Desperate for Help



Brodie100
2008-06-08, 04:51
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:50:37, on 08/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {355D7733-76E2-4146-9BB2-C761006CE06B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - C:\WINDOWS\system32\vtUnNeef.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CE5873B0-64B6-4A18-9E47-608097EDFF5D} - C:\WINDOWS\system32\pmnkIAtS.dll (file missing)
O2 - BHO: (no name) - {D9D410EC-D2A1-442A-8578-EDC41B498F40} - C:\WINDOWS\system32\pmnMdEtT.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: atfxqogp - {9FE5B166-BC73-48F4-8696-A66ADB1485AE} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [64405645] rundll32.exe "C:\WINDOWS\system32\kubcjqky.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{A726A23D-B1E7-40ED-B9FB-8F04F2935931}: NameServer = 193.36.79.100 193.36.79.101
O20 - Winlogon Notify: vtUnNeef - C:\WINDOWS\SYSTEM32\vtUnNeef.dll
O21 - SSODL: vregfwlx - {89F28A38-C769-409E-9972-B34B1D005A1F} - (no file)
O21 - SSODL: vltdfabw - {FAE83260-F458-4B51-A535-101576F34BB5} - (no file)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7650 bytes

pskelley
2008-06-09, 14:09
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove, so do not expect fast or easy.

2008-05-23, 22:16 <<< is this the same computer shelf life cleaned two weeks ago?

Read the directions pinned (sticky) to the top of this forum and posted above, provide:

1) You have MBAM onboard, run a scan, clean what it finds and post the report.

2) You have a Vundo infection and may have Smitfraud also, this information will tell us:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the C:\rapport.txt

3) By not reading the directions you missed the instructions for a Kaspersky Online Scan (KOS):

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Recap: Read the directions then post the report from MBAM, the report from Smitfraudfix and the scan results from KOS.

Thanks
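To make explicit what the Vundo diagnosis above rests on, here is an added example (not from the forum, the helper, or any tool named in the thread) that parses HijackThis-format lines and flags the load points Vundo-family infections typically abuse: unnamed BHOs loading from system32, a Winlogon Notify DLL that is also registered as a BHO, Run values that start a system32 DLL through rundll32, and orphaned CLSIDs. The sample lines are a subset copied from the log posted above; the severity labels and heuristics are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log posted
# earlier in this thread, embedded so the script runs offline.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {96134ABB-AD7C-4135-A927-329B735D524F} - C:\WINDOWS\system32\vtUnNeef.dll
O2 - BHO: (no name) - {CE5873B0-64B6-4A18-9E47-608097EDFF5D} - C:\WINDOWS\system32\pmnkIAtS.dll (file missing)
O2 - BHO: (no name) - {D9D410EC-D2A1-442A-8578-EDC41B498F40} - C:\WINDOWS\system32\pmnMdEtT.dll
O3 - Toolbar: atfxqogp - {9FE5B166-BC73-48F4-8696-A66ADB1485AE} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [64405645] rundll32.exe "C:\WINDOWS\system32\kubcjqky.dll",b
O20 - Winlogon Notify: vtUnNeef - C:\WINDOWS\SYSTEM32\vtUnNeef.dll
O21 - SSODL: vregfwlx - {89F28A38-C769-409E-9972-B34B1D005A1F} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# "O2 - BHO: ..." / "R0 - HKCU\..." -> (section code, rest of line)
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Base name of any DLL mentioned in the entry
DLL_RE = re.compile(r"([A-Za-z0-9_~.-]+\.dll)", re.IGNORECASE)
# A DLL loaded straight out of %SystemRoot%\system32
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\\s\"]+\.dll", re.IGNORECASE)


def parse_hjt(text):
    """Return [(section, body)] for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Flag entries matching the load points Vundo-family infections abuse.

    Severities are this example's own labels: "high" entries are the ones a
    helper would ask the poster to remove, "low" ones are leftover
    registrations that point at files no longer present.
    """
    findings = []
    for section, body in parse_hjt(text):
        in_system32 = bool(SYSTEM32_DLL_RE.search(body))
        orphan = "(no file)" in body or "(file missing)" in body
        sev = reason = None
        if section in ("R0", "R1") and "Start Page" in body:
            sev, reason = "medium", "start page hijack candidate; confirm the URL with the user"
        elif section == "O2" and body.startswith("BHO: (no name)"):
            if orphan:
                sev, reason = "low", "unnamed BHO registration whose DLL is already gone"
            elif in_system32:
                sev, reason = "high", "unnamed BHO loading a DLL from system32 (Vundo pattern)"
        elif section == "O3" and orphan:
            sev, reason = "low", "toolbar CLSID with no backing file"
        elif section == "O4" and "rundll32" in body.lower() and in_system32:
            sev, reason = "high", "Run value launches a system32 DLL through rundll32"
        elif section == "O20" and in_system32:
            sev, reason = "medium", "Winlogon Notify DLL; check it against known-good vendors"
        elif section == "O21" and orphan:
            sev, reason = "low", "ShellServiceObjectDelayLoad CLSID with no file"
        if sev:
            findings.append({"severity": sev, "section": section,
                             "reason": reason, "entry": body})
    return findings


def persistence_overlap(text):
    """Map DLLs to every HJT section that loads them.

    A DLL hooked in from more than one place (e.g. O2 BHO plus O20 Winlogon
    Notify) is the strongest single indicator in a log like this one.
    """
    where = defaultdict(set)
    for section, body in parse_hjt(text):
        m = DLL_RE.search(body)
        if m:
            where[m.group(1).lower()].add(section)
    return {dll: sorted(secs) for dll, secs in where.items() if len(secs) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:6}] {f['section']:>3}  {f['reason']}")
        print(f"         {f['entry']}")
    for dll, sections in persistence_overlap(SAMPLE_HJT_LOG).items():
        print(f"multi-hook: {dll} loaded via {', '.join(sections)}")
```

The multi-hook result is the same correlation the MBAM report later in the thread confirms: the DLL registered as an unnamed BHO is also the Winlogon Notify DLL.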

Brodie100
2008-06-13, 12:59
Thanks so much for getting back to me; it has taken me so long to get online, to this site, and to be able to post properly.

Malwarebytes' Anti-Malware 1.15
Database version: 839

12:15:30 08/06/2008
mbam-log-6-8-2008 (12-15-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 121960
Time elapsed: 40 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 15
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ithgcesi.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\kubcjqky.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\pmnMdEtT.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\vtUnNeef.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9d410ec-d2a1-442a-8578-edc41b498f40} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d9d410ec-d2a1-442a-8578-edc41b498f40} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtunneef (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{355d7733-76e2-4146-9bb2-c761006ce06b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bakq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9fe5b166-bc73-48f4-8696-a66adb1485ae} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0f8b0aa8-9d77-4231-91c8-368195e82551} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{28f85800-2969-4966-8894-eda174875e71} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64405645 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{96134abb-ad7c-4135-a927-329b735d524f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9fe5b166-bc73-48f4-8696-a66adb1485ae} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vltdfabw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vregfwlx (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnmdett -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnmdett -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ithgcesi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\isecghti.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kubcjqky.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ykqjcbuk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnMdEtT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TtEdMnmp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TtEdMnmp.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUnNeef.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\esva.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


My Kaspersky doesn't always work and stops at 8 percent, and I cannot find a log to post.

Brodie100
2008-06-13, 14:19
Sorry, yes, it is the same computer.

Brodie100
2008-06-13, 14:20
SmitFraudFix v2.323

Scan done at 13:17:12.89, 13/06/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\fredrick


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\fredrick\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\fredrick\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 193.36.79.101
DNS Server Search Order: 193.36.79.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A726A23D-B1E7-40ED-B9FB-8F04F2935931}: NameServer=193.36.79.101 193.36.79.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A726A23D-B1E7-40ED-B9FB-8F04F2935931}: NameServer=193.36.79.101 193.36.79.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2008-06-13, 14:52
Please describe any malware symptoms that are occurring, post any error message you receive "word for word", and a new HJT log.

Thanks

Brodie100
2008-06-13, 16:48
Hi, thanks for getting back to me,

The same things seem to be happening over and over again. I'll find I cannot search the internet or even use it at times by clicking previous links, but then if I wait a bit I often can.

My antivirus has been turned off and I've had to reinstall my antivirus; my updating has also been turned off, but that is working now.


I do not know if this is important, but I do keep getting these warnings:
09/06/2008 20:38:06 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 219.153.8.64. Protocol/service: UDP on local port 1434. Time: 09/06/2008 20:38:06

10/06/2008 13:12:18 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 61.153.50.237. Protocol/service: UDP on local port 1434. Time: 10/06/2008 13:12:18

I'm not sure whether this helps:

08/06/2008 12:33:35 You are advised to perform a full computer scan as soon as possible.
08/06/2008 12:33:36 Database is out of date, leaving your computer at risk of infection. Please update your database.
08/06/2008 12:33:36 Protection of your computer is enabled.
08/06/2008 12:40:58 Please restart your computer to complete the installation of new or updated protection components.
08/06/2008 12:41:09 Process (PID 1456) tried to access Kaspersky Internet Security process (PID 1736), but the action has been blocked by the Self-Defense component. No action on your part is required.
08/06/2008 12:41:23 Please restart your computer to complete the installation of new or updated protection components.
08/06/2008 12:41:24 Update completed successfully
08/06/2008 12:41:30 Protection of your computer is not running. You are advised to resume protection.
08/06/2008 12:44:05 You are advised to perform a full computer scan as soon as possible.
08/06/2008 12:44:05 Protection of your computer is enabled.
08/06/2008 13:03:19 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 89.222.153.113. Protocol/service: UDP on local port 1434. Time: 08/06/2008 13:03:19
08/06/2008 13:35:53 Process (PID 440) tried to access Kaspersky Internet Security process (PID 1804), but the action has been blocked by the Self-Defense component. No action on your part is required.
08/06/2008 13:35:53 Process (PID 440) tried to access Kaspersky Internet Security process (PID 664), but the action has been blocked by the Self-Defense component. No action on your part is required.
08/06/2008 14:14:53 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID 1404) successfully completed.
08/06/2008 14:14:54 C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe quarantined.
08/06/2008 14:17:07 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID 228) successfully completed.
08/06/2008 14:17:08 C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe quarantined.
08/06/2008 14:17:29 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID 544) successfully completed.
08/06/2008 14:17:29 C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe quarantined.
08/06/2008 14:57:40 Update completed successfully
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.reg: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/pmnkIAtS.dll: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/sbRecovery.ini: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.reg: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.ini: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.reg: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.ini: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/pmnkIAtS.dll_old: is password protected.
08/06/2008 15:30:37 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.ini: is password protected.
08/06/2008 16:01:45 File C:\kazaa 3\Winzip 8.0 full version.exe/winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
08/06/2008 16:50:11 Process (PID 3800) tried to access Kaspersky Internet Security process (PID 664), but the action has been blocked by the Self-Defense component. No action on your part is required.
08/06/2008 16:50:11 Process (PID 3800) tried to access Kaspersky Internet Security process (PID 1776), but the action has been blocked by the Self-Defense component. No action on your part is required.
08/06/2008 16:50:11 Process (PID 3800) tried to access Kaspersky Internet Security process (PID 1804), but the action has been blocked by the Self-Defense component. No action on your part is required.
08/06/2008 17:03:28 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID 852) successfully completed.
08/06/2008 17:03:28 Error placing C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe in quarantine (access denied or object not found)
08/06/2008 17:03:31 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID 2824) successfully completed.
08/06/2008 17:03:31 C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe quarantined.
08/06/2008 17:17:02 Update completed successfully
08/06/2008 18:19:58 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 166.111.86.250. Protocol/service: UDP on local port 1434. Time: 08/06/2008 18:19:58
08/06/2008 19:36:39 Update completed successfully
08/06/2008 19:42:21 File C:\winzip\winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
08/06/2008 19:54:00 File D:\heroes season 2 ep3 hdtv xvid pntpw\heroes.s02e03.hdtv.xvid pntpw.rar/heroes.s02e03.hdtv.xvid pntpw.avi: is password protected.
08/06/2008 21:55:58 Update completed successfully
09/06/2008 00:16:30 Update completed successfully
09/06/2008 01:04:11 Your evaluation period will end in 29 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
09/06/2008 02:59:25 Update completed successfully
09/06/2008 11:41:09 Update completed successfully
09/06/2008 13:55:01 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID 1916) successfully completed.
09/06/2008 13:55:02 C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe quarantined.
09/06/2008 13:57:46 Update completed successfully
09/06/2008 14:39:44 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3036): attempt to perform suspicious actions is allowed.
09/06/2008 16:14:14 Update completed successfully
09/06/2008 18:17:17 Update completed successfully
09/06/2008 18:23:10 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 210.192.102.41. Protocol/service: UDP on local port 1434. Time: 09/06/2008 18:23:10
09/06/2008 18:43:05 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3680): attempt to perform suspicious actions is allowed.
09/06/2008 18:59:49 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 218.7.154.35. Protocol/service: UDP on local port 1434. Time: 09/06/2008 18:59:49
09/06/2008 19:05:42 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 212.117.50.244. Protocol/service: UDP on local port 1434. Time: 09/06/2008 19:05:42
09/06/2008 19:08:18 Update completed successfully
09/06/2008 20:38:06 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 219.153.8.64. Protocol/service: UDP on local port 1434. Time: 09/06/2008 20:38:06
09/06/2008 21:18:07 Update completed successfully
09/06/2008 23:38:08 Update completed successfully
10/06/2008 00:29:01 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1284): attempt to perform suspicious actions is allowed.
10/06/2008 01:24:45 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 89.222.153.113. Protocol/service: UDP on local port 1434. Time: 10/06/2008 01:24:45
10/06/2008 10:09:40 Update completed successfully
10/06/2008 10:10:34 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3820): attempt to perform suspicious actions is allowed.
10/06/2008 10:23:08 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 122.225.1.148. Protocol/service: UDP on local port 1434. Time: 10/06/2008 10:23:08
10/06/2008 11:09:51 Process (PID 2960) tried to access Kaspersky Internet Security process (PID 1804), but the action has been blocked by the Self-Defense component. No action on your part is required.
10/06/2008 11:09:51 Process (PID 2960) tried to access Kaspersky Internet Security process (PID 664), but the action has been blocked by the Self-Defense component. No action on your part is required.
10/06/2008 12:19:24 Update completed successfully
10/06/2008 13:12:18 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 61.153.50.237. Protocol/service: UDP on local port 1434. Time: 10/06/2008 13:12:18
10/06/2008 14:44:41 Update completed successfully
10/06/2008 15:06:01 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 61.157.96.212. Protocol/service: UDP on local port 1434. Time: 10/06/2008 15:06:01
10/06/2008 15:54:04 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 122.225.1.148. Protocol/service: UDP on local port 1434. Time: 10/06/2008 15:54:04
10/06/2008 16:42:51 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3020): attempt to perform suspicious actions is allowed.
10/06/2008 16:43:05 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3020): attempt to perform suspicious actions is allowed.
10/06/2008 16:54:22 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3240): attempt to perform suspicious actions is allowed.
10/06/2008 16:55:21 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3240): attempt to perform suspicious actions is allowed.
10/06/2008 16:55:45 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3240): attempt to perform suspicious actions is allowed.
10/06/2008 16:55:56 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3240): attempt to perform suspicious actions is allowed.
10/06/2008 16:56:09 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3240): attempt to perform suspicious actions is allowed.
10/06/2008 16:56:13 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3240): attempt to perform suspicious actions is allowed.
10/06/2008 17:00:09 Update completed successfully
10/06/2008 17:22:29 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 117.65.64.44. Protocol/service: UDP on local port 1434. Time: 10/06/2008 17:22:29
10/06/2008 17:44:40 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 222.66.160.2. Protocol/service: UDP on local port 1434. Time: 10/06/2008 17:44:40
10/06/2008 18:07:49 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 61.134.56.18. Protocol/service: UDP on local port 1434. Time: 10/06/2008 18:07:49
10/06/2008 18:24:38 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 61.157.96.212. Protocol/service: UDP on local port 1434. Time: 10/06/2008 18:24:38
10/06/2008 18:49:07 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 221.6.231.130. Protocol/service: UDP on local port 1434. Time: 10/06/2008 18:49:07
10/06/2008 18:58:44 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 604): attempt to perform suspicious actions is allowed.
10/06/2008 18:58:50 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 604): attempt to perform suspicious actions is allowed.
10/06/2008 18:58:54 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 604): attempt to perform suspicious actions is allowed.
10/06/2008 19:03:05 Process (PID 324) tried to access Kaspersky Internet Security process (PID 1804), but the action has been blocked by the Self-Defense component. No action on your part is required.
10/06/2008 19:03:06 Process (PID 324) tried to access Kaspersky Internet Security process (PID 664), but the action has been blocked by the Self-Defense component. No action on your part is required.
10/06/2008 19:20:23 Update completed successfully
10/06/2008 21:27:35 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3556): attempt to perform suspicious actions is allowed.
10/06/2008 21:39:37 Update completed successfully
10/06/2008 22:14:29 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 136.1.7.55. Protocol/service: UDP on local port 1434. Time: 10/06/2008 22:14:29
10/06/2008 22:38:23 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3712): attempt to perform suspicious actions is allowed.
10/06/2008 22:38:33 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3712): attempt to perform suspicious actions is allowed.
10/06/2008 22:40:26 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3712): attempt to perform suspicious actions is allowed.
10/06/2008 22:47:30 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3428): attempt to perform suspicious actions is allowed.
10/06/2008 22:48:46 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3428): attempt to perform suspicious actions is allowed.
10/06/2008 22:48:50 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3428): attempt to perform suspicious actions is allowed.
10/06/2008 22:48:54 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3428): attempt to perform suspicious actions is allowed.
10/06/2008 22:48:58 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3428): attempt to perform suspicious actions is allowed.
10/06/2008 23:32:39 Update completed successfully
11/06/2008 00:27:34 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.reg: is password protected.
11/06/2008 00:27:34 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/pmnkIAtS.dll: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/sbRecovery.ini: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.reg: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.ini: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.reg: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.ini: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/pmnkIAtS.dll_old: is password protected.
11/06/2008 00:27:35 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.ini: is password protected.
11/06/2008 00:41:15 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:41:29 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:41:38 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:41:42 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:41:55 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:42:53 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:42:59 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:44:14 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:44:23 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:44:29 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:44:35 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:46:30 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:46:35 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:46:42 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:46:46 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 00:46:55 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1392): attempt to perform suspicious actions is allowed.
11/06/2008 01:33:43 File C:\kazaa 3\Winzip 8.0 full version.exe/winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
11/06/2008 04:22:06 File C:\winzip\winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
11/06/2008 04:27:06 File D:\heroes season 2 ep3 hdtv xvid pntpw\heroes.s02e03.hdtv.xvid pntpw.rar/heroes.s02e03.hdtv.xvid pntpw.avi: is password protected.
11/06/2008 07:28:42 Update completed successfully
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.reg: is password protected.
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
11/06/2008 07:34:26 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
11/06/2008 07:34:27 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/pmnkIAtS.dll: is password protected.
11/06/2008 07:34:27 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/sbRecovery.ini: is password protected.
11/06/2008 07:34:27 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.reg: is password protected.
11/06/2008 07:34:27 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.ini: is password protected.
11/06/2008 07:34:28 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.reg: is password protected.
11/06/2008 07:34:28 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.ini: is password protected.
11/06/2008 07:34:29 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/pmnkIAtS.dll_old: is password protected.
11/06/2008 07:34:29 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.ini: is password protected.
11/06/2008 07:39:58 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3260): attempt to perform suspicious actions is allowed.
11/06/2008 08:03:07 File C:\kazaa 3\Winzip 8.0 full version.exe/winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
11/06/2008 11:22:17 File C:\winzip\winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
11/06/2008 11:27:26 File D:\heroes season 2 ep3 hdtv xvid pntpw\heroes.s02e03.hdtv.xvid pntpw.rar/heroes.s02e03.hdtv.xvid pntpw.avi: is password protected.
11/06/2008 12:09:20 Update completed successfully
11/06/2008 18:20:39 Update completed successfully
11/06/2008 19:07:15 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1752): attempt to perform suspicious actions is allowed.
11/06/2008 19:07:59 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1752): attempt to perform suspicious actions is allowed.
11/06/2008 19:11:08 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1752): attempt to perform suspicious actions is allowed.
11/06/2008 19:11:12 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1752): attempt to perform suspicious actions is allowed.
11/06/2008 19:11:17 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1752): attempt to perform suspicious actions is allowed.
11/06/2008 19:45:18 Process (PID 3744) tried to access Kaspersky Internet Security process (PID 1804), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/06/2008 19:45:18 Process (PID 3744) tried to access Kaspersky Internet Security process (PID 664), but the action has been blocked by the Self-Defense component. No action on your part is required.
11/06/2008 19:49:21 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3400): attempt to perform suspicious actions is allowed.
11/06/2008 20:03:57 Protection of your computer is enabled.
11/06/2008 20:23:56 Update completed successfully
11/06/2008 22:05:48 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 202.99.11.99. Protocol/service: UDP on local port 1434. Time: 11/06/2008 22:05:48
11/06/2008 22:18:19 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 392): attempt to perform suspicious actions is allowed.
11/06/2008 22:26:58 Update completed successfully
12/06/2008 00:32:38 Process (PID 1388) tried to access Kaspersky Internet Security process (PID 1832), but the action has been blocked by the Self-Defense component. No action on your part is required.
12/06/2008 00:32:40 Process (PID 1388) tried to access Kaspersky Internet Security process (PID 916), but the action has been blocked by the Self-Defense component. No action on your part is required.
12/06/2008 00:45:00 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 89.222.153.113. Protocol/service: UDP on local port 1434. Time: 12/06/2008 00:45:00
12/06/2008 00:47:32 Update completed successfully
12/06/2008 00:50:29 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 2000): attempt to perform suspicious actions is allowed.
12/06/2008 00:50:58 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 2000): attempt to perform suspicious actions is allowed.
12/06/2008 01:04:00 Your evaluation period will end in 26 days. To ensure uninterrupted protection, please <a v(buy)>click here to purchase</a>.
12/06/2008 01:19:39 Update completed successfully
12/06/2008 01:20:58 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 1108): attempt to perform suspicious actions is allowed.
12/06/2008 01:21:05 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3648): attempt to perform suspicious actions is allowed.
12/06/2008 08:41:57 Update completed successfully
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.reg: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/pmnkIAtS.dll: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/sbRecovery.ini: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.reg: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.ini: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.reg: is password protected.
12/06/2008 09:21:56 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.ini: is password protected.
12/06/2008 09:21:57 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/pmnkIAtS.dll_old: is password protected.
12/06/2008 09:21:57 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.ini: is password protected.
12/06/2008 09:46:48 File C:\kazaa 3\Winzip 8.0 full version.exe/winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
12/06/2008 10:52:54 Update completed successfully
12/06/2008 14:02:46 Update completed successfully
12/06/2008 14:30:49 Process (PID 1128) tried to access Kaspersky Internet Security process (PID 916), but the action has been blocked by the Self-Defense component. No action on your part is required.
12/06/2008 14:30:49 Process (PID 1128) tried to access Kaspersky Internet Security process (PID 1832), but the action has been blocked by the Self-Defense component. No action on your part is required.
12/06/2008 15:48:01 Intrusion.Win.MSSQL.worm.Helkern! Attacker IP address: 202.99.11.99. Protocol/service: UDP on local port 1434. Time: 12/06/2008 15:48:01
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.reg: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/pmnkIAtS.dll: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/sbRecovery.ini: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.reg: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.ini: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.reg: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.ini: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/pmnkIAtS.dll_old: is password protected.
12/06/2008 16:01:02 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.ini: is password protected.
12/06/2008 16:07:40 Update completed successfully
12/06/2008 16:24:20 File C:\kazaa 3\Winzip 8.0 full version.exe/winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
12/06/2008 18:13:01 Update completed successfully
12/06/2008 21:26:47 Update completed successfully
12/06/2008 22:53:47 Process (PID 552) tried to access Kaspersky Internet Security process (PID 1832), but the action has been blocked by the Self-Defense component. No action on your part is required.
12/06/2008 22:53:47 Process (PID 552) tried to access Kaspersky Internet Security process (PID 916), but the action has been blocked by the Self-Defense component. No action on your part is required.
12/06/2008 23:48:15 Update completed successfully
13/06/2008 02:11:11 Update completed successfully
13/06/2008 02:15:06 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 872): attempt to perform suspicious actions is allowed.
13/06/2008 02:15:32 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 872): attempt to perform suspicious actions is allowed.
13/06/2008 02:15:42 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 872): attempt to perform suspicious actions is allowed.
13/06/2008 02:15:52 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 872): attempt to perform suspicious actions is allowed.
13/06/2008 02:16:03 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 872): attempt to perform suspicious actions is allowed.
13/06/2008 02:16:12 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 872): attempt to perform suspicious actions is allowed.
13/06/2008 02:16:42 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 872): attempt to perform suspicious actions is allowed.
13/06/2008 02:33:34 Protection of your computer is enabled.
13/06/2008 02:47:18 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.reg: is password protected.
13/06/2008 02:47:18 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/sbRecovery.ini: is password protected.
13/06/2008 02:47:18 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.reg: is password protected.
13/06/2008 02:47:18 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/sbRecovery.ini: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.reg: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/sbRecovery.ini: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.reg: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/sbRecovery.ini: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/pmnkIAtS.dll: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll.zip/sbRecovery.ini: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.reg: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll1.zip/sbRecovery.ini: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.reg: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll2.zip/sbRecovery.ini: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/pmnkIAtS.dll_old: is password protected.
13/06/2008 02:47:19 File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondedll3.zip/sbRecovery.ini: is password protected.
13/06/2008 03:09:22 File C:\kazaa 3\Winzip 8.0 full version.exe/winzip80.exe/SETUP.WZ/WINZIP32.EX_: is password protected.
13/06/2008 11:41:07 Protection of your computer is enabled.
13/06/2008 11:44:30 Process (PID 3324) tried to access Kaspersky Internet Security process (PID 1732), but the action has been blocked by the Self-Defense component. No action on your part is required.
13/06/2008 11:44:41 Protection of your computer is not running. You are advised to resume protection.
13/06/2008 11:50:44 Protection of your computer is enabled.
13/06/2008 12:00:57 Update completed successfully
13/06/2008 13:08:35 Process (PID 1744) tried to access Kaspersky Internet Security process (PID 1732), but the action has been blocked by the Self-Defense component. No action on your part is required.
13/06/2008 13:34:20 Process (PID 2888) tried to access Kaspersky Internet Security process (PID 1732), but the action has been blocked by the Self-Defense component. No action on your part is required.
13/06/2008 15:05:06 Update completed successfully
13/06/2008 15:24:49 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 320): attempt to perform suspicious actions is allowed.
13/06/2008 15:24:56 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 320): attempt to perform suspicious actions is allowed.
13/06/2008 15:33:45 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3876): attempt to perform suspicious actions is allowed.
13/06/2008 15:33:52 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 3876): attempt to perform suspicious actions is allowed.
13/06/2008 15:38:55 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 2976): attempt to perform suspicious actions is allowed.
13/06/2008 15:39:15 Process C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe (PID: 2976): attempt to perform suspicious actions is allowed.

Brodie100
2008-06-13, 16:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:48:54, on 13/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CE5873B0-64B6-4A18-9E47-608097EDFF5D} - C:\WINDOWS\system32\pmnkIAtS.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{A726A23D-B1E7-40ED-B9FB-8F04F2935931}: NameServer = 193.36.79.101 193.36.79.100
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 6739 bytes

pskelley
2008-06-13, 17:05
Thanks for posting the HJT log, we will need to look more for the malware.

The same things seem to be happening over and over again, I'll find I cannot search the internet or even use it at times by clicking previous links, but then if I wait a bit I often can
Can you tell me if you get any messages at this time from your browser or Windows? We cannot always assume it is malware; it can be a problem with your ISP (that does happen).

1) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe <<< this program is obsolete, uninstall it in Add Remove Programs.
AVG Anti-Spyware and AVG Anti-Rootkit are no longer available
http://free.grisoft.com/ww.download-avg-anti-spyware-and-anti-rootkit

2) C:\Program Files\a-squared Anti-Malware\a2service.exe <<< unless you own this program, please uninstall it in Add Remove programs also, we will not be using it.

3) This information is valid for you: http://whois.domaintools.com/193.36.79.101

4) Let's check for a rootkit infection first with BlackLight:

Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
Most if not all of the items will be valid, post the log for me to view.

Ta

Brodie100
2008-06-13, 18:59
Thanks,

I've deleted that software, and here is the log:

06/13/08 16:50:16 [Info]: BlackLight Engine 1.0.70 initialized
06/13/08 16:50:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/13/08 16:50:16 [Note]: 7019 4
06/13/08 16:50:16 [Note]: 7005 0
06/13/08 16:50:21 [Note]: 7006 0
06/13/08 16:50:21 [Note]: 7011 1908
06/13/08 16:50:56 [Note]: 7035 0
06/13/08 16:50:56 [Note]: 7026 0
06/13/08 16:50:56 [Note]: 7026 0
06/13/08 16:51:02 [Note]: FSRAW library version 1.7.1024
06/13/08 17:13:38 [Note]: 7007 0

Something I meant to tell you but forgot: the problems only recurred after my BitDefender month's trial ran out and I uninstalled it.

No, I don't get any browser messages or any other messages when I cannot search or use the internet. I can often use the internet, but then search will not work, and some time later I cannot use the internet. But then it will work again.

Since I've done what you said above I seem to be ok? Could I have caused a problem by deleting the bitdefender?

pskelley
2008-06-13, 19:40
Thanks for returning your information...

1) Blacklight is clean, delete that program.

2)
Something I meant to tell you but forgot: the problems only recurred after my BitDefender month's trial ran out and I uninstalled it.
I do not use BitDefender, so you would have to ask them about that. I suppose anything is possible, but the question is not something I would have knowledge about:
http://www.bitdefender.com/site/Downloads/browseEvaluationVersion/

3) I asked if that information applies to you; could you assure me of that, please?

4) I suggest you discuss these issues with technical support at your ISP. They may be able to help. Here are troubleshooting links that may help:
http://www.google.com/search?hl=en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=troubleshooting+internet+connections&spell=1

5) Post a new HJT log, I'll take another look, keep an eye on things for any symptoms.

Cheers...Phil

Brodie100
2008-06-13, 20:05
3) I asked if that information applies to you, could you assure me of that please.

Sorry, what information applies to me? Do you mean that IP?
I thought you were giving me that tool to see who was sending me the worm.Helkern.
No, I'm from Manchester.

Why do you ask?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:57, on 13/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\TuneUp Utilities 2008\OneClick.exe
C:\Program Files\TuneUp Utilities 2008\RegistryCleaner.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CE5873B0-64B6-4A18-9E47-608097EDFF5D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{A726A23D-B1E7-40ED-B9FB-8F04F2935931}: NameServer = 193.36.79.100 193.36.79.101
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 6493 bytes

pskelley
2008-06-13, 20:39
Because of this item in your HJT log:
O17 - HKLM\System\CCS\Services\Tcpip\..\{A726A23D-B1E7-40ED-B9FB-8F04F2935931}: NameServer = 193.36.79.100 193.36.79.101
http://www.bleepingcomputer.com/tutorials/tutorial42.html#O17Diag

If you see entries for this and do not recognize the domain as belonging to your ISP or company, and the DNS servers do not belong to your ISP or company, then you should have HijackThis fix it. You can go to Arin to do a whois on the DNS server IP addresses to determine what company they belong to.
I used: http://www.whois.sc/ to look it up: http://whois.domaintools.com/193.36.79.100
If that information is wrong I would contact your ISP and have them reset it for you. Have them check all of your settings.

C:\Program Files\TuneUp Utilities 2008\RegistryCleaner.exe <<< I want to point out that I am nervous about "fix-all" programs that mess with the registry. Unless you are positive you know what you are doing, I would be very careful and always make a backup before using these programs.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:04:57, on 13/06/2008

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {CE5873B0-64B6-4A18-9E47-608097EDFF5D} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

(cleaning prefetch may result in a few slow boots until Windows repopulates with needed information)
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

I suggest, since you can't seem to run the Kaspersky Online Scan, that you update your resident antivirus and run a system scan. Let me know about anything unusual.

Thanks
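One way to automate the O17 check described above, as an added example that is not from this thread and not part of HijackThis: it parses the O17 NameServer lines from a HijackThis log and flags any DNS server outside the ranges you have confirmed with your ISP. The "expected" range 193.36.79.0/24, the second interface entry with its placeholder GUID, and the 203.0.113.x addresses are constructed assumptions for the sample.

```python
"""Added example: parse HijackThis O17 lines and flag DNS servers that are
not in the ranges you expect. Not part of the thread or of HijackThis."""
import ipaddress
import re

# HijackThis writes per-interface DNS settings as
# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip ip".
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+?)\s*$")

# Constructed sample. The first O17 line is the entry from this thread; the
# second uses a placeholder GUID and a documentation range (203.0.113.0/24).
SAMPLE_LOG = r"""
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{A726A23D-B1E7-40ED-B9FB-8F04F2935931}: NameServer = 193.36.79.100 193.36.79.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 203.0.113.53,203.0.113.54
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
"""

# Assumption: the ranges your ISP confirms as its resolvers (from a whois
# lookup or from the ISP itself). 193.36.79.0/24 is used here only as an
# example of "the range the first entry falls in", not as a verified fact.
EXPECTED_RANGES = ["193.36.79.0/24"]


def parse_o17(log_text):
    """Return [(registry_key, [server strings])] for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def check_nameservers(entries, expected_ranges):
    """Classify each server as 'expected', 'unexpected' or 'invalid'."""
    nets = [ipaddress.ip_network(r) for r in expected_ranges]
    findings = []
    for key, servers in entries:
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((key, s, "invalid"))  # not a usable address
                continue
            status = "expected" if any(ip in n for n in nets) else "unexpected"
            findings.append((key, str(ip), status))
    return findings


def unexpected_servers(log_text, expected_ranges=EXPECTED_RANGES):
    """Servers to raise with the ISP (or fix in HijackThis) if unrecognised."""
    findings = check_nameservers(parse_o17(log_text), expected_ranges)
    return sorted({ip for _, ip, st in findings if st != "expected"})


if __name__ == "__main__":
    for key, ip, status in check_nameservers(parse_o17(SAMPLE_LOG), EXPECTED_RANGES):
        print(f"{status:10} {ip:16} {key}")
```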

Brodie100
2008-06-13, 20:51
I have been with the same provider since I got the computer, around 2003 I think, and I had dial-up. I know at one time it was in Leeds, now it is Manchester; could that be it? It is the right provider but the wrong IP and address.

pskelley
2008-06-13, 20:59
That would not be "malware removal" and I suggest you contact your ISP technical support for instructions.
I could post information but would it be the right information for your ISP? Since the service is what you pay them for.

Thanks

Brodie100
2008-06-13, 21:00
Cheers, done that. What I did was download Kaspersky Internet Security; they are doing a month's free trial, but the full anti-virus scan seems to stop at 8 or 9 percent every time.

Brodie100
2008-06-13, 21:04
I am sorry you have lost me with this provider and IP business, I'm not that knowledgeable about computers and don't really understand what you mean?

pskelley
2008-06-13, 21:13
I provided a link to a free online scanner and the instructions for using it in my post #2, item number 3. At no time did I request that you download a trial version of Kaspersky.


http://www.wisegeek.com/what-is-an-isp.htm
http://www.google.com/search?hl=en&q=what+is+an+ISP

http://www.google.com/search?hl=en&defl=en&q=define:IP+NUMBER&sa=X&oi=glossary_definition&ct=title
http://www.google.com/search?hl=en&q=what+is+an+IP+number&btnG=Search

Thanks

Brodie100
2008-06-13, 23:43
Sorry, I didn't think it would make any difference, if I scanned it online or downloaded it.

Is it OK if I use Firefox? I know you say Explorer, but I've just tried that and it didn't work, whereas Firefox seems to be working the scan.

pskelley
2008-06-14, 00:18
I understand it does work with Firefox, until very recently this was not the case.

Thanks

pskelley
2008-06-19, 23:41
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.