My Name Says it all. (solved)



ColinHatesCoreCashedsk
2008-11-26, 14:45
My wife's computer caught a little bug. I've been trying everything I know to remove it, thinking I was actually an advanced user. The file core.cache.dsk is the main culprit, but I haven't been able to do anything to remove it. I followed the initial instructions I've seen in other people's posts here and turned off the live protection settings in order to run the download of HijackThis. I also tried to run ComboFix before I realized that it was meant to be used with expert guidance. Here is the log file from ComboFix and from HJT.

ComboFix 08-11-26.03 - Ann Collins 2008-11-26 7:03:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1429 [GMT -5:00]
Running from: c:\documents and settings\Ann Collins\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-26 07:05 . 2008-11-26 07:05 <DIR> d-------- c:\temp\tn3
2008-11-25 17:27 . 2008-11-26 07:05 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-25 14:03 . 2008-11-25 14:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-25 14:03 . 2008-11-25 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 13:51 . 2008-11-25 13:51 <DIR> d-------- c:\program files\Lavasoft
2008-11-25 13:51 . 2008-11-25 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-25 13:31 . 2008-11-26 06:35 380 --a------ c:\windows\Wininit.ini
2008-11-22 17:48 . 2008-11-22 17:48 <DIR> d-------- c:\program files\Windows Defender
2008-11-22 09:08 . 2008-11-22 09:08 <DIR> d-------- c:\documents and settings\Ann Collins\Application Data\NI.GSCNS
2008-11-22 09:00 . 2008-11-22 09:00 <DIR> d-------- c:\temp\FT62
2008-11-22 09:00 . 2008-11-22 09:00 86,272 --a------ c:\windows\system32\drivers\OsaFsLocc.sys
2008-11-07 17:16 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-07 17:16 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-07 17:14 . 2008-11-07 17:14 <DIR> d-------- c:\program files\HP
2008-11-07 17:14 . 2008-11-07 17:14 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-11-07 17:14 . 2004-03-18 16:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-11-07 17:14 . 2004-03-18 16:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-11-07 17:14 . 2004-03-18 16:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-11-07 17:14 . 2004-03-18 16:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2008-11-07 17:14 . 2004-03-18 16:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-11-07 17:14 . 2004-03-18 16:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-11-07 17:13 . 2008-11-07 17:13 <DIR> d-------- c:\temp\HP_WebRelease
2008-11-07 17:13 . 2008-11-26 07:05 <DIR> d-------- C:\temp
2008-11-07 17:13 . 2008-11-07 17:15 102,032 --a------ c:\windows\hpoins04.dat
2008-11-07 17:13 . 2004-06-22 04:20 17,218 --------- c:\windows\hpomdl04.dat
2008-11-06 18:24 . 2008-11-25 13:39 <DIR> d-------- c:\documents and settings\Ann Collins\Application Data\NCH Swift Sound
2008-11-06 18:24 . 2008-11-22 00:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 11:34 --------- d-----w c:\program files\Trend Micro
2008-11-25 18:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-25 18:38 --------- d-----w c:\program files\Yahoo!
2008-11-25 18:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-25 18:34 --------- d-----w c:\program files\NewTech Infosystems
2008-11-22 14:29 --------- d-----w c:\program files\Common Files\Adobe
2008-11-15 23:04 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-13 01:13 --------- d-----w c:\program files\World of Warcraft
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-05 20:06 --------- d-----w c:\documents and settings\Ann Collins\Application Data\Move Networks
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-11-01 321040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-16 1807696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-07 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-07 8523776]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-08-09 8597586]
"nwiz"="nwiz.exe" [2007-12-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe [2008-08-07 1523712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--------- 2005-10-27 05:00 299008 c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 03:28 144784 c:\program files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 OsaFsLocc;OsaFsLocc;c:\windows\system32\drivers\OsaFsLocc.sys [2008-11-22 86272]
R2 OsaFsLoc;OsaFsLoc;\??\c:\windows\system32\drivers\OsaFsLoc.sys [2008-04-13 11018]
R2 osaio;osaio;\??\c:\windows\system32\drivers\osaio.sys [2008-04-13 8704]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2008-08-07 17149]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\DRIVERS\V0260Vid.sys [2008-05-17 178913]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c683b14a-ac5d-11dd-b2e6-001320eae77b}]
\Shell\AutoRun\command - F:\rcaeasyrip_setup.exe
\Shell\install\command - F:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - F:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - F:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - F:\rcaeasyrip_setup.exe /pdf_Spanish

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 07:05:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\io22woom.TMP 616448 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe
.
**************************************************************************
.
Completion time: 2008-11-26 7:08:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 12:07:50
ComboFix2.txt 2008-11-26 11:49:15

Pre-Run: 42,278,903,808 bytes free
Post-Run: 42,277,289,984 bytes free

147 --- E O F --- 2008-11-22 14:16:14


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:00 AM, on 11/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208132491188
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {86BAF1D8-67D1-4AFF-9BAC-4DC3152BB7C1} (PccActX Control) - http://pccactivex.trendmicro.com/en/activex/PccActX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6779 bytes

Blender
2008-11-27, 21:47
Hi and welcome,

I'm looking over your log & will reply shortly with further instructions.

Blender
2008-11-27, 22:21
Hello again,

Please copy the following text to a new notepad file:


file::
c:\windows\system32\drivers\OsaFsLocc.sys

dirlook::
c:\temp\FT62
c:\documents and settings\Ann Collins\Application Data\NI.GSCNS

driver::
OsaFsLocc

filelook::
c:\windows\TEMP\io22woom.TMP


Save it to your desktop as cfscript.txt

Disable antimalware programs so they don't interfere.
Drag CFScript.txt on top of Combofix & drop it.
If Combofix wants internet access to download a new version -- please allow.
If it wants internet access to download components from Microsoft, please allow.
Follow the rest of the prompts.

Post the new log created & don't forget to re-enable antimalware programs.


Is F drive your mp3 player?
Know what this file is?

F:\rcaeasyrip_setup.exe

If not -- Plug in the F drive but don't open it.

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
F:\rcaeasyrip_setup.exe
Click Send.
Please post the results of this scan to this thread.
Please include the file size/MD5 information if available.

*note*
Please don't just open the F drive till we know what that exe file is as this may set off an autorun infection.

Unplug F drive when done scanning file.

Logs needed:

C:\combofix.txt
New Hijackthis log
Info from virus total regarding that file I asked to be scanned.

Let me know how system is running.

Thanks :)
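
The script above goes after exactly the items the first ComboFix log surfaced: a driver written in the recent-files window, an unknown autorun target on a removable drive, and a hidden temp file. As an added illustration (not code from this thread, from ComboFix or from the Spybot forum), here is a small Python triage pass over a constructed excerpt in that log's layout; it flags those items plus the suppressed Security Center notifications and the disabled firewall profile. The finding kind names are my own.

```python
import re

# Constructed excerpt laid out the way ComboFix prints its log (it mirrors the
# first log in this thread); sample input only, not a log captured from a machine.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

2008-11-22 09:00 . 2008-11-22 09:00 <DIR> d-------- c:\temp\FT62
2008-11-22 09:00 . 2008-11-22 09:00 86,272 --a------ c:\windows\system32\drivers\OsaFsLocc.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 OsaFsLocc;OsaFsLocc;c:\windows\system32\drivers\OsaFsLocc.sys [2008-11-22 86272]
R2 osaio;osaio;\??\c:\windows\system32\drivers\osaio.sys [2008-04-13 8704]
S3 PciCon;PciCon;\??\D:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c683b14a-ac5d-11dd-b2e6-001320eae77b}]
\Shell\AutoRun\command - F:\rcaeasyrip_setup.exe
\Shell\install\command - F:\rcaeasyrip_setup.exe

c:\windows\TEMP\io22woom.TMP 616448 bytes
hidden files: 1
"""

# "Files Created" entries: created . modified size-or-<DIR> attributes path
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (?:<DIR>|[\d,]+) \S+ (.+)$")
# Driver/service lines: start-type name;display name;path [date size]
DRIVER_RE = re.compile(r"^[RS][0-4] (\S+?);[^;]*;(.+?) \[(.*)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")
DWORD_ONE_RE = re.compile(r'^"([A-Za-z]+)"=dword:0*1$')
HIDDEN_RE = re.compile(r"^(\S.*?) (\d+) bytes$")


def triage_combofix(log_text):
    """Return (kind, detail) findings worth a second look, in log order."""
    findings = []
    created = set()   # paths from the "Files Created" window, lowercased
    drivers = []      # (service name, path, bracket text) for R*/S* lines
    section = None    # current [registry key] block, lowercased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None   # ComboFix separates registry blocks with blank lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if line.endswith("failed to delete"):   # the file ComboFix could not remove
            findings.append(("locked_file", line[: -len("failed to delete")].rstrip(" .")))
            continue
        m = CREATED_RE.match(line)
        if m:
            created.add(m.group(1).lower())
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(m.groups())
            continue
        m = HIDDEN_RE.match(line)
        if m and section is None:   # catchme's hidden-file listing
            findings.append(("hidden_file", m.group(1)))
            continue
        if section is None:
            continue
        if "security center" in section:
            m = DWORD_ONE_RE.match(line)
            if m and "Disable" in m.group(1):   # notifications/monitoring switched off
                findings.append(("security_center_suppressed", m.group(1)))
        elif "firewallpolicy" in section and line.startswith('"EnableFirewall"'):
            if re.search(r"=\s*0\b", line):
                findings.append(("firewall_disabled", section.rsplit("\\", 1)[-1]))
        elif "mountpoints2" in section:
            m = AUTORUN_RE.match(line)
            if m:   # a removable-drive verb that runs an executable from that drive
                findings.append(("removable_autorun", f"{m.group(1)} -> {m.group(2)}"))
    # Correlate sections: a loaded driver whose file appeared in the recent-files
    # window deserves a look, as does a service entry whose file is gone.
    for name, path, meta in drivers:
        clean = path.lower()
        if clean.startswith("\\??\\"):
            clean = clean[4:]
        if not meta:
            findings.append(("driver_file_missing", f"{name} -> {path}"))
        elif clean in created:
            findings.append(("recently_dropped_driver", f"{name} -> {path}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_combofix(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
```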

ColinHatesCoreCashedsk
2008-11-28, 18:13
Thank you so very much. The virus appears to be gone. Of course, now this means it'll be harder for me to convince my wife that she needs a new computer, but that's probably for the best.

F Drive was my wife's MP3 player. When I plugged it in, it went to E: Drive instead, but I uploaded E:\rcaeasyrip_setup.exe to VirusTotal.

The three logs are below.

ComboFix 08-11-27.07 - Ann Collins 2008-11-28 10:42:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1556 [GMT -5:00]
Running from: c:\documents and settings\Ann Collins\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ann Collins\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\OsaFsLocc.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tn3
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\OsaFsLocc.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OSAFSLOCC
-------\Service_OsaFsLocc


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-27 08:54 . 2008-11-27 08:54 230 --a------ c:\windows\system32\spupdsvc.inf
2008-11-26 07:29 . 2008-11-26 07:28 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-25 14:03 . 2008-11-25 14:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-25 14:03 . 2008-11-25 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 13:51 . 2008-11-25 13:51 <DIR> d-------- c:\program files\Lavasoft
2008-11-25 13:51 . 2008-11-25 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-25 13:31 . 2008-11-26 06:35 380 --a------ c:\windows\Wininit.ini
2008-11-22 17:48 . 2008-11-22 17:48 <DIR> d-------- c:\program files\Windows Defender
2008-11-22 09:08 . 2008-11-22 09:08 <DIR> d-------- c:\documents and settings\Ann Collins\Application Data\NI.GSCNS
2008-11-22 09:00 . 2008-11-22 09:00 <DIR> d-------- c:\temp\FT62
2008-11-07 17:16 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-07 17:16 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-07 17:14 . 2008-11-07 17:14 <DIR> d-------- c:\program files\HP
2008-11-07 17:14 . 2008-11-07 17:14 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-11-07 17:14 . 2004-03-18 16:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
2008-11-07 17:14 . 2004-03-18 16:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
2008-11-07 17:14 . 2004-03-18 16:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
2008-11-07 17:14 . 2004-03-18 16:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
2008-11-07 17:14 . 2004-03-18 16:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
2008-11-07 17:14 . 2004-03-18 16:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
2008-11-07 17:13 . 2008-11-07 17:13 <DIR> d-------- c:\temp\HP_WebRelease
2008-11-07 17:13 . 2008-11-28 10:42 <DIR> d-------- C:\temp
2008-11-07 17:13 . 2008-11-07 17:15 102,032 --a------ c:\windows\hpoins04.dat
2008-11-07 17:13 . 2004-06-22 04:20 17,218 --------- c:\windows\hpomdl04.dat
2008-11-06 18:24 . 2008-11-25 13:39 <DIR> d-------- c:\documents and settings\Ann Collins\Application Data\NCH Swift Sound
2008-11-06 18:24 . 2008-11-22 00:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 12:28 --------- d-----w c:\program files\Java
2008-11-26 11:34 --------- d-----w c:\program files\Trend Micro
2008-11-25 18:50 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-25 18:38 --------- d-----w c:\program files\Yahoo!
2008-11-25 18:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-25 18:34 --------- d-----w c:\program files\NewTech Infosystems
2008-11-22 14:29 --------- d-----w c:\program files\Common Files\Adobe
2008-11-15 23:04 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-13 01:13 --------- d-----w c:\program files\World of Warcraft
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-05 20:06 --------- d-----w c:\documents and settings\Ann Collins\Application Data\Move Networks
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\io22woom.TMP -- Invalid filepath or file no longer exist

---- Directory of c:\documents and settings\Ann Collins\Application Data\NI.GSCNS ----

2008-11-22 09:15 30 --a------ c:\documents and settings\Ann Collins\Application Data\NI.GSCNS\dl.ini
2008-11-22 09:15 23 --a------ c:\documents and settings\Ann Collins\Application Data\NI.GSCNS\settings.ini

---- Directory of c:\temp\FT62 ----

2008-11-22 09:00 1858 --a------ c:\temp\FT62\teTU.log


((((((((((((((((((((((((((((( snapshot@2008-11-26_ 6.48.40.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-13 22:39:20 71,680 ----a-w c:\windows\system32\admparse.dll
+ 2004-08-04 12:00:00 61,440 ----a-w c:\windows\system32\admparse.dll
- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2004-08-04 12:00:00 99,840 ----a-w c:\windows\system32\advpack.dll
- 2008-02-16 09:32:03 1,024,000 ----a-w c:\windows\system32\browseui.dll
+ 2004-08-04 12:00:00 1,016,832 ----a-w c:\windows\system32\browseui.dll
- 2007-08-13 22:39:20 71,680 -c--a-w c:\windows\system32\dllcache\admparse.dll
+ 2004-08-04 12:00:00 61,440 -c--a-w c:\windows\system32\dllcache\admparse.dll
- 2008-08-26 07:24:28 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 12:00:00 99,840 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2008-02-16 09:32:03 1,024,000 -c----w c:\windows\system32\dllcache\browseui.dll
+ 2004-08-04 12:00:00 1,016,832 -c--a-w c:\windows\system32\dllcache\browseui.dll
- 2007-08-13 22:54:10 33,792 -c--a-w c:\windows\system32\dllcache\custsat.dll
+ 2006-06-03 11:40:49 33,792 -c--a-w c:\windows\system32\dllcache\custsat.dll
- 2008-08-26 07:24:28 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-04 12:00:00 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00:00 201,728 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-26 07:24:28 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-04 12:00:00 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2007-08-13 22:18:02 60,416 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
+ 2004-08-04 12:00:00 38,912 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
- 2008-08-25 08:37:59 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-04 12:00:00 34,304 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00:00 139,264 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2008-08-26 07:24:28 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-04 12:00:00 216,576 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2008-08-23 05:54:51 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00:00 221,184 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2008-08-26 07:24:29 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00:00 323,584 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-13 22:44:02 69,120 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2004-08-04 12:00:00 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2007-08-13 22:45:18 78,336 -c--a-w c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-04 12:00:00 81,920 -c--a-w c:\windows\system32\dllcache\ieencode.dll
- 2007-08-13 22:54:10 191,488 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00:00 249,344 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2008-08-26 07:24:29 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-04 12:00:00 48,640 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2007-08-13 22:39:12 55,296 -c--a-w c:\windows\system32\dllcache\iesetup.dll
+ 2004-08-04 12:00:00 62,976 -c--a-w c:\windows\system32\dllcache\iesetup.dll
- 2008-08-23 05:56:15 635,848 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2004-08-04 12:00:00 93,184 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2007-08-13 22:36:06 36,352 -c--a-w c:\windows\system32\dllcache\imgutil.dll
+ 2004-08-04 12:00:00 35,840 -c--a-w c:\windows\system32\dllcache\imgutil.dll
- 2007-08-13 22:39:02 92,672 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2004-08-04 12:00:00 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2007-08-13 22:38:04 491,520 -c--a-w c:\windows\system32\dllcache\jscript.dll
+ 2004-08-04 12:00:00 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
- 2008-08-26 07:24:30 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 12:00:00 15,872 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2007-08-13 22:44:18 40,960 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-04 12:00:00 22,016 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
- 2007-08-13 22:32:30 45,568 -c--a-w c:\windows\system32\dllcache\mshta.exe
+ 2004-08-04 12:00:00 29,184 -c--a-w c:\windows\system32\dllcache\mshta.exe
- 2008-08-27 08:24:32 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2004-08-04 12:00:00 3,003,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-26 07:24:30 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00:00 448,512 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2007-08-13 22:01:12 48,128 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
+ 2004-08-04 12:00:00 56,832 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
- 2007-08-13 22:54:10 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
+ 2004-08-04 12:00:00 146,432 -c--a-w c:\windows\system32\dllcache\msls31.dll
- 2008-08-26 07:24:30 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00:00 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2008-08-26 07:24:30 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00:00 530,432 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2008-08-26 07:24:30 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 12:00:00 96,256 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2008-08-26 07:24:30 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-04 12:00:00 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-02-16 09:32:08 1,499,136 -c----w c:\windows\system32\dllcache\shdocvw.dll
+ 2006-09-04 06:08:01 1,494,016 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2008-02-16 09:32:08 474,112 -c----w c:\windows\system32\dllcache\shlwapi.dll
+ 2005-09-02 23:52:06 473,600 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
- 2008-08-26 07:24:30 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2004-08-04 12:00:00 37,888 -c--a-w c:\windows\system32\dllcache\url.dll
- 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2004-08-04 12:00:00 601,088 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2007-08-13 22:54:10 413,696 -c--a-w c:\windows\system32\dllcache\vbscript.dll
+ 2004-08-04 12:00:00 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
- 2007-07-12 23:31:54 765,952 -c--a-w c:\windows\system32\dllcache\vgx.dll
+ 2007-06-26 15:13:22 851,968 -c--a-w c:\windows\system32\dllcache\vgx.dll
- 2008-08-26 07:24:31 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00:00 276,480 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2008-08-26 07:24:31 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00:00 656,384 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2004-08-04 12:00:00 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00:00 201,728 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-26 07:24:28 133,120 ------w c:\windows\system32\extmgr.dll
+ 2004-08-04 12:00:00 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2008-08-25 08:37:59 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00:00 34,304 ----a-w c:\windows\system32\ie4uinit.exe
- 2008-08-26 07:24:28 153,088 ------w c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00:00 139,264 ----a-w c:\windows\system32\ieakeng.dll
- 2008-08-26 07:24:28 230,400 ------w c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00:00 216,576 ----a-w c:\windows\system32\ieaksie.dll
- 2008-08-23 05:54:51 161,792 ------w c:\windows\system32\ieakui.dll
+ 2004-08-04 12:00:00 221,184 ----a-w c:\windows\system32\ieakui.dll
- 2008-08-26 07:24:29 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00:00 323,584 ----a-w c:\windows\system32\iedkcs32.dll
- 2007-08-13 22:45:18 78,336 ----a-w c:\windows\system32\ieencode.dll
+ 2004-08-04 12:00:00 81,920 ----a-w c:\windows\system32\ieencode.dll
- 2007-08-13 22:54:10 191,488 ----a-w c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00:00 249,344 ----a-w c:\windows\system32\iepeers.dll
- 2008-08-26 07:24:29 44,544 ------w c:\windows\system32\iernonce.dll
+ 2004-08-04 12:00:00 48,640 ----a-w c:\windows\system32\iernonce.dll
- 2007-08-13 22:39:12 55,296 ----a-w c:\windows\system32\iesetup.dll
+ 2004-08-04 12:00:00 62,976 ----a-w c:\windows\system32\iesetup.dll
- 2007-08-13 22:36:06 36,352 ----a-w c:\windows\system32\imgutil.dll
+ 2004-08-04 12:00:00 35,840 ----a-w c:\windows\system32\imgutil.dll
- 2007-08-13 22:39:02 92,672 ----a-w c:\windows\system32\inseng.dll
+ 2004-08-04 12:00:00 96,256 ----a-w c:\windows\system32\inseng.dll
- 2008-03-25 05:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-11-26 12:29:00 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-25 05:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-26 12:29:00 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 06:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-26 12:29:00 148,888 ----a-w c:\windows\system32\javaws.exe
- 2007-08-13 22:38:04 491,520 ----a-w c:\windows\system32\jscript.dll
+ 2004-08-04 12:00:00 450,560 ----a-w c:\windows\system32\jscript.dll
- 2008-08-26 07:24:30 27,648 ------w c:\windows\system32\jsproxy.dll
+ 2004-08-04 12:00:00 15,872 ----a-w c:\windows\system32\jsproxy.dll
- 2007-08-13 22:44:18 40,960 ----a-w c:\windows\system32\licmgr10.dll
+ 2004-08-04 12:00:00 22,016 ----a-w c:\windows\system32\licmgr10.dll
- 2007-08-13 22:32:30 45,568 ----a-w c:\windows\system32\mshta.exe
+ 2004-08-04 12:00:00 29,184 ----a-w c:\windows\system32\mshta.exe
- 2008-08-27 08:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2004-08-04 12:00:00 3,003,392 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2004-08-04 12:00:00 448,512 ----a-w c:\windows\system32\mshtmled.dll
- 2007-08-13 22:01:12 48,128 ----a-w c:\windows\system32\mshtmler.dll
+ 2004-08-04 12:00:00 56,832 ----a-w c:\windows\system32\mshtmler.dll
- 2007-08-13 22:54:10 156,160 ----a-w c:\windows\system32\msls31.dll
+ 2004-08-04 12:00:00 146,432 ----a-w c:\windows\system32\msls31.dll
- 2008-08-26 07:24:30 193,024 ----a-w c:\windows\system32\msrating.dll
+ 2004-08-04 12:00:00 146,432 ----a-w c:\windows\system32\msrating.dll
- 2008-08-26 07:24:30 671,232 ------w c:\windows\system32\mstime.dll
+ 2004-08-04 12:00:00 530,432 ----a-w c:\windows\system32\mstime.dll
- 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\occache.dll
+ 2004-08-04 12:00:00 96,256 ----a-w c:\windows\system32\occache.dll
- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2004-08-04 12:00:00 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2008-02-16 09:32:08 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2006-09-04 06:08:01 1,494,016 ----a-w c:\windows\system32\shdocvw.dll
- 2008-02-16 09:32:08 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2005-09-02 23:52:06 473,600 ----a-w c:\windows\system32\shlwapi.dll
- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll
+ 2004-08-04 12:00:00 37,888 ----a-w c:\windows\system32\url.dll
- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00:00 601,088 ----a-w c:\windows\system32\urlmon.dll
- 2007-08-13 22:54:10 413,696 ----a-w c:\windows\system32\vbscript.dll
+ 2004-08-04 12:00:00 417,792 ----a-w c:\windows\system32\vbscript.dll
- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00:00 276,480 ----a-w c:\windows\system32\webcheck.dll
- 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2004-08-04 12:00:00 656,384 ----a-w c:\windows\system32\wininet.dll
+ 2008-11-28 15:45:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2c8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-11-01 321040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2007-08-16 1807696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-07 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-07 8523776]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-08-09 8597586]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-26 136600]
"nwiz"="nwiz.exe" [2007-12-07 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe [2008-08-07 1523712]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--------- 2005-10-27 05:00 299008 c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 03:28 144784 c:\program files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 OsaFsLoc;OsaFsLoc;\??\c:\windows\system32\drivers\OsaFsLoc.sys [2008-04-13 11018]
R2 osaio;osaio;\??\c:\windows\system32\drivers\osaio.sys [2008-04-13 8704]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2008-08-07 17149]
S3 PciCon;PciCon;\??\D:\PciCon.sys []
S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\DRIVERS\V0260Vid.sys [2008-05-17 178913]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c683b14a-ac5d-11dd-b2e6-001320eae77b}]
\Shell\AutoRun\command - F:\rcaeasyrip_setup.exe
\Shell\install\command - F:\rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - F:\rcaeasyrip_setup.exe /pdf_English
\Shell\usermanualFrench\command - F:\rcaeasyrip_setup.exe /pdf_French
\Shell\usermanualSpanish\command - F:\rcaeasyrip_setup.exe /pdf_Spanish
.
Contents of the 'Scheduled Tasks' folder

2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 10:44:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\NTMARTA.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe
c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe
c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe
.
**************************************************************************
.
Completion time: 2008-11-28 10:47:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 15:46:45
ComboFix2.txt 2008-11-26 12:08:31
ComboFix3.txt 2008-11-26 11:49:15

Pre-Run: 41,987,133,440 bytes free
Post-Run: 42,064,666,624 bytes free

334 --- E O F --- 2008-11-22 14:16:14


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:34 AM, on 11/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\Belkinwcui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208132491188
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {86BAF1D8-67D1-4AFF-9BAC-4DC3152BB7C1} (PccActX Control) - http://pccactivex.trendmicro.com/en/activex/PccActX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6538 bytes

File rcaeasyrip_setup.exe_ received on 11.28.2008 16:59:40 (CET)


Result: 0/37 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.11.28.2 2008.11.28 -
AntiVir 7.9.0.36 2008.11.28 -
Authentium 5.1.0.4 2008.11.28 -
Avast 4.8.1281.0 2008.11.27 -
AVG 8.0.0.199 2008.11.28 -
BitDefender 7.2 2008.11.28 -
CAT-QuickHeal 10.00 2008.11.28 -
ClamAV 0.94.1 2008.11.28 -
DrWeb 4.44.0.09170 2008.11.28 -
eSafe 7.0.17.0 2008.11.27 -
eTrust-Vet 31.6.6234 2008.11.28 -
Ewido 4.0 2008.11.28 -
F-Prot 4.4.4.56 2008.11.27 -
F-Secure 8.0.14332.0 2008.11.28 -
Fortinet 3.117.0.0 2008.11.28 -
GData 19 2008.11.28 -
Ikarus T3.1.1.45.0 2008.11.28 -
K7AntiVirus 7.10.537 2008.11.28 -
Kaspersky 7.0.0.125 2008.11.28 -
McAfee 5447 2008.11.27 -
McAfee+Artemis 5447 2008.11.27 -
Microsoft 1.4104 2008.11.28 -
NOD32 3648 2008.11.28 -
Norman 5.80.02 2008.11.28 -
Panda 9.0.0.4 2008.11.28 -
PCTools 4.4.2.0 2008.11.28 -
Prevx1 V2 2008.11.28 -
Rising 21.05.42.00 2008.11.28 -
SecureWeb-Gateway 6.7.6 2008.11.28 -
Sophos 4.36.0 2008.11.28 -
Sunbelt 3.1.1832.2 2008.11.27 -
Symantec 10 2008.11.28 -
TheHacker 6.3.1.1.166 2008.11.28 -
TrendMicro 8.700.0.1004 2008.11.28 -
VBA32 3.12.8.9 2008.11.28 -
ViRobot 2008.11.28.1491 2008.11.28 -
VirusBuster 4.5.11.0 2008.11.27 -
Additional information
File size: 6528493 bytes
MD5...: 45905b6b891c86e9066721fcb9e3f6dd
SHA1..: 6e09fc5f40ddd573068bdd7b1a1139b639d274c8
SHA256: 57d2082785752f1bee0c0e1dc4a0f0fe9618ac0689fab79738ba97465de1520f
SHA512: 98e14042e67f29d2666be4987439c6dd9cac1b11b14f70cd7460818fd93877ad85eeb8c29e2c8e02d86a37dc3f09231393f917f376467ffa1f812b1bbeec85ff

ssdeep: 98304:5pI++QZ46rCi3iWCTQMmgKWZcfi5W1NSMM27VSKIGcC9Yv3Nwp9QlmXiIA6m8yBw:hwidwQMmCZcCWfSMMESKINj47Xq8yO

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x409a58
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x9174 0x9200 6.57 ea92e1415bc80e2738e334267ebbb921
DATA 0xb000 0x24c 0x400 2.74 f96da19d2571a42bdff1b9e8bd62ec99
BSS 0xc000 0xe48 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xd000 0x950 0xa00 4.43 bb5485bf968b970e5ea81292af2acdba
.tls 0xe000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xf000 0x18 0x200 0.20 9ba824905bf9c7922b6fc87a38b74366
.reloc 0x10000 0x8b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x11000 0x53d8 0x5400 3.72 249a0adfc3bcc989ee03fe8c3c5b190d

( 8 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
> kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
> user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
> comctl32.dll: InitCommonControls
> advapi32.dll: AdjustTokenPrivileges

( 0 exports )

Blender
2008-11-30, 15:44
Hi,

Good to hear that worked well.
Did you uninstall IE7?

c:\qoobox\quarantine\c\windows\system32\drivers\OsaFsLocc.sys.vir

Can you upload the above file to this site please:

http://www.uploadmalware.com

Leave URL in space provided so I can ID who the file belongs to.

---------------------------

I'd like to do an online scan before we finish cleaning up the tools and such.
This scanner simply reports -- no cleaning.
Whatever it finds we'll deal with here.

If you already have used Kaspersky online scanner, please uninstall it via add/remove programs because this is a new version I need you to download.

Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.


Graphics tutorial available here if needed:

http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

Best to disable onboard antivirus before running the scan so as to avoid conflicts.
Don't forget to turn it back on and please avoid surfing/downloading etc while scanning because your active protection is off.

--------------------------------------

While waiting for me to get back --
Your Acrobat reader is out of date & vulnerable to attack.
Best to uninstall it & install the new version.
If you don't want toolbars offered -- uncheck that option before hitting the "install" button.
Alternative to Acrobat is FoxIt reader. Lighter & less add-ons.
http://www.foxitsoftware.com/pdf/rd_intro.php
(click the free download link)

Same goes for QuickTime. Uninstall old & install new if yours is older than current version.
If you don't need iTunes -- choose the player without iTunes.

Thanks :)

ColinHatesCoreCashedsk
2008-12-06, 03:21
Sorry it took so long to get back to you; work was hell this week. We had uninstalled IE7, yes. The file is downloading for Kaspersky. Before that, I did a run through with Trend and it also identified the file you wanted me to upload and quarantined some of its apparent friends, but failed to deal with that file. I already uploaded that file to the site you asked for. I'll upload the results from Kaspersky once it runs.

ColinHatesCoreCashedsk
2008-12-06, 03:32
I actually uploaded it twice, btw. I titled it My Name Says it all, like the thread, the second time. The first time I put the URL for the thread in it.

Blender
2008-12-06, 06:05
Thanks for the file Colin,

I'll watch for your reply when you get the Kaspersky scan done.

Thanks :)

ColinHatesCoreCashedsk
2008-12-06, 06:33
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 05, 2008 19:45:58
Records in database: 1439220


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 66799
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:13:34

File name Threat name Threats count
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\6C.tmp Infected: Trojan.Win32.VB.hew 1

The selected area was scanned.

Blender
2008-12-06, 10:04
Hi,

Log looks good.
You can empty out your Quarantine from within Trend Micro.

If all is still well please do the following:
Click start> run> type combofix /u then hit enter.
Follow the prompts.
It will delete the files/folders it dropped along with the quarantined stuff.
It will also re-hide system files if needed & reset your system restore to remove infected restore points & create a fresh clean one.

Here is some great information to help you stay clean and safe online:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

If you want to help speed up your system Miekiemoes has some great information here:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Keep well & surf safe! :)

ColinHatesCoreCashedsk
2008-12-06, 21:08
Thanks for all your help!

Blender
2008-12-08, 13:38
You're welcome,

Glad to have helped.

Take care :)