PDA

View Full Version : Smitfraud C & Virtumonde.Dll



Jetsetter1999
2008-10-26, 01:21
Hi there! Your excellent Spybot directed me here for manual removal. Any help would be greatly appreciated. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:28 PM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222561858000
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5403/mcfscan.cab
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6203 bytes

peku006
2008-10-26, 12:58
Hello and Welcome to the forums!

My name is peku006 and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"
If you follow these instructions, everything should go smoothly.

Navigate into C:\Program Files\Trend Micro\HijackThis folder and rename HijackThis.exe file -> Jetsetter1999.exe. Post a fresh hjt log after renaming is done

Thanks peku006

Jetsetter1999
2008-10-26, 13:46
Good morning, Peku, and thank you for helping me!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:01 AM, on 10/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Trend Micro\HijackThis\Jetsetter1999.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\vtUnoopN.dll
O2 - BHO: (no name) - {C042719D-97C2-4177-9A31-451263DE63F3} - C:\WINDOWS\system32\jkkJBQjJ.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222561858000
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5403/mcfscan.cab
O20 - Winlogon Notify: vtUnoopN - C:\WINDOWS\SYSTEM32\vtUnoopN.dll
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6722 bytes

peku006
2008-10-26, 14:16
Hi

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Jetsetter1999
2008-10-26, 15:58
When I download ComboFix (from link 1 & 3) my antivirus program says it's infected . I can't connect to link 2.

peku006
2008-10-26, 16:19
Hi Jetsetter1999

it is a "false positive" which is one of the many reasons why the instructions say to disable protection programs before using various tools including ComboFix.

Jetsetter1999
2008-10-26, 17:25
Okay. I had to actually uninstall Fprot to download ComboFix. Too bad it couldn't be that discriminating about malware!

ComboFix 08-10-25.01 - Owner 2008-10-26 11:03:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.244 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\temp\tn3
C:\WINDOWS\IA
C:\WINDOWS\system32\awecbvhm.ini
C:\WINDOWS\system32\buhxcxqt.dll
C:\WINDOWS\system32\ciiqpnrx.exe
C:\WINDOWS\system32\ciykxnca.exe
C:\WINDOWS\system32\csqxfwul.exe
C:\WINDOWS\system32\dfspkubj.ini
C:\WINDOWS\system32\drivers\ati1xsxxx.sys
C:\WINDOWS\system32\drivers\core.cache(2).dsk
C:\WINDOWS\system32\drivers\core.cache(3).dsk
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ejlksvap.ini
C:\WINDOWS\system32\fohjllob.ini
C:\WINDOWS\system32\fwghsqta.exe
C:\WINDOWS\system32\fwprsmfd.exe
C:\WINDOWS\system32\fyxclqeh.ini
C:\WINDOWS\system32\goktcrqi.ini
C:\WINDOWS\system32\gvkndtue.exe
C:\WINDOWS\system32\JjQBJkkj.ini
C:\WINDOWS\system32\JjQBJkkj.ini2
C:\WINDOWS\system32\jkkJBQjJ.dll
C:\WINDOWS\system32\jmftvjnv.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nsrbkicw.ini
C:\WINDOWS\system32\opnlLDuU.dll
C:\WINDOWS\system32\pavsklje.dll
C:\WINDOWS\system32\rbgfqlcx.exe
C:\WINDOWS\system32\rlrowdqi.exe
C:\WINDOWS\system32\smffjftf.dll
C:\WINDOWS\system32\sxscdqso.ini
C:\WINDOWS\system32\uiplldbw.ini
C:\WINDOWS\system32\vaydqfaw.exe
C:\WINDOWS\system32\vtUnoopN.dll
C:\WINDOWS\system32\vxvwhbbu.ini
C:\WINDOWS\system32\wlkofv.dll
C:\WINDOWS\system32\ycdsagta.exe
C:\WINDOWS\Tasks\lejaqvqq.job
C:\WINDOWS\Tasks\xtktrvlo.job
C:\WINDOWS\Tasks\zndsvydr.job
C:\WINDOWS\Temp\tmp3.tmp
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI1XSXXX
-------\Service_ati1xsxxx


((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.

2008-10-25 18:04 . 2008-10-25 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-25 09:40 . 2008-10-25 09:40 60,928 --ahs---- C:\WINDOWS\system32\awtqrppp.dll
2008-10-25 08:30 . 2008-10-25 08:30 60,928 --ahs---- C:\WINDOWS\system32\pmnnLCrS.dll
2008-10-24 21:11 . 2008-10-24 21:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-24 21:11 . 2008-10-25 07:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-24 20:51 . 2008-10-24 21:02 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-10-24 18:33 . 2008-10-24 18:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-10-19 08:39 . 2008-10-19 08:39 121 --ahs---- C:\WINDOWS\system32\yemfxgta.ini
2008-10-14 01:28 . 2008-10-14 01:28 3,676 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2008-10-13 21:10 . 2008-10-14 00:17 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-10-13 06:40 . 2008-10-13 06:40 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-13 03:40 . 2008-10-13 03:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\IUpd721
2008-10-13 03:38 . 2008-10-13 03:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FRISK Software
2008-10-13 03:33 . 2008-10-26 10:54 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-13 03:33 . 2008-10-26 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-10-12 23:42 . 2008-10-12 23:42 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-10-12 23:42 . 2008-10-12 23:42 827,392 --a------ C:\WINDOWS\system32\FLASH.OCX
2008-10-12 23:30 . 2008-10-12 23:30 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-10-12 21:20 . 2008-10-25 09:36 164 --a------ C:\WINDOWS\WININIT.INI
2008-10-12 21:17 . 2008-10-24 08:42 <DIR> d-------- C:\WINDOWS\system32\xan
2008-10-12 21:17 . 2008-10-13 08:23 <DIR> d-------- C:\WINDOWS\system32\sys3
2008-10-12 21:17 . 2008-10-13 04:59 <DIR> d-------- C:\WINDOWS\system32\pi
2008-10-12 21:17 . 2008-10-13 04:08 <DIR> d-------- C:\WINDOWS\system32\mco2
2008-10-12 21:17 . 2008-10-14 00:16 <DIR> d-------- C:\WINDOWS\system32\EV19
2008-10-12 21:17 . 2008-10-26 11:03 <DIR> d-------- C:\Temp
2008-10-12 21:17 . 2008-10-12 21:17 60,928 --ahs---- C:\WINDOWS\system32\ssqPjjkL.dll
2008-10-02 22:13 . 2008-10-02 22:13 <DIR> d-------- C:\Program Files\SimPE
2008-10-01 18:24 . 2008-10-01 18:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-10-01 18:07 . 2008-10-01 18:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-29 17:47 . 2008-09-29 17:47 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-09-28 07:14 . 2008-10-06 01:53 <DIR> d-------- C:\Program Files\EA GAMES
2008-09-28 07:14 . 2005-10-16 01:06 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-09-27 23:51 . 2005-11-10 14:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2008-09-27 23:50 . 2008-09-27 23:50 <DIR> d-------- C:\WINDOWS\Sun
2008-09-27 23:50 . 2008-09-27 23:50 <DIR> d-------- C:\Program Files\Belkin
2008-09-27 23:41 . 2004-11-02 09:58 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-27 23:41 . 2008-09-27 23:41 4,144 -rahs---- C:\WINDOWS\system32\drivers\HP_PC184A-ABA SR1123WM NA430_YC_Pres_QCNC425_E43NAheREG3_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.11_T040517_WXH1_L409_M504_J80_7Intel_8Celeron_92.67_1_N10EC8139_P_Z11C1048C_K_A808624C5.MRK
2008-09-27 23:39 . 2004-04-02 06:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-09-27 23:39 . 2004-04-03 04:05 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
2008-09-27 23:39 . 2004-04-02 21:28 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView
2008-09-27 23:38 . 2001-12-10 17:42 204,800 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2008-09-27 23:38 . 2001-12-10 17:42 200,704 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2008-09-27 23:38 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2008-09-27 23:38 . 2001-12-10 17:42 192,512 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2008-09-27 23:38 . 2001-12-10 17:42 188,416 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2008-09-27 23:38 . 2001-12-10 17:42 20,480 --a------ C:\WINDOWS\system32\IVIresize.dll
2008-09-27 23:36 . 2004-04-02 06:07 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-09-27 23:36 . 2008-04-13 15:18 52,480 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2008-09-27 23:36 . 2008-04-13 14:39 24,576 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2008-09-27 23:35 . 2008-06-23 12:57 6,066,176 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-09-27 23:35 . 2007-04-17 05:32 2,455,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-09-27 23:35 . 2007-03-08 01:10 991,232 --a--c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-09-27 23:35 . 2008-06-23 12:57 459,264 --a--c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-09-27 23:35 . 2008-06-23 12:57 383,488 --a--c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-09-27 23:35 . 2008-06-23 12:57 267,776 --a--c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-09-27 23:35 . 2008-06-23 12:57 63,488 --a--c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-09-27 23:35 . 2008-06-23 12:57 52,224 --a--c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-09-27 23:35 . 2008-06-23 05:20 13,824 --a--c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-09-27 23:28 . 2008-05-01 10:33 331,776 --a--c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-27 23:27 . 2008-06-13 07:05 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-27 23:26 . 2008-05-08 10:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-27 23:14 . 2008-09-27 23:14 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-27 23:14 . 2008-09-27 23:14 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-27 23:14 . 2008-09-27 23:14 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-27 23:00 . 2008-04-13 20:12 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll
2008-09-27 22:59 . 2004-02-12 21:05 381,425 --a--c--- C:\WINDOWS\system32\dllcache\copycd.wmv
2008-09-27 22:30 . 2008-10-26 11:12 244 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-09-27 22:28 . 2008-09-27 22:29 <DIR> d-------- C:\WINDOWS\I386
2008-09-27 22:21 . 2008-10-24 04:00 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-09-27 22:20 . 2008-09-27 23:45 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2008-09-27 22:05 . 2008-09-27 22:05 <DIR> d-------- C:\WINDOWS\provisioning
2008-09-27 22:05 . 2008-09-27 23:14 <DIR> d-------- C:\WINDOWS\peernet
2008-09-27 22:03 . 2008-09-27 22:03 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-27 21:57 . 2008-09-27 23:05 <DIR> d-------- C:\WINDOWS\EHome
2008-09-27 21:54 . 2002-04-15 21:11 67,866 --a------ C:\WINDOWS\system32\drivers\netwlan5.img
2008-09-27 21:54 . 2008-04-14 05:42 11,264 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-09-27 21:54 . 2004-08-02 14:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-09-27 21:54 . 2004-08-02 14:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-09-27 21:14 . 2008-04-13 15:19 146,048 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-09-27 21:14 . 2008-04-13 14:45 60,160 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-09-27 21:04 . 2008-04-13 20:11 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-09-27 21:03 . 2008-04-13 20:12 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2008-09-27 21:03 . 2008-04-13 20:12 192,512 --a------ C:\WINDOWS\system32\schedsvc.dll
2008-09-27 21:03 . 2008-04-13 20:12 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2008-09-27 20:25 . 2004-02-12 21:12 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-09-27 20:25 . 2004-02-12 21:12 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2008-09-27 20:08 . 2008-09-27 23:44 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-27 20:08 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-27 20:07 . 2008-09-27 23:14 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-27 20:06 . 2008-04-13 20:12 354,304 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-27 20:06 . 2008-04-13 20:12 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-27 20:06 . 2008-04-13 20:11 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-09-27 20:06 . 2008-04-13 20:11 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-09-27 20:02 . 2008-07-18 22:09 563,912 --a------ C:\WINDOWS\system32\wuapi.dll
2008-09-27 20:02 . 2008-07-18 22:09 325,832 --a------ C:\WINDOWS\system32\wucltui.dll
2008-09-27 20:02 . 2008-07-18 22:09 215,752 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-09-27 20:02 . 2008-07-18 22:10 45,768 --a------ C:\WINDOWS\system32\wups2.dll
2008-09-27 20:02 . 2008-07-18 22:10 36,552 --a------ C:\WINDOWS\system32\wups.dll
2008-09-27 20:02 . 2008-07-18 22:10 33,992 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-09-27 20:02 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-09-27 20:02 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-27 20:02 . 2008-07-18 22:08 20,680 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-09-27 20:01 . 2008-09-27 20:01 <DIR> d--hs---- C:\Documents and Settings\Owner\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 03:42 --------- d-----w C:\Program Files\InterMute
2008-09-28 03:38 --------- d-----w C:\Program Files\InterVideo
2008-09-28 00:22 --------- d-----w C:\Program Files\Quicken
2008-09-28 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-28 00:17 --------- d-----w C:\Program Files\Microsoft Plus! Digital Media Edition
2008-09-28 00:13 --------- d-----w C:\Program Files\Easy Internet signup
2008-09-28 00:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-28 00:11 --------- d-----w C:\Program Files\Hewlett-Packard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-04-02 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 126976]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-02 151597]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2003-09-12 98304]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-04-02 98304]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-16 C:\WINDOWS\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wlkofv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-10-26 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\vtUnoopN.dll
BHO-{b25c8fd3-c342-46b9-8d25-f7e7ac56d2d5} - C:\WINDOWS\system32\wlkofv.dll
BHO-{C042719D-97C2-4177-9A31-451263DE63F3} - (no file)
BHO-{E64E3843-F247-4092-900A-18A13B461389} - C:\WINDOWS\system32\jkkJBQjJ.dll
HKLM-Run-64ab8126 - C:\WINDOWS\system32\pavsklje.dll
HKLM-Run-VTTimer - VTTimer.exe
ShellExecuteHooks-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\vtUnoopN.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 -: HKCU-Internet Settings,ProxyOverride = localhost
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 11:12:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-10-26 11:19:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-26 15:19:38

Pre-Run: 50,905,305,088 bytes free
Post-Run: 50,766,024,704 bytes free

256

peku006
2008-10-26, 18:37
Hi Jetsetter1999

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:


File::
C:\WINDOWS\system32\awtqrppp.dll
C:\WINDOWS\system32\pmnnLCrS.dll
C:\WINDOWS\system32\yemfxgta.ini
C:\WINDOWS\system32\ssqPjjkL.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""




Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006

Jetsetter1999
2008-10-26, 19:04
I got the following error message: Windows cannot find 'CFScript'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search.

peku006
2008-10-26, 19:17
Hi Jetsetter1999

Please do the following...

Download and Run OTMoveIt3
Download OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer and save it to your desktop.

Double-click on OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below.
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


:Files
C:\WINDOWS\system32\awtqrppp.dll
C:\WINDOWS\system32\pmnnLCrS.dll
C:\WINDOWS\system32\yemfxgta.ini
C:\WINDOWS\system32\ssqPjjkL.dll

:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If you are not asked to reboot close OTMoveIt3.
A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).


next
Malwarebytes' Anti-Malware

Please reply with

1 .the OTMoveIt3 log
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log

Jetsetter1999
2008-10-26, 20:39
Hi Peku,

========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\system32\awtqrppp.dll
C:\WINDOWS\system32\awtqrppp.dll NOT unregistered.
C:\WINDOWS\system32\awtqrppp.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pmnnLCrS.dll
C:\WINDOWS\system32\pmnnLCrS.dll NOT unregistered.
C:\WINDOWS\system32\pmnnLCrS.dll moved successfully.
C:\WINDOWS\system32\yemfxgta.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssqPjjkL.dll
C:\WINDOWS\system32\ssqPjjkL.dll NOT unregistered.
C:\WINDOWS\system32\ssqPjjkL.dll moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10262008_132727


Malwarebytes' Anti-Malware 1.30
Database version: 1324
Windows 5.1.2600 Service Pack 3

10/26/2008 2:26:41 PM
mbam-log-2008-10-26 (14-26-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 128843
Time elapsed: 36 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instbndlkeyldr (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\fwghsqta.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\buhxcxqt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ciiqpnrx.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ciykxnca.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\csqxfwul.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fwprsmfd.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gvkndtue.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkJBQjJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jmftvjnv.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\opnlLDuU.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pavsklje.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rbgfqlcx.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rlrowdqi.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\smffjftf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vaydqfaw.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUnoopN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wlkofv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ycdsagta.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ati1xsxxx.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018622.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018626.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018627.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018628.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018629.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018633.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018634.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018637.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018638.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018639.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018641.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018642.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018643.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018644.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018645.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018648.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018649.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018651.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018652.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\10262008_132727\WINDOWS\system32\awtqrppp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\10262008_132727\WINDOWS\system32\pmnnLCrS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\10262008_132727\WINDOWS\system32\ssqPjjkL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:46 PM, on 10/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Trend Micro\HijackThis\Jetsetter1999.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222561858000
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5403/mcfscan.cab
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4850 bytes


No more pop-ups of naked women! Yeah!

peku006
2008-10-26, 21:06
Hi Jetsetter1999

it seems you don't have any evidence of an anti-virus software........why ?

1 - Remove bad HijackThis entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

2 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.

Under Main choose:
[b]Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


3 - Kaspersky Online Scan

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with


1. the Kaspersky online scanner report
2. a fresh HijackThis log

Thanks peku006

Jetsetter1999
2008-10-26, 21:19
Hi Peku,
I uninstalled my antivirus program to download ComboFix. I downloaded Antivir, Commodo and Spyware Blaster but I haven't installed them yet. I thought I should wait until I'm done here.

peku006
2008-10-26, 21:24
Hi

Ok :)

Jetsetter1999
2008-10-27, 00:14
Hi there!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, October 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, October 26, 2008 18:03:46
Records in database: 1348597
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 86985
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:36:39


File name / Threat name / Threats count
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:29 PM, on 10/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\Jetsetter1999.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222561858000
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5403/mcfscan.cab
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4680 bytes

peku006
2008-10-27, 09:09
Hi Jetsetter1999

Please delete this file using Windows Explorer(if present):

C:\Program Files\Common Files\Real\Toolbar\RealBar.dll

Please Install Antivirus and Firewall.....now

Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

Please reply with

a fresh HijackThis log

How is the computer running now ?

Thanks peku006

Jetsetter1999
2008-10-27, 09:32
Hi Peku!
My pc seems to be running great. It's quieter and faster than it's ever been! Antivir did find some files. Should I be concerned about that or is it another false positive?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:00 AM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Trend Micro\HijackThis\Jetsetter1999.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comodo.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222561858000
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5403/mcfscan.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6400 bytes

peku006
2008-10-27, 10:19
Hi Jetsetter1999

Can you tell me which files and where they are located?

Jetsetter1999
2008-10-27, 10:52
Hi Peku,



Avira AntiVir Personal
Report file date: Sunday, October 26, 2008 21:07

Scanning for 1708013 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: STROOP-GALE

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 18:36:36
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:53:28
ANTIVIR2.VDF : 7.0.7.59 4366336 Bytes 10/19/2008 23:18:28
ANTIVIR3.VDF : 7.0.7.93 198656 Bytes 10/26/2008 03:28:32
Engineversion : 8.2.0.9
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/15/2008 15:49:38
AESCRIPT.DLL : 8.1.1.9 319867 Bytes 10/16/2008 20:52:04
AESCN.DLL : 8.1.1.3 123252 Bytes 10/15/2008 15:49:38
AERDL.DLL : 8.1.1.2 438644 Bytes 9/18/2008 18:03:16
AEPACK.DLL : 8.1.2.4 369014 Bytes 10/15/2008 15:49:38
AEOFFICE.DLL : 8.1.0.29 196988 Bytes 10/23/2008 19:19:54
AEHEUR.DLL : 8.1.0.63 1479032 Bytes 10/23/2008 19:19:54
AEHELP.DLL : 8.1.1.2 115062 Bytes 10/15/2008 15:49:36
AEGEN.DLL : 8.1.0.42 319861 Bytes 10/24/2008 19:02:00
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/15/2008 15:49:36
AECORE.DLL : 8.1.2.8 172406 Bytes 10/24/2008 19:02:00
AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 15:49:34
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 7.0.0.1 155688 Bytes 6/30/2008 20:35:20
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, October 26, 2008 21:07

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'Belkinwcui.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'cssurf.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'gearsec.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eZulaHotText.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '497a14e6.qua'!
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP166\A0018492.exe
[DETECTION] Contains recognition pattern of the DIAL/90112 dialer
[NOTE] The file was moved to '49355fc1.qua'!
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018724.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49355fd3.qua'!
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018725.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49355fd9.qua'!
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP169\A0018726.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49355fdc.qua'!
Begin scan in 'D:\' <PRESARIO_RP>


End of the scan: Monday, October 27, 2008 02:49
Used time: 5:42:24 Hour(s)

The scan has been done completely.

5765 Scanning directories
282673 Files were scanned
4 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
282666 Files not concerned
12812 Archives were scanned
6 Warnings
5 Notes

peku006
2008-10-27, 11:06
Hi Jetsetter1999

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

After that.............

Congratulations, your log looks clean! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.


Double-click OTMoveIt3.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Jetsetter1999
2008-10-27, 11:41
Peku,
Thank you so much for all of your help. My pc works better than it did when I bought it! This is an amazing forum and I'm so glad I found Spybot. Thank you for all your time and effort and I hope I never have to talk to you again! :wav: