\Program Files\uTorrent
2008-04-27 06:35 . 2008-05-02 14:24 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Hamachi
2008-04-27 06:34 . 2008-04-27 06:35 <DIR> d-------- C:\Program Files\Hamachi
2008-04-27 06:34 . 2008-04-27 06:34 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\Program Files\Monte Cristo
2008-04-22 20:23 . 2008-04-22 20:23 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Media Player Classic
2008-04-22 20:22 . 2008-04-22 20:22 <DIR> d-------- C:\Program Files\Real Alternative
2008-04-19 19:23 . 2008-04-20 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-04-19 18:14 . 2008-04-25 01:25 <DIR> d-------- C:\Program Files\EA GAMES
2008-04-19 18:14 . 2004-08-17 23:14 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-04-15 18:13 . 2008-04-15 18:27 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Autodesk
2008-04-15 18:13 . 2008-04-27 02:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-15 18:02 . 2008-04-15 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-15 17:59 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-15 08:03 . 2008-04-15 08:05 <DIR> d-------- C:\Program Files\SmallStellaDEMO
2008-04-15 03:24 . 2008-04-25 00:27 <DIR> d-------- C:\Program Files\Stella4DDEMO
2008-04-11 22:19 . 2008-04-11 22:26 <DIR> d-------- C:\Program Files\webcamXP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 14:26 --------- d-----w C:\Documents and Settings\Yan\Application Data\AVG7
2008-05-11 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-11 01:52 --------- d-----w C:\Documents and Settings\Yan\Application Data\uTorrent
2008-05-09 00:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 23:29 --------- d-----w C:\Program Files\AIM6
2008-05-08 17:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 17:17 --------- d-----w C:\Documents and Settings\Yan\Application Data\AdobeUM
2008-05-08 00:25 --------- d-----w C:\Program Files\MagicISO
2008-05-03 17:15 --------- d-----w C:\Program Files\Trillian
2008-05-03 15:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 04:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 04:00 --------- d-----w C:\Program Files\Xvid
2008-04-28 17:37 --------- d-----w C:\Program Files\BitTorrent
2008-04-28 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-26 21:55 --------- d-----w C:\Documents and Settings\Yan\Application Data\BitTorrent
2008-04-26 08:41 --------- d-----w C:\Documents and Settings\Yan\Application Data\LimeWire
2008-04-25 05:17 --------- d-----w C:\Program Files\StarNet
2008-04-25 05:15 --------- d-----w C:\Program Files\Yahoo!
2008-04-25 05:11 --------- d-----w C:\Program Files\iTunes
2008-04-25 05:11 --------- d-----w C:\Program Files\iPod
2008-04-25 05:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-25 05:07 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-04-25 04:51 --------- d-----w C:\Program Files\Dell
2008-04-25 04:51 --------- d-----w C:\Program Files\Creative
2008-04-25 04:49 --------- d-----w C:\Program Files\AIM
2008-04-25 04:49 --------- d-----w C:\Documents and Settings\Yan\Application Data\Aim
2008-04-05 03:56 --------- d-----w C:\Program Files\MSN Messenger
2008-04-05 03:55 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 03:55 --------- d-----w C:\Program Files\Windows Live
2008-04-05 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 03:32 --------- d-----w C:\Documents and Settings\Yan\Application Data\yoclient
2008-04-01 03:04 --------- d-----w C:\Program Files\Lionhead Studios
2008-03-31 04:14 --------- d-----w C:\Program Files\FlashGet
2008-03-30 07:35 --------- d-----w C:\Program Files\Lionhead Studios Ltd
2008-03-29 21:54 120,320 ----a-w C:\WINDOWS\system32\drivers\SSHDRV65.sys
2008-03-29 21:48 --------- d-----w C:\Program Files\Ascaron Entertainment
2008-03-29 21:11 --------- d-----w C:\Program Files\Tales of Pirates Online
2008-03-29 04:36 --------- d-----w C:\Documents and Settings\Yan\Application Data\QQ Games Plugin
2008-03-29 04:35 --------- d-----w C:\Program Files\Tencent
2008-03-29 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-29 04:34 --------- d-----w C:\Program Files\Viewpoint
2008-03-29 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-23 18:37 --------- d-----w C:\Program Files\JoWooD
2008-03-14 07:07 104,144 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-14 07:07 --------- d-----w C:\Program Files\Symantec
2008-03-14 07:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 07:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-14 01:56 --------- d-----w C:\Program Files\Real
2008-03-14 01:56 --------- d-----w C:\Program Files\Common Files\Real
2008-03-14 01:55 --------- d-----w C:\Program Files\Crimsonland
2008-03-14 01:35 --------- d-----w C:\Program Files\MySpace
2008-03-14 01:27 --------- d-----w C:\Program Files\RustemSoft
2008-03-13 01:56 --------- d-----w C:\Program Files\Audacity
2008-03-12 03:18 --------- d-----w C:\Documents and Settings\Yan\Application Data\IMVU
2008-03-12 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-12 01:24 --------- d-----w C:\Program Files\epson
2008-03-09 21:38 22,328 ----a-w C:\Documents and Settings\Yan\Application Data\PnkBstrK.sys
2008-02-02 03:32 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-10-07 23:03 80 --sh--r C:\WINDOWS\system32\2D832349BD.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-08 17:58 7118848]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 17:50 221184]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 12:56 622592]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 16:09 157592]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:45 579072]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-05-08 14:56 221184 C:\WINDOWS\SnoopFreeUI.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 08:46 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-19 09:15:07 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-05 16:26:52 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 11:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 17:33 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 12:56 622592 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 15:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-09-08 18:58 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegRun WinBait]
C:\WINDOWS\winbait.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regrun2]
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tarantula]
--a------ 2007-05-07 10:52 159744 C:\Program Files\Razer\Tarantula\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC9Player]
C:\Program Files\Virtual CD v9\System\VC9Play.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"VC9SecS"=2 (0x2)
"usnjsvc"=3 (0x3)
"UserAccess7"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"MySQL4"=2 (0x2)
"MySql"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LexBceS"=2 (0x2)
"iPod Service"=3 (0x3)
"iPAHelper.exe"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"EvtEng"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apache2"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\GameTap\\bin\\Release\\gametap.exe"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Apache Software Foundation\\Apache2\\bin\\httpd.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_02\\bin\\java.exe"=
"C:\\ruby\\bin\\ruby.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\SSH Communications Security\\SSH Secure Shell\\SshClient.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R1 SSHDRV65;SSHDRV65;C:\WINDOWS\system32\drivers\SSHDRV65.sys [2008-03-29 17:54]
R1 vdrv9000;vdrv9000;C:\WINDOWS\system32\DRIVERS\vdrv9000.sys [2007-08-20 15:34]
R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 04:19]
R2 Apache2.2;Apache2.2;"C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe" -k runservice []
R2 NinjaVideo Helper.exe;NinjaVideo Helper;"C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe" [2008-04-10 21:01]
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 HH9Help.sys;HH9Help.sys;C:\WINDOWS\system32\drivers\HH9Help.sys [2006-09-20 13:42]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-04-05 15:04]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-04 17:04]
S3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2007-04-11 16:23]
S3 uisp;Freescale USB JW32 driver;C:\WINDOWS\system32\Drivers\usbicp.sys [2005-12-21 11:23]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 MySQL4;MySQL4;"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.0\my.ini" MySQL4 []
S4 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S4 VC9SecS;Virtual CD v9 Management Service;C:\Program Files\Virtual CD v9\System\vc9secs.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 11:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 19:09:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL4]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL4"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\system32\SnoopFreeSvc.exe
C:\WINDOWS\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2008-05-11 19:23:48 - machine was rebooted [Yan]
ComboFix-quarantined-files.txt 2008-05-11 23:23:26

Pre-Run: 25,524,297,728 bytes free
Post-Run: 25,501,450,240 bytes free

394 --- E O F --- 2008-05-11 07:02:54

Rorschach112
2008-05-12, 02:34
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\BMd76e0ef1.xml
C:\WINDOWS\system32\2D832349BD.dll

Folder::
C:\WINDOWS\system32\vb1
C:\WINDOWS\system32\swTMP
C:\Temp\zvebs14
C:\Temp\kvebs14

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adstart]

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Also post a new HijackThis log

supplyer
2008-05-12, 05:47
New ComboFix log:

ComboFix 08-05-09.1 - Yan 2008-05-11 22:29:28.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.636 [GMT -4:00]
Running from: C:\Documents and Settings\Yan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Yan\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMd76e0ef1.xml
C:\WINDOWS\system32\2D832349BD.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\zvebs14
C:\WINDOWS\BMd76e0ef1.xml
C:\WINDOWS\system32\2D832349BD.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\swTMP
C:\WINDOWS\system32\vb1

.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.

2008-05-11 21:35 . 2008-05-11 21:35 <DIR> d-------- C:\Program Files\Transcend
2008-05-11 20:25 . 2008-05-11 20:25 <DIR> d-------- C:\Program Files\Canon
2008-05-11 19:02 . 2008-05-11 19:02 <DIR> d-------- C:\_OTMoveIt
2008-05-10 22:18 . 2008-05-10 22:18 <DIR> d-------- C:\Program Files\FastSum
2008-05-10 22:18 . 2008-05-10 22:18 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\FastSum
2008-05-10 22:06 . 2008-05-10 22:06 <DIR> d-------- C:\Program Files\NinjaVideo
2008-05-08 20:30 . 2008-05-08 20:30 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\QQ Games
2008-05-08 19:59 . 2008-05-08 20:09 <DIR> d-------- C:\Program Files\DFX
2008-05-08 19:59 . 2008-05-08 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
2008-05-08 19:38 . 2008-05-08 19:38 <DIR> d-------- C:\Program Files\AIMTunes
2008-05-08 19:24 . 2008-05-08 19:24 <DIR> d-------- C:\Program Files\AIM Music Link
2008-05-08 19:14 . 2008-05-08 19:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-08 16:43 . 2008-05-08 16:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-08 16:43 . 2008-05-08 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-08 15:11 . 2008-05-08 15:11 <DIR> d-------- C:\RootkitNO
2008-05-08 15:11 . 2008-05-08 15:11 123 --a------ C:\WINDOWS\rootkitno.ini
2008-05-08 14:56 . 2008-05-08 14:56 221,184 --a------ C:\WINDOWS\SnoopFreeUI.exe
2008-05-08 14:56 . 2008-05-08 14:56 90,112 --a------ C:\WINDOWS\system32\SnoopFreeSvc.exe
2008-05-08 14:56 . 2008-05-08 14:56 45,056 --a------ C:\WINDOWS\SnoopFreeDll.dll
2008-05-08 14:56 . 2008-05-08 14:56 9,472 --a------ C:\WINDOWS\system32\drivers\SnopFree.sys
2008-05-03 15:53 . 2008-05-10 23:09 77 --a------ C:\WINDOWS\lsoon.ini
2008-05-03 13:55 . 2008-05-03 13:55 <DIR> d-------- C:\Program Files\DjVu
2008-05-03 00:51 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-05-03 00:50 . 2008-05-03 00:50 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Regrun
2008-05-03 00:50 . 2008-05-10 23:09 <DIR> d-------- C:\backreg
2008-05-03 00:49 . 2008-05-03 00:49 <DIR> d-------- C:\Program Files\Greatis
2008-05-03 00:49 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-05-02 16:40 . 2008-05-02 17:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 16:16 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-02 16:16 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-02 16:16 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-02 16:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-02 16:16 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-02 16:16 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-02 16:16 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-02 16:16 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-02 16:04 . 2008-05-03 00:26 3,516 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-02 13:00 . 2008-05-02 13:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-02 12:56 . 2005-07-05 16:36 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-02 12:56 . 2005-07-05 16:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-05-02 12:56 . 2005-07-05 16:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-05-02 12:56 . 2008-05-02 12:56 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-02 12:56 . 2008-05-11 22:20 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-02 12:25 . 2008-05-11 22:29 <DIR> d-------- C:\Temp
2008-05-02 05:00 . 2008-05-02 05:00 <DIR> d-------- C:\Program Files\Silurian
2008-05-02 00:01 . 2008-05-02 00:01 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-05-02 00:01 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-05-02 00:01 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-05-02 00:01 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-05-02 00:01 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-05-02 00:01 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-05-02 00:01 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-05-01 01:13 . 2008-05-03 20:58 <DIR> d-------- C:\Program Files\Darkstar One
2008-04-29 12:47 . 2008-04-29 12:47 <DIR> d-------- C:\Program Files\PDF to DOC
2008-04-29 12:46 . 2008-04-29 12:49 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\CTdeveloping
2008-04-27 23:31 . 2008-04-27 23:31 <DIR> d-------- C:\Program Files\uTorrent
2008-04-27 06:35 . 2008-05-02 14:24 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Hamachi
2008-04-27 06:34 . 2008-04-27 06:35 <DIR> d-------- C:\Program Files\Hamachi
2008-04-27 06:34 . 2008-04-27 06:34 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-04-25 01:53 . 2008-04-25 01:53 <DIR> d-------- C:\Program Files\Monte Cristo
2008-04-22 20:23 . 2008-04-22 20:23 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Media Player Classic
2008-04-22 20:22 . 2008-04-22 20:22 <DIR> d-------- C:\Program Files\Real Alternative
2008-04-19 19:23 . 2008-04-20 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-04-19 18:14 . 2008-04-25 01:25 <DIR> d-------- C:\Program Files\EA GAMES
2008-04-19 18:14 . 2004-08-17 23:14 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-04-15 18:13 . 2008-04-15 18:27 <DIR> d-------- C:\Documents and Settings\Yan\Application Data\Autodesk
2008-04-15 18:13 . 2008-04-27 02:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-15 18:02 . 2008-04-15 18:02 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-04-15 18:00 . 2008-04-15 18:00 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-04-15 17:59 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-04-15 08:03 . 2008-04-15 08:05 <DIR> d-------- C:\Program Files\SmallStellaDEMO
2008-04-15 03:24 . 2008-04-25 00:27 <DIR> d-------- C:\Program Files\Stella4DDEMO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 02:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-11 14:26 --------- d-----w C:\Documents and Settings\Yan\Application Data\AVG7
2008-05-11 04:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-11 01:52 --------- d-----w C:\Documents and Settings\Yan\Application Data\uTorrent
2008-05-09 00:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-08 23:29 --------- d-----w C:\Program Files\AIM6
2008-05-08 17:19 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-08 17:17 --------- d-----w C:\Documents and Settings\Yan\Application Data\AdobeUM
2008-05-08 00:25 --------- d-----w C:\Program Files\MagicISO
2008-05-03 17:15 --------- d-----w C:\Program Files\Trillian
2008-05-03 15:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-03 04:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 04:00 --------- d-----w C:\Program Files\Xvid
2008-04-28 17:37 --------- d-----w C:\Program Files\BitTorrent
2008-04-28 05:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-26 21:55 --------- d-----w C:\Documents and Settings\Yan\Application Data\BitTorrent
2008-04-26 08:41 --------- d-----w C:\Documents and Settings\Yan\Application Data\LimeWire
2008-04-25 05:17 --------- d-----w C:\Program Files\StarNet
2008-04-25 05:15 --------- d-----w C:\Program Files\Yahoo!
2008-04-25 05:11 --------- d-----w C:\Program Files\iTunes
2008-04-25 05:11 --------- d-----w C:\Program Files\iPod
2008-04-25 05:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-25 05:07 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-04-25 04:51 --------- d-----w C:\Program Files\Dell
2008-04-25 04:51 --------- d-----w C:\Program Files\Creative
2008-04-25 04:49 --------- d-----w C:\Program Files\AIM
2008-04-25 04:49 --------- d-----w C:\Documents and Settings\Yan\Application Data\Aim
2008-04-12 02:26 --------- d-----w C:\Program Files\webcamXP
2008-04-05 03:56 --------- d-----w C:\Program Files\MSN Messenger
2008-04-05 03:55 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-05 03:55 --------- d-----w C:\Program Files\Windows Live
2008-04-05 03:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 03:32 --------- d-----w C:\Documents and Settings\Yan\Application Data\yoclient
2008-04-01 03:04 --------- d-----w C:\Program Files\Lionhead Studios
2008-03-31 04:14 --------- d-----w C:\Program Files\FlashGet
2008-03-30 07:35 --------- d-----w C:\Program Files\Lionhead Studios Ltd
2008-03-29 21:54 120,320 ----a-w C:\WINDOWS\system32\drivers\SSHDRV65.sys
2008-03-29 21:48 --------- d-----w C:\Program Files\Ascaron Entertainment
2008-03-29 21:11 --------- d-----w C:\Program Files\Tales of Pirates Online
2008-03-29 04:36 --------- d-----w C:\Documents and Settings\Yan\Application Data\QQ Games Plugin
2008-03-29 04:35 --------- d-----w C:\Program Files\Tencent
2008-03-29 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-29 04:34 --------- d-----w C:\Program Files\Viewpoint
2008-03-29 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-23 18:37 --------- d-----w C:\Program Files\JoWooD
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-14 07:07 83,168 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-14 07:07 104,144 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-14 07:07 --------- d-----w C:\Program Files\Symantec
2008-03-14 07:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-14 07:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-14 05:40 1,708 ----a-w C:\WINDOWS\pchealth\helpctr\Config\incstore.bin
2008-03-14 01:56 --------- d-----w C:\Program Files\Real
2008-03-14 01:56 --------- d-----w C:\Program Files\Common Files\Real
2008-03-14 01:55 --------- d-----w C:\Program Files\Crimsonland
2008-03-14 01:35 --------- d-----w C:\Program Files\MySpace
2008-03-14 01:27 --------- d-----w C:\Program Files\RustemSoft
2008-03-13 16:59 5,120 ----a-w C:\WINDOWS\system32\BReWErS.dll
2008-03-13 01:56 --------- d-----w C:\Program Files\Audacity
2008-03-12 03:18 --------- d-----w C:\Documents and Settings\Yan\Application Data\IMVU
2008-03-12 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-12 01:24 --------- d-----w C:\Program Files\epson
2008-03-09 21:44 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-09 21:44 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-09 21:38 22,328 ----a-w C:\Documents and Settings\Yan\Application Data\PnkBstrK.sys
2008-03-01 22:36 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 19:22 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-02-29 19:22 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-02 03:32 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-11_19.23.07.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-11 23:08:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 02:21:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-08 17:58 7118848]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 17:50 221184]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 15:59 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33 122941]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 12:56 622592]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 16:09 157592]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:45 579072]
"SnoopFreeUI"="SnoopFreeUI.exe" [2008-05-08 14:56 221184 C:\WINDOWS\SnoopFreeUI.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 08:46 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-19 09:15:07 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-05 16:26:52 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 17:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 11:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-09-13 17:33 155648 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2005-03-04 12:56 622592 C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
--a------ 2004-10-30 15:59 385024 C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-09-08 18:58 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegRun WinBait]
C:\WINDOWS\winbait.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regrun2]
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tarantula]
--a------ 2007-05-07 10:52 159744 C:\Program Files\Razer\Tarantula\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC9Player]
C:\Program Files\Virtual CD v9\System\VC9Play.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"VC9SecS"=2 (0x2)
"usnjsvc"=3 (0x3)
"UserAccess7"=2 (0x2)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NICCONFIGSVC"=2 (0x2)
"MySQL4"=2 (0x2)
"MySql"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"LightScribeService"=2 (0x2)
"LexBceS"=2 (0x2)
"iPod Service"=3 (0x3)
"iPAHelper.exe"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"EvtEng"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apache2"=2 (0x2)
"mnmsrvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\GameTap\\bin\\Release\\gametap.exe"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Apache Software Foundation\\Apache2\\bin\\httpd.exe"=
"C:\\Program Files\\Java\\jdk1.6.0_02\\bin\\java.exe"=
"C:\\ruby\\bin\\ruby.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Tencent\\QQ Games\\QQGames.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\SSH Communications Security\\SSH Secure Shell\\SshClient.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R1 SSHDRV65;SSHDRV65;C:\WINDOWS\system32\drivers\SSHDRV65.sys [2008-03-29 17:54]
R1 vdrv9000;vdrv9000;C:\WINDOWS\system32\DRIVERS\vdrv9000.sys [2007-08-20 15:34]
R2 acedrv11;acedrv11;C:\WINDOWS\system32\drivers\acedrv11.sys [2008-01-23 04:19]
R2 Apache2.2;Apache2.2;"C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe" -k runservice []
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S2 NinjaVideo Helper.exe;NinjaVideo Helper;"C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe" [2008-04-10 21:01]
S3 HH9Help.sys;HH9Help.sys;C:\WINDOWS\system32\drivers\HH9Help.sys [2006-09-20 13:42]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-04-05 15:04]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-04 17:04]
S3 TarFltr;Razer Tarantula USB Keyboard;C:\WINDOWS\system32\Drivers\UsbFltr.sys [2007-04-11 16:23]
S3 uisp;Freescale USB JW32 driver;C:\WINDOWS\system32\Drivers\usbicp.sys [2005-12-21 11:23]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 MySQL4;MySQL4;"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.0\my.ini" MySQL4 []
S4 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S4 VC9SecS;Virtual CD v9 Management Service;C:\Program Files\Virtual CD v9\System\vc9secs.exe []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 11:16:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 22:33:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MySQL4]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL4"
.
Completion time: 2008-05-11 22:40:31
ComboFix-quarantined-files.txt 2008-05-12 02:39:29
ComboFix2.txt 2008-05-11 23:23:49

Pre-Run: 28,708,945,920 bytes free
Post-Run: 28,693,463,040 bytes free

348 --- E O F --- 2008-05-11 07:02:54


New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:08 PM, on 5/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\isuspm.exe" -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with XmlPad - res://C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll/101
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Yan\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: wmh - {A1428E78-2D00-4590-A071-0CC9700A7768} - C:\Program Files\WMHelp Software\WMHelp XmlPad\WmhASPP.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2\bin\httpd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: NinjaVideo Helper (NinjaVideo Helper.exe) - NinjaVideo - C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe

--
End of file - 9293 bytes

Rorschach112
2008-05-12, 17:04
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZJfox000


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also tell me how your PC is running

supplyer
2008-05-13, 03:21
Hi, thanks again for the help. My PC is running fine - somewhere during the cleaning process I stopped getting random IE popups and no longer have any visible effects from my malware. However I ran Spybot again and it still found 12 infections, so I don't want to take my chances. Here is the log:

Malwarebytes' Anti-Malware 1.12
Database version: 743

Scan type: Quick Scan
Objects scanned: 36994
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Rorschach112
2008-05-13, 03:39
Your logs are clean ! We need to do a few things

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png





Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com/products/acrobat/readstep2.html



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

supplyer
2008-05-16, 01:37
Great, thanks for all your help! I am really glad that I didn't have to format.

Rorschach112
2008-05-16, 03:12
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.