
.dll HELL!



Bluheart
2009-04-13, 12:52
The other night I was playing an online browser game I've played for two years. I was in Opera because I was attending to the account of someone I sit for. I only use Opera when I'm in his account so I don't confuse his with mine. I NEVER use Opera for anything else.

Suddenly my Zone Alarm said a program, e.exe, was asking permission for outbound. I thought that strange, then noticed it said this was the first time this program had asked to go outbound. I quickly denied it. :nono: Then something made me open ZA back up and check the location of that program and go change the name of it. I didn't want it to execute so I made it an .exe1 and closed it again. Then I opened it again and changed it to 225e.exe1.

I had had NOD32 installed but it had expired 2 days earlier. I was going to order new copies at a good price but it was going to take a few days to get to me. So I had installed AVG temporarily. AVG scanned it and passed it with flying colors but I wasn't impressed. So I uninstalled AVG and was attempting to install Kaspersky but by then I had .dll's firing off popups all over the place right and left with messages saying that Chrome said the image wasn't correct to check my installation disc. I couldn't do anything because I couldn't get the popups to stop. (I do NOT use IE. FF is my favorite but due to a graphics card problem right now I can't use it... long story.)

I finally got Kaspersky installed and it started picking out .dll's and putting them into quarantine. I searched on Google the name of some of them and they don't exist: gujugova.dll, mosoyami.dll, dahodozu.dll and a couple of others. Now when I reboot I get an error that says: RUNDLL Error Loading C:\System32\gujubova.dll The specified module could not be found. It also says the same thing for mosoyami.dll.

Kaspersky has me a bit confused. I don't know how to clear or quarantine these things it has found and there are A LOT of them. I keep getting popups from it of things that it has found and moved.

I don't seem to be having any more new events or should I say new names popping up now.

So that is where I stand. I'm sure I've left something out. If I think of anything important, I'll add it later.

I'll start now posting my reports.

Thanks!
Blu


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:49 AM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f30e75d-30a5-46c1-8dec-5ebb9f71f9ed} - C:\WINDOWS\system32\yezumoyu.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a3e3b016-e65d-4c15-84f8-392f6f4bda2a} - C:\WINDOWS\system32\yezumoyu.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [000000af] rundll32.exe "C:\WINDOWS\system32\yilituze.dll",b
O4 - HKLM\..\Run: [00000e3a] rundll32.exe "C:\WINDOWS\system32\yilituze.dll",b
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKLM\..\Run: [numupidawi] Rundll32.exe "C:\WINDOWS\system32\gujubova.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll c:\windows\system32\mosoyami.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mosoyami.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mosoyami.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 11793 bytes
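
As an added example (not code from this thread, from HijackThis or from the forum's helpers), these are the checks a log reader applies to the entry types in the log above, run over a sample constructed from that log; the regexes, the security-word list and the known-good DLL list are my own assumptions:

```python
"""Triage checks for a HijackThis log of the kind posted above.

Added example for this thread; it is not part of HijackThis, ComboFix or the
forum's own tooling.  SAMPLE_LOG is constructed from entries quoted in the
first post so the script runs offline.
"""
import re
from collections import defaultdict

# Words marking a domain as security-related; pinning such names to a remote
# address in the hosts file blocks AV updates and redirects to rogue sites.
SECURITY_WORDS = ("microsoft", "antivirus", "security", "scanner", "spybot")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# The DLL/EXE names in the log are eight random lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")

# Vendor DLLs that legitimately load through rundll32 and would otherwise
# trip RANDOM_NAME (powrprof.dll is eight letters long).  Assumed list.
KNOWN_RUNDLL = {"nvcpl.dll", "nvmctray.dll", "powrprof.dll"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\d{1,3}(?:\.\d{1,3}){3}) (\S+)")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
SHELL_RE = re.compile(r"^O2[12] - (?:SSODL|SharedTaskScheduler): .* - (\S+)")

# Constructed sample: a subset of the lines quoted in the first post.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f30e75d-30a5-46c1-8dec-5ebb9f71f9ed} - C:\WINDOWS\system32\yezumoyu.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [000000af] rundll32.exe "C:\WINDOWS\system32\yilituze.dll",b
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKLM\..\Run: [numupidawi] Rundll32.exe "C:\WINDOWS\system32\gujubova.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll c:\windows\system32\mosoyami.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mosoyami.dll (file missing)
"""


def basename(path):
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip().strip('"').split("\\")[-1].lower()


def looks_random(path):
    """True for an eight-letter DLL/EXE name that is not a known vendor file."""
    name = basename(path)
    return bool(RANDOM_NAME.match(name)) and name not in KNOWN_RUNDLL


def triage(log_text):
    """Return (category, detail) findings for the HijackThis lines in log_text."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, domain = m.groups()
            if ip in LOCAL_IPS:
                continue
            hosts_by_ip[ip].append(domain)
            if any(word in domain for word in SECURITY_WORDS):
                findings.append(("hosts_hijack", f"{domain} -> {ip}"))
        elif m := RUN_RE.match(line):
            value_name, command = m.groups()
            dll = RUNDLL_RE.search(command)
            if dll and looks_random(dll.group(1)):
                findings.append(("run_rundll32", f"[{value_name}] {basename(dll.group(1))}"))
        elif m := BHO_RE.match(line):
            target = m.group(1)
            path = target.replace(" (file missing)", "")
            # A BHO whose file is gone, or whose name is random, is an orphan
            # of the infection even when the DLL itself was already removed.
            if path != target or looks_random(path):
                findings.append(("bho_suspect", basename(path)))
        elif m := APPINIT_RE.match(line):
            for entry in re.split(r"[,\s]+", m.group(1)):
                if entry and looks_random(entry):
                    findings.append(("appinit_dll", basename(entry)))
        elif m := SHELL_RE.match(line):
            if looks_random(m.group(1)):
                findings.append(("shell_hook", basename(m.group(1))))
    # Several domains pinned to one remote address is a signal on its own.
    for ip, domains in hosts_by_ip.items():
        if len(domains) >= 3:
            findings.append(("hosts_sinkhole", f"{ip} pins {len(domains)} domains"))
    return findings


def count_by_category(findings):
    """Number of findings per category, as a plain dict."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

Run against the full log from the post, the same checks pick out the hosts redirects to 82.98.231.89, the three rundll32 Run entries, the AppInit_DLLs tail and the SSODL/SharedTaskScheduler hooks, which is the set of entries the helper's ComboFix run later removed.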

Shaba
2009-04-14, 08:35
Hi Bluheart

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Bluheart
2009-04-14, 11:49
Hi Shaba!

I'm off to run the ComboFix as you instructed. I really, really appreciate your quick response to my plea for assistance. :yahoo:

Thanks!
Blu

P.S. I determined that I must be a Conficker Zombie. I'm shocked because I've always done every update and even checked to see if there were updates when it didn't give me notices.

I found tonight that my auto updater had been turned OFF! I turned it back on and checked to see that there were no updates waiting for me.

According to Kaspersky, in the past TWO days, it has now blocked approximately 1,825 viruses, 13 trojans, and 170,743 malware. :thud: I watched the virus count increase while I was checking the totals. :sad:

Shaba
2009-04-14, 12:19
OK, I'll be waiting for logs :)

Bluheart
2009-04-14, 14:16
Hi Shaba,

As you requested...


ComboFix 09-04-14.06 - c logan 04/14/2009 5:56.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.598 [GMT -5:00]
Running from: c:\documents and settings\c logan\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\start.exe
c:\windows\system32\asitelig.ini
c:\windows\system32\dadeyisi.dll
c:\windows\SYSTEM32\ezutiliy.ini
c:\windows\system32\ezutiliy.ini2
c:\windows\system32\fenobeko.dll
c:\windows\system32\giletisa.dll
c:\windows\system32\lilofati.dll
c:\windows\system32\rodalilo.dll
c:\windows\system32\yilituze.dll
c:\windows\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32


((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 08:52 . 2006-03-03 04:42 73728 ----a-w C:\pv.exe
2009-04-12 07:02 . 2009-04-12 07:03 109568 ---ha-w c:\windows\system32\BITC.tmp
2009-04-12 04:09 . 2009-04-12 05:35 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 04:09 . 2009-04-12 05:35 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 04:05 . 2009-04-14 11:00 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 04:05 . 2009-04-14 11:00 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 04:05 . 2009-04-14 11:00 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 04:05 . 2009-04-14 11:00 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-11 13:19 . 2009-04-11 13:19 50 ----a-w c:\windows\Weather.Ini
2009-04-11 12:55 . 2009-04-11 12:56 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-11 11:50 . 2009-04-11 11:50 -------- d-sh--w C:\FOUND.000
2009-04-11 10:14 . 2009-04-11 10:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\timitulo.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\tefupoko.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\lidibaju.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\hudukopo.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\yozekute.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\pasugusa.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\gulidowu.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w C:\fubuveva.dll
2009-04-08 06:20 . 2009-04-08 06:20 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\eMusic
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Application Data\eMusic
2009-03-19 13:46 . 2009-03-19 13:46 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\SpiralfrogClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\BurnAware Free
2009-04-13 09:20 . 2009-04-13 09:20 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:17 . 2009-04-13 09:17 -------- d-----w c:\program files\ERUNT
2009-04-12 07:01 . 2009-01-12 07:01 62976 --sha-w c:\windows\SYSTEM32\bimawoyo.exe
2009-04-12 07:01 . 2009-01-12 07:01 62976 --sha-w c:\windows\SYSTEM32\bimawoyo.exe
2009-04-12 05:58 . 2009-01-12 05:58 62976 --sha-w c:\windows\SYSTEM32\dujujewo.exe
2009-04-12 05:58 . 2009-01-12 05:58 62976 --sha-w c:\windows\SYSTEM32\dujujewo.exe
2009-04-12 05:35 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\program files\Kaspersky Lab
2009-04-11 23:14 . 2009-01-11 23:14 62976 --sha-w c:\windows\SYSTEM32\zorizena.exe
2009-04-11 23:14 . 2009-01-11 23:14 62976 --sha-w c:\windows\SYSTEM32\zorizena.exe
2009-04-11 14:48 . 2009-04-11 14:47 -------- d-----w c:\program files\WeatherMan
2009-04-11 13:28 . 2009-04-11 13:29 1597440 ------w c:\windows\Internet Logs\xDB17.tmp
2009-04-11 13:25 . 2009-01-11 13:25 62464 --sha-w c:\windows\SYSTEM32\yezuyaba.exe
2009-04-11 13:25 . 2009-01-11 13:25 62464 --sha-w c:\windows\SYSTEM32\yezuyaba.exe
2009-04-11 09:26 . 2009-01-11 09:26 64512 --sha-w c:\windows\SYSTEM32\tibayoze.exe
2009-04-11 09:26 . 2009-01-11 09:26 64512 --sha-w c:\windows\SYSTEM32\tibayoze.exe
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w c:\program files\yayojeka.dll
2009-04-11 08:11 . 2009-04-11 08:11 0 --sha-w c:\program files\pewofesa.dll
2009-04-11 07:30 . 2009-01-11 07:30 64512 --sha-w c:\windows\SYSTEM32\kafunepi.exe
2009-04-11 07:30 . 2009-01-11 07:30 64512 --sha-w c:\windows\SYSTEM32\kafunepi.exe
2009-04-09 05:23 . 2009-04-09 05:23 -------- d-----w c:\program files\Common Files\Skype
2009-04-02 07:13 . 2007-02-17 02:50 27551379 ------w c:\windows\Internet Logs\tvDebug.zip
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\program files\eMusic Download Manager
2009-03-19 13:46 . 2009-03-19 13:46 -------- d-----w c:\program files\SpiralFrog
2009-03-11 03:10 . 2009-03-11 03:10 -------- d-----w c:\program files\DivX
2009-03-09 10:19 . 2009-03-06 05:30 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-05 09:07 . 2009-03-05 09:07 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-02-27 13:11 . 2006-10-06 05:51 73584 ----a-w c:\documents and settings\c logan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 18:43 . 2009-02-25 18:43 -------- d-----w c:\program files\SpywareBlaster
2009-02-25 03:32 . 2009-02-25 03:32 -------- d-----w c:\program files\XoftSpySE
2009-02-19 05:05 . 2009-02-19 05:04 -------- d-----w c:\documents and settings\c logan\Application Data\Move Networks
2009-02-09 11:13 . 2008-10-14 23:31 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-10-06 03:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-01-17 02:35 . 2006-10-06 02:59 3594752 ----a-w c:\windows\SYSTEM32\dllcache\mshtml.dll
2007-12-14 07:52 . 2007-12-14 07:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-10-06 02:50 . 2006-10-06 02:50 266 --sh--w c:\program files\desktop.ini
2006-10-06 02:50 . 2006-10-06 02:50 11079 ---h--w c:\program files\folder.htt
2006-08-08 21:28 . 2006-10-07 21:28 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jar50.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\myspell.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\spellchk.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2004-08-16 917504]
"Google Update"="c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-04-12 206088]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\c logan\Start Menu\Programs\Startup\
MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2006-12-27 237568]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"iDailyDiary"="c:\progra~1\IDAILY~1\iDD.exe" /LOGMIN

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"e:\\Ultima Online 9th Anniversary Collection\\client.exe"=
"e:\\Going To Upload\\Already Uploaded\\Fun Downloads\\Utilities\\abouttime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\New Stuff\\Misc\\abouttime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\bak\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\c logan\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2001-08-10 135168]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e4c120-54be-11db-8cf4-806d6172696f}]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1078145449-682003330-1004.job
- c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 13:51]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1f30e75d-30a5-46c1-8dec-5ebb9f71f9ed} - c:\windows\system32\yezumoyu.dll
BHO-{a3e3b016-e65d-4c15-84f8-392f6f4bda2a} - c:\windows\system32\yezumoyu.dll


.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.myway.com/search/cfg_redir2.jhtml?action=config&id=XB&ptnrs=XB&st=DNS&url=AJmain.jhtml&searchfor=
FF - component: c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\program files\Microsoft Research\HDView for Firefox\nphdview.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 06:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2972)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\program files\ADOBE\PHOTOSHOP ELEMENTS 4.0\PHOTOSHOPELEMENTSFILEAGENT.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\WEATHERMAN\WEATHERMAN.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\SPEED DISK\NOPDB.EXE
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-14 11:09

Pre-Run: 2,307,162,112 bytes free
Post-Run: 2,298,036,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

236 --- E O F --- 2009-02-26 04:07


I await your response.

Thanks! :)

Shaba
2009-04-14, 15:27
Please post also a fresh HijackThis log :)

Bluheart
2009-04-14, 22:57
Fresh off the press! :D:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:38 PM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 10181 bytes

Shaba
2009-04-15, 07:12
Open notepad and copy/paste the text in the codebox below into it:


File::
C:\timitulo.dll
C:\tefupoko.dll
C:\lidibaju.dll
C:\hudukopo.dll
C:\yozekute.dll
C:\pasugusa.dll
C:\gulidowu.dll
C:\fubuveva.dll
c:\windows\SYSTEM32\bimawoyo.exe
c:\windows\SYSTEM32\dujujewo.exe
c:\windows\SYSTEM32\zorizena.exe
c:\windows\SYSTEM32\yezuyaba.exe
c:\windows\SYSTEM32\tibayoze.exe
c:\program files\yayojeka.dll
c:\program files\pewofesa.dll
c:\windows\SYSTEM32\kafunepi.exe


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; Combofix should then continue.
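An added example, not part of this thread and not code from HijackThis or ComboFix: the two patterns a helper looks for in logs like the ones above can be checked mechanically. The HijackThis log has a Run entry that loads an 8-letter random-named DLL through Rundll32 (the [CPM03333da6] mosoyami.dll line), and the ComboFix "Files Created" section in the next reply lists three DLLs written in the same minute with the same size (70144 bytes). The script below parses both line formats and flags those two patterns; the sample log lines are constructed from the entries posted in this thread, and the consonant/vowel name pattern is a heuristic tuned to the names seen here, not a signature.

```python
"""Flag random-named Rundll32 autostarts and same-minute file clusters in HijackThis/ComboFix logs.

Added example for this thread; the heuristics below are assumptions tuned to
the file names that appear in the posted logs, not a detection signature.
"""
import re
from collections import defaultdict

# Names like mosoyami, gujubova, dahodozu: four consonant/vowel pairs.
# Heuristic only: it will not catch every random name, and a real DLL could match.
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")

# HijackThis "O4 - HKLM\..\Run: [entry] command" lines.
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<entry>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 <dll>,<export>  (with or without quotes around the DLL path)
RUNDLL_CMD = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S*)', re.IGNORECASE)

# ComboFix "Files Created" lines: created . modified size attrs path
CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Constructed sample, shaped like the HijackThis entries posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample, shaped like the ComboFix "Files Created" section posted below.
COMBOFIX_SAMPLE = r"""
2009-04-14 20:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 11:05 . 2009-04-14 05:00 70144 ----a-w c:\windows\system32\ruyoweve.dll
2009-04-14 11:05 . 2009-04-14 05:00 70144 ----a-w c:\windows\system32\dahodozu.dll
2009-04-14 11:05 . 2009-04-14 05:00 70144 ----a-w c:\windows\system32\gujubova.dll
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-11 13:19 . 2009-04-11 13:19 50 ----a-w c:\windows\Weather.Ini
"""


def basename_stem(path: str) -> str:
    """Return the file name without directory or extension, lower-cased."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def suspicious_run_entries(hjt_text: str) -> list:
    """Return (entry name, DLL path) for O4 Run lines that load a random-named DLL via rundll32."""
    hits = []
    for line in hjt_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        r = RUNDLL_CMD.search(m.group("cmd"))
        if r and RANDOM_NAME.match(basename_stem(r.group("dll"))):
            hits.append((m.group("entry"), r.group("dll")))
    return hits


def suspicious_file_clusters(combofix_text: str) -> list:
    """Return groups of two or more random-named files created in the same minute with the same size."""
    groups = defaultdict(list)
    for line in combofix_text.splitlines():
        m = CF_LINE.match(line.strip())
        if not m:  # directory entries ("--------" size) and other sections are skipped
            continue
        if RANDOM_NAME.match(basename_stem(m.group("path"))):
            groups[(m.group("created"), int(m.group("size")))].append(m.group("path"))
    return [paths for paths in groups.values() if len(paths) >= 2]


if __name__ == "__main__":
    for entry, dll in suspicious_run_entries(HJT_SAMPLE):
        print(f"Run entry [{entry}] loads random-named DLL: {dll}")
    for cluster in suspicious_file_clusters(COMBOFIX_SAMPLE):
        print("Same-minute, same-size cluster:")
        for path in cluster:
            print("   ", path)
```

Run on the constructed samples it reports the mosoyami.dll Run entry and the three 70144-byte DLLs as one cluster, while the NVIDIA Rundll32 entries and the Windows update files in dllcache pass. The name pattern is deliberately narrow; the point is that the two observations a helper makes by eye (a DLL loaded by rundll32 with a meaningless name, and several files of identical size dropped at the same moment) are both cheap to check from the log text alone.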

Bluheart
2009-04-15, 09:07
Hi Shaba,

This came with some bad and some good. It crashed my system twice during the same run. The 2nd time the notice came up, all of my icons disappeared from my desktop but it continued to run. Here is the copy of the results.

Thanks again for all you do! :)

Blu


ComboFix 09-04-15.08 - c logan 04/15/2009 0:36.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.181 [GMT -5:00]
Running from: c:\documents and settings\c logan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\c logan\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
C:\fubuveva.dll
C:\gulidowu.dll
C:\hudukopo.dll
C:\lidibaju.dll
C:\pasugusa.dll
c:\program files\pewofesa.dll
c:\program files\yayojeka.dll
C:\tefupoko.dll
C:\timitulo.dll
c:\windows\SYSTEM32\bimawoyo.exe
c:\windows\SYSTEM32\dujujewo.exe
c:\windows\SYSTEM32\kafunepi.exe
c:\windows\SYSTEM32\tibayoze.exe
c:\windows\SYSTEM32\yezuyaba.exe
c:\windows\SYSTEM32\zorizena.exe
C:\yozekute.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fubuveva.dll
C:\gulidowu.dll
C:\hudukopo.dll
C:\lidibaju.dll
C:\pasugusa.dll
c:\program files\pewofesa.dll
c:\program files\yayojeka.dll
C:\tefupoko.dll
C:\timitulo.dll
c:\windows\SYSTEM32\bimawoyo.exe
c:\windows\SYSTEM32\dujujewo.exe
c:\windows\system32\hehewora.dll
c:\windows\SYSTEM32\kafunepi.exe
c:\windows\SYSTEM32\tibayoze.exe
c:\windows\SYSTEM32\yezuyaba.exe
c:\windows\SYSTEM32\zorizena.exe
C:\yozekute.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 20:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:53 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:53 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 20:53 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:53 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:53 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:53 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:53 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:53 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:52 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:52 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 11:05 . 2009-04-14 05:00 70144 ----a-w c:\windows\system32\ruyoweve.dll
2009-04-14 11:05 . 2009-04-14 05:00 70144 ----a-w c:\windows\system32\dahodozu.dll
2009-04-14 11:05 . 2009-04-14 05:00 70144 ----a-w c:\windows\system32\gujubova.dll
2009-04-12 07:02 . 2009-04-12 07:03 109568 ---ha-w c:\windows\system32\BITC.tmp
2009-04-12 04:09 . 2009-04-12 05:35 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 04:09 . 2009-04-12 05:35 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 04:05 . 2009-04-15 00:48 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 04:05 . 2009-04-15 00:48 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 04:05 . 2009-04-15 00:48 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 04:05 . 2009-04-15 00:48 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-11 13:19 . 2009-04-11 13:19 50 ----a-w c:\windows\Weather.Ini
2009-04-11 12:55 . 2009-04-11 12:56 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-11 11:50 . 2009-04-11 11:50 -------- d-sh--w C:\FOUND.000
2009-04-11 10:14 . 2009-04-11 10:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-08 06:20 . 2009-04-08 06:20 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\eMusic
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Application Data\eMusic
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 13:46 . 2009-03-19 13:46 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\SpiralfrogClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\BurnAware Free
2009-04-13 09:20 . 2009-04-13 09:20 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:17 . 2009-04-13 09:17 -------- d-----w c:\program files\ERUNT
2009-04-12 05:35 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\program files\Kaspersky Lab
2009-04-11 14:48 . 2009-04-11 14:47 -------- d-----w c:\program files\WeatherMan
2009-04-11 13:28 . 2009-04-11 13:29 1597440 ------w c:\windows\Internet Logs\xDB17.tmp
2009-04-09 05:23 . 2009-04-09 05:23 -------- d-----w c:\program files\Common Files\Skype
2009-04-02 07:13 . 2007-02-17 02:50 27551379 ------w c:\windows\Internet Logs\tvDebug.zip
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\program files\eMusic Download Manager
2009-03-19 13:46 . 2009-03-19 13:46 -------- d-----w c:\program files\SpiralFrog
2009-03-11 03:10 . 2009-03-11 03:10 -------- d-----w c:\program files\DivX
2009-03-09 10:19 . 2009-03-06 05:30 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:22 . 2006-10-06 03:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-05 09:07 . 2009-03-05 09:07 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-03 00:18 . 2006-10-06 03:01 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-03 00:18 . 2006-10-05 22:01 826368 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-02-28 04:54 . 2006-10-06 03:15 636072 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-02-27 13:11 . 2006-10-06 05:51 73584 ----a-w c:\documents and settings\c logan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 18:43 . 2009-02-25 18:43 -------- d-----w c:\program files\SpywareBlaster
2009-02-25 03:32 . 2009-02-25 03:32 -------- d-----w c:\program files\XoftSpySE
2009-02-20 10:20 . 2007-05-09 19:02 13824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-10-06 02:59 70656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-10-06 02:59 161792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-02-19 05:05 . 2009-02-19 05:04 -------- d-----w c:\documents and settings\c logan\Application Data\Move Networks
2009-02-09 12:10 . 2006-10-06 02:59 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2006-10-06 03:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2006-10-06 03:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2006-10-06 02:57 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-14 23:31 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-10-06 03:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 00:02 . 2008-10-14 23:30 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 00:02 . 2004-08-04 03:59 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-10-06 03:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-14 23:31 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2006-10-06 03:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:31 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 23:30 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2006-10-06 03:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-12-14 07:52 . 2007-12-14 07:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-10-06 02:50 . 2006-10-06 02:50 266 --sh--w c:\program files\desktop.ini
2006-10-06 02:50 . 2006-10-06 02:50 11079 ---h--w c:\program files\folder.htt
2006-08-08 21:28 . 2006-10-07 21:28 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jar50.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\myspell.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\spellchk.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-14_11.03.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 00:50 . 2009-04-15 00:50 16384 c:\windows\TEMP\Perflib_Perfdata_178.dat
- 2006-10-06 03:45 . 2007-07-27 14:41 26488 c:\windows\SYSTEM32\spupdsvc.exe
+ 2006-10-06 03:45 . 2008-07-09 07:38 26488 c:\windows\SYSTEM32\spupdsvc.exe
+ 2006-12-13 21:20 . 2007-11-30 12:39 17272 c:\windows\SYSTEM32\spmsg.dll
+ 2006-10-06 03:00 . 2009-02-03 19:59 56832 c:\windows\SYSTEM32\secur32.dll
+ 2006-10-06 03:00 . 2009-02-06 10:39 35328 c:\windows\SYSTEM32\sc.exe
+ 2009-04-14 11:05 . 2009-04-14 05:00 70144 c:\windows\SYSTEM32\ruyoweve.dll
+ 2006-10-06 03:00 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\pngfilt.dll
- 2006-10-06 03:00 . 2008-12-20 22:15 44544 c:\windows\SYSTEM32\pngfilt.dll
+ 2006-10-06 03:00 . 2009-04-15 00:54 67312 c:\windows\SYSTEM32\perfc009.dat
- 2006-10-06 03:00 . 2009-02-02 13:45 67312 c:\windows\SYSTEM32\perfc009.dat
- 2006-10-06 03:14 . 2008-04-14 00:12 91648 c:\windows\SYSTEM32\mtxoci.dll
+ 2006-10-06 03:14 . 2008-06-12 14:23 91648 c:\windows\SYSTEM32\mtxoci.dll
- 2006-10-06 02:59 . 2008-04-14 00:12 66560 c:\windows\SYSTEM32\mtxclu.dll
+ 2006-10-06 02:59 . 2008-06-12 14:23 66560 c:\windows\SYSTEM32\mtxclu.dll
+ 2006-11-08 02:03 . 2009-02-20 18:09 52224 c:\windows\SYSTEM32\msfeedsbs.dll
- 2006-11-08 02:03 . 2008-12-20 22:15 52224 c:\windows\SYSTEM32\msfeedsbs.dll
+ 2006-10-06 03:14 . 2008-06-12 14:23 58880 c:\windows\SYSTEM32\msdtclog.dll
- 2006-10-06 03:14 . 2008-04-14 00:12 58880 c:\windows\SYSTEM32\msdtclog.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 27648 c:\windows\SYSTEM32\jsproxy.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 27648 c:\windows\SYSTEM32\jsproxy.dll
+ 2006-11-07 08:26 . 2009-02-20 10:20 13824 c:\windows\SYSTEM32\ieudinit.exe
- 2006-11-07 08:26 . 2008-12-19 08:10 13824 c:\windows\SYSTEM32\ieudinit.exe
- 2006-10-06 02:59 . 2008-12-20 22:15 44544 c:\windows\SYSTEM32\iernonce.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\iernonce.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 78336 c:\windows\SYSTEM32\ieencode.dll
+ 2006-10-06 02:59 . 2009-02-20 10:20 70656 c:\windows\SYSTEM32\ie4uinit.exe
- 2006-10-06 02:59 . 2008-12-19 08:10 70656 c:\windows\SYSTEM32\ie4uinit.exe
+ 2006-10-17 16:58 . 2009-02-20 18:09 63488 c:\windows\SYSTEM32\icardie.dll
- 2006-10-17 16:58 . 2008-12-20 22:15 63488 c:\windows\SYSTEM32\icardie.dll
+ 2009-04-14 11:05 . 2009-04-14 05:00 70144 c:\windows\SYSTEM32\gujubova.dll
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\SYSTEM32\dllcache\secur32.dll
+ 2006-10-06 03:00 . 2009-02-06 10:39 35328 c:\windows\SYSTEM32\dllcache\sc.exe
- 2006-10-06 03:00 . 2008-12-20 22:15 44544 c:\windows\SYSTEM32\dllcache\pngfilt.dll
+ 2006-10-06 03:00 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\dllcache\pngfilt.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\SYSTEM32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\SYSTEM32\dllcache\mtxclu.dll
- 2007-05-09 19:02 . 2008-12-20 22:15 52224 c:\windows\SYSTEM32\dllcache\msfeedsbs.dll
+ 2007-05-09 19:02 . 2009-02-20 18:09 52224 c:\windows\SYSTEM32\dllcache\msfeedsbs.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\SYSTEM32\dllcache\msdtclog.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 27648 c:\windows\SYSTEM32\dllcache\jsproxy.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 27648 c:\windows\SYSTEM32\dllcache\jsproxy.dll
+ 2007-05-09 19:02 . 2009-02-20 10:20 13824 c:\windows\SYSTEM32\dllcache\ieudinit.exe
- 2007-05-09 19:02 . 2008-12-19 08:10 13824 c:\windows\SYSTEM32\dllcache\ieudinit.exe
+ 2006-10-06 02:59 . 2009-02-20 18:09 44544 c:\windows\SYSTEM32\dllcache\iernonce.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 44544 c:\windows\SYSTEM32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\SYSTEM32\dllcache\ieencode.dll
- 2006-10-06 02:59 . 2008-12-19 08:10 70656 c:\windows\SYSTEM32\dllcache\ie4uinit.exe
+ 2006-10-06 02:59 . 2009-02-20 10:20 70656 c:\windows\SYSTEM32\dllcache\ie4uinit.exe
- 2007-08-20 10:04 . 2008-12-20 22:15 63488 c:\windows\SYSTEM32\dllcache\icardie.dll
+ 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\SYSTEM32\dllcache\icardie.dll
+ 2009-04-14 11:05 . 2009-04-14 05:00 70144 c:\windows\SYSTEM32\dahodozu.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 44544 c:\windows\ie7updates\KB963027-IE7\pngfilt.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 52224 c:\windows\ie7updates\KB963027-IE7\msfeedsbs.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 27648 c:\windows\ie7updates\KB963027-IE7\jsproxy.dll
+ 2009-04-14 21:12 . 2008-12-19 08:10 13824 c:\windows\ie7updates\KB963027-IE7\ieudinit.exe
+ 2009-04-14 21:12 . 2008-12-20 22:15 44544 c:\windows\ie7updates\KB963027-IE7\iernonce.dll
+ 2009-04-14 21:12 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB963027-IE7\ieencode.dll
+ 2009-04-14 21:12 . 2008-12-19 08:10 70656 c:\windows\ie7updates\KB963027-IE7\ie4uinit.exe
+ 2009-04-14 21:12 . 2008-12-20 22:15 63488 c:\windows\ie7updates\KB963027-IE7\icardie.dll
+ 2009-04-14 20:52 . 2008-05-03 11:55 2560 c:\windows\SYSTEM32\xpsp4res.dll
- 2006-10-06 03:01 . 2008-12-20 22:15 826368 c:\windows\SYSTEM32\wininet.dll
+ 2006-10-06 03:01 . 2009-03-03 00:18 826368 c:\windows\SYSTEM32\wininet.dll
- 2006-10-06 03:01 . 2008-04-14 00:12 354304 c:\windows\SYSTEM32\winhttp.dll
+ 2006-10-06 03:01 . 2008-12-16 12:30 354304 c:\windows\SYSTEM32\winhttp.dll
- 2006-10-06 03:01 . 2008-12-20 22:15 233472 c:\windows\SYSTEM32\webcheck.dll
+ 2006-10-06 03:01 . 2009-02-20 18:09 233472 c:\windows\SYSTEM32\webcheck.dll
+ 2006-10-06 03:14 . 2009-02-06 10:10 227840 c:\windows\SYSTEM32\wbem\wmiprvse.exe
+ 2006-10-06 03:14 . 2009-02-09 12:10 453120 c:\windows\SYSTEM32\wbem\wmiprvsd.dll
+ 2006-10-06 03:14 . 2009-02-09 12:10 473600 c:\windows\SYSTEM32\wbem\fastprox.dll
- 2006-10-06 03:01 . 2008-12-20 22:15 105984 c:\windows\SYSTEM32\url.dll
+ 2006-10-06 03:01 . 2009-02-20 18:09 105984 c:\windows\SYSTEM32\url.dll
+ 2006-10-06 03:00 . 2009-02-06 11:11 110592 c:\windows\SYSTEM32\services.exe
+ 2006-10-06 03:00 . 2009-02-09 12:10 401408 c:\windows\SYSTEM32\rpcss.dll
- 2006-10-06 03:00 . 2009-02-02 13:45 432356 c:\windows\SYSTEM32\perfh009.dat
+ 2006-10-06 03:00 . 2009-04-15 00:54 432356 c:\windows\SYSTEM32\perfh009.dat
- 2006-10-06 03:00 . 2008-04-14 00:12 284160 c:\windows\SYSTEM32\pdh.dll
+ 2006-10-06 03:00 . 2009-03-06 14:22 284160 c:\windows\SYSTEM32\pdh.dll
- 2006-10-06 03:00 . 2008-12-20 22:15 102912 c:\windows\SYSTEM32\occache.dll
+ 2006-10-06 03:00 . 2009-02-20 18:09 102912 c:\windows\SYSTEM32\occache.dll
+ 2006-10-06 03:00 . 2009-02-09 12:10 714752 c:\windows\SYSTEM32\ntdll.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 671232 c:\windows\SYSTEM32\mstime.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 671232 c:\windows\SYSTEM32\mstime.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 193024 c:\windows\SYSTEM32\msrating.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 193024 c:\windows\SYSTEM32\msrating.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 477696 c:\windows\SYSTEM32\mshtmled.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 477696 c:\windows\SYSTEM32\mshtmled.dll
- 2006-11-08 02:03 . 2008-12-20 22:15 459264 c:\windows\SYSTEM32\msfeeds.dll
+ 2006-11-08 02:03 . 2009-02-20 18:09 459264 c:\windows\SYSTEM32\msfeeds.dll
- 2006-10-06 03:14 . 2008-04-14 00:12 161792 c:\windows\SYSTEM32\msdtcuiu.dll
+ 2006-10-06 03:14 . 2008-06-12 14:23 161792 c:\windows\SYSTEM32\msdtcuiu.dll
+ 2006-10-06 03:14 . 2008-06-12 14:23 956928 c:\windows\SYSTEM32\msdtctm.dll
- 2006-10-06 03:14 . 2008-04-14 00:12 956928 c:\windows\SYSTEM32\msdtctm.dll
+ 2006-10-06 03:14 . 2008-06-12 14:23 428032 c:\windows\SYSTEM32\msdtcprx.dll
+ 2006-10-06 02:59 . 2009-02-09 12:10 729088 c:\windows\SYSTEM32\lsasrv.dll
- 2006-10-06 02:59 . 2008-04-14 00:11 989696 c:\windows\SYSTEM32\kernel32.dll
+ 2006-10-06 02:59 . 2009-03-21 14:06 989696 c:\windows\SYSTEM32\kernel32.dll
+ 2006-10-17 16:57 . 2009-02-20 18:09 268288 c:\windows\SYSTEM32\iertutil.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 385024 c:\windows\SYSTEM32\iedkcs32.dll
- 2006-10-17 16:27 . 2008-12-20 22:15 383488 c:\windows\SYSTEM32\ieapfltr.dll
+ 2006-10-17 16:27 . 2009-02-20 18:09 383488 c:\windows\SYSTEM32\ieapfltr.dll
- 2006-10-06 02:59 . 2008-12-19 04:23 161792 c:\windows\SYSTEM32\ieakui.dll
+ 2006-10-06 02:59 . 2009-02-20 05:14 161792 c:\windows\SYSTEM32\ieakui.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 230400 c:\windows\SYSTEM32\ieaksie.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 230400 c:\windows\SYSTEM32\ieaksie.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 153088 c:\windows\SYSTEM32\ieakeng.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 153088 c:\windows\SYSTEM32\ieakeng.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 133120 c:\windows\SYSTEM32\extmgr.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 133120 c:\windows\SYSTEM32\extmgr.dll
- 2006-10-06 02:58 . 2008-12-20 22:15 214528 c:\windows\SYSTEM32\dxtrans.dll
+ 2006-10-06 02:58 . 2009-02-20 18:09 214528 c:\windows\SYSTEM32\dxtrans.dll
+ 2006-10-06 02:58 . 2009-02-20 18:09 347136 c:\windows\SYSTEM32\dxtmsft.dll
- 2006-10-06 02:58 . 2008-12-20 22:15 347136 c:\windows\SYSTEM32\dxtmsft.dll
+ 2009-04-14 20:52 . 2008-04-21 12:08 215552 c:\windows\SYSTEM32\dllcache\wordpad.exe
+ 2009-04-14 20:53 . 2009-02-06 10:10 227840 c:\windows\SYSTEM32\dllcache\wmiprvse.exe
+ 2009-04-14 20:53 . 2009-02-09 12:10 453120 c:\windows\SYSTEM32\dllcache\wmiprvsd.dll
- 2006-10-05 22:01 . 2008-12-20 22:15 826368 c:\windows\SYSTEM32\dllcache\wininet.dll
+ 2006-10-05 22:01 . 2009-03-03 00:18 826368 c:\windows\SYSTEM32\dllcache\wininet.dll
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\SYSTEM32\dllcache\winhttp.dll
- 2006-10-06 03:01 . 2008-12-20 22:15 233472 c:\windows\SYSTEM32\dllcache\webcheck.dll
+ 2006-10-06 03:01 . 2009-02-20 18:09 233472 c:\windows\SYSTEM32\dllcache\webcheck.dll
+ 2006-10-05 22:01 . 2009-02-20 18:09 105984 c:\windows\SYSTEM32\dllcache\url.dll
- 2006-10-05 22:01 . 2008-12-20 22:15 105984 c:\windows\SYSTEM32\dllcache\url.dll
+ 2009-04-14 20:53 . 2009-02-06 11:11 110592 c:\windows\SYSTEM32\dllcache\services.exe
+ 2009-04-14 20:53 . 2009-02-09 12:10 401408 c:\windows\SYSTEM32\dllcache\rpcss.dll
+ 2009-04-14 20:53 . 2009-03-06 14:22 284160 c:\windows\SYSTEM32\dllcache\pdh.dll
+ 2006-10-06 03:00 . 2009-02-20 18:09 102912 c:\windows\SYSTEM32\dllcache\occache.dll
- 2006-10-06 03:00 . 2008-12-20 22:15 102912 c:\windows\SYSTEM32\dllcache\occache.dll
+ 2009-04-14 20:53 . 2009-02-09 12:10 714752 c:\windows\SYSTEM32\dllcache\ntdll.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 671232 c:\windows\SYSTEM32\dllcache\mstime.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 671232 c:\windows\SYSTEM32\dllcache\mstime.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 193024 c:\windows\SYSTEM32\dllcache\msrating.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 193024 c:\windows\SYSTEM32\dllcache\msrating.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 477696 c:\windows\SYSTEM32\dllcache\mshtmled.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 477696 c:\windows\SYSTEM32\dllcache\mshtmled.dll
- 2007-05-09 19:02 . 2008-12-20 22:15 459264 c:\windows\SYSTEM32\dllcache\msfeeds.dll
+ 2007-05-09 19:02 . 2009-02-20 18:09 459264 c:\windows\SYSTEM32\dllcache\msfeeds.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\SYSTEM32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\SYSTEM32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\SYSTEM32\dllcache\msdtcprx.dll
+ 2009-04-14 20:53 . 2009-02-09 12:10 729088 c:\windows\SYSTEM32\dllcache\lsasrv.dll
+ 2009-03-21 14:06 . 2009-03-21 14:06 989696 c:\windows\SYSTEM32\dllcache\kernel32.dll
+ 2006-10-06 03:15 . 2009-02-28 04:54 636072 c:\windows\SYSTEM32\dllcache\iexplore.exe
+ 2007-05-09 19:02 . 2009-02-20 18:09 268288 c:\windows\SYSTEM32\dllcache\iertutil.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 385024 c:\windows\SYSTEM32\dllcache\iedkcs32.dll
- 2007-05-09 19:02 . 2008-12-20 22:15 383488 c:\windows\SYSTEM32\dllcache\ieapfltr.dll
+ 2007-05-09 19:02 . 2009-02-20 18:09 383488 c:\windows\SYSTEM32\dllcache\ieapfltr.dll
+ 2006-10-06 02:59 . 2009-02-20 05:14 161792 c:\windows\SYSTEM32\dllcache\ieakui.dll
- 2006-10-06 02:59 . 2008-12-19 04:23 161792 c:\windows\SYSTEM32\dllcache\ieakui.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 230400 c:\windows\SYSTEM32\dllcache\ieaksie.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 230400 c:\windows\SYSTEM32\dllcache\ieaksie.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 153088 c:\windows\SYSTEM32\dllcache\ieakeng.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 153088 c:\windows\SYSTEM32\dllcache\ieakeng.dll
+ 2009-04-14 20:53 . 2009-02-09 12:10 473600 c:\windows\SYSTEM32\dllcache\fastprox.dll
- 2006-10-06 02:59 . 2008-12-20 22:15 133120 c:\windows\SYSTEM32\dllcache\extmgr.dll
+ 2006-10-06 02:59 . 2009-02-20 18:09 133120 c:\windows\SYSTEM32\dllcache\extmgr.dll
+ 2006-10-06 02:58 . 2009-02-20 18:09 214528 c:\windows\SYSTEM32\dllcache\dxtrans.dll
- 2006-10-06 02:58 . 2008-12-20 22:15 214528 c:\windows\SYSTEM32\dllcache\dxtrans.dll
+ 2006-10-06 02:58 . 2009-02-20 18:09 347136 c:\windows\SYSTEM32\dllcache\dxtmsft.dll
- 2006-10-06 02:58 . 2008-12-20 22:15 347136 c:\windows\SYSTEM32\dllcache\dxtmsft.dll
+ 2006-10-05 21:57 . 2009-02-20 18:09 124928 c:\windows\SYSTEM32\dllcache\advpack.dll
- 2006-10-05 21:57 . 2008-12-20 22:15 124928 c:\windows\SYSTEM32\dllcache\advpack.dll
+ 2009-04-14 20:53 . 2009-02-09 12:10 617472 c:\windows\SYSTEM32\dllcache\advapi32.dll
- 2006-10-06 02:57 . 2008-12-20 22:15 124928 c:\windows\SYSTEM32\advpack.dll
+ 2006-10-06 02:57 . 2009-02-20 18:09 124928 c:\windows\SYSTEM32\advpack.dll
- 2006-10-06 02:57 . 2008-04-14 00:11 617472 c:\windows\SYSTEM32\advapi32.dll
+ 2006-10-06 02:57 . 2009-02-09 12:10 617472 c:\windows\SYSTEM32\advapi32.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-04-14 21:12 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-04-14 21:12 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-04-14 21:12 . 2008-12-20 22:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-04-14 21:12 . 2008-12-19 04:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-04-14 21:12 . 2008-12-20 22:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-04-14 21:12 . 2008-12-19 04:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2006-10-06 03:01 . 2009-02-20 18:09 1160192 c:\windows\SYSTEM32\urlmon.dll
- 2006-10-06 03:01 . 2008-12-20 22:15 1160192 c:\windows\SYSTEM32\urlmon.dll
- 2006-10-06 03:00 . 2008-05-07 05:12 1288192 c:\windows\SYSTEM32\quartz.dll
+ 2006-10-06 03:00 . 2008-12-20 22:14 1288192 c:\windows\SYSTEM32\quartz.dll
+ 2006-10-06 03:00 . 2009-02-06 11:08 2189056 c:\windows\SYSTEM32\ntoskrnl.exe
- 2004-08-04 03:59 . 2008-08-14 09:33 2066048 c:\windows\SYSTEM32\ntkrnlpa.exe
+ 2004-08-04 03:59 . 2009-02-08 00:02 2066048 c:\windows\SYSTEM32\ntkrnlpa.exe
+ 2006-10-06 02:59 . 2009-02-20 18:09 3595264 c:\windows\SYSTEM32\mshtml.dll
+ 2006-11-08 02:03 . 2009-02-20 18:09 6066176 c:\windows\SYSTEM32\ieframe.dll
- 2006-09-06 04:01 . 2007-04-17 09:28 2455488 c:\windows\SYSTEM32\ieapfltr.dat
+ 2006-09-06 04:01 . 2008-07-09 14:25 2455488 c:\windows\SYSTEM32\ieapfltr.dat
- 2006-10-05 22:01 . 2008-12-20 22:15 1160192 c:\windows\SYSTEM32\dllcache\urlmon.dll
+ 2006-10-05 22:01 . 2009-02-20 18:09 1160192 c:\windows\SYSTEM32\dllcache\urlmon.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\SYSTEM32\dllcache\quartz.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\SYSTEM32\dllcache\quartz.dll
+ 2008-10-14 23:31 . 2009-02-06 11:08 2189056 c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
- 2008-10-14 23:30 . 2008-08-14 09:33 2023936 c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
+ 2008-10-14 23:30 . 2009-02-06 10:32 2023936 c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
+ 2008-10-14 23:30 . 2009-02-08 00:02 2066048 c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
- 2008-10-14 23:30 . 2008-08-14 09:33 2066048 c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
+ 2008-10-14 23:31 . 2009-02-06 11:06 2145280 c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
- 2008-10-14 23:31 . 2008-08-14 10:09 2145280 c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
+ 2006-10-06 02:59 . 2009-02-20 18:09 3595264 c:\windows\SYSTEM32\dllcache\mshtml.dll
+ 2007-05-09 19:02 . 2009-02-20 18:09 6066176 c:\windows\SYSTEM32\dllcache\ieframe.dll
- 2007-05-09 19:02 . 2007-04-17 09:28 2455488 c:\windows\SYSTEM32\dllcache\ieapfltr.dat
+ 2007-05-09 19:02 . 2008-07-09 14:25 2455488 c:\windows\SYSTEM32\dllcache\ieapfltr.dat
+ 2009-04-14 21:12 . 2008-12-20 22:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-04-14 21:12 . 2009-01-17 02:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-04-14 21:12 . 2008-12-20 22:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-04-14 21:12 . 2007-04-17 09:28 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2008-10-14 23:31 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-14 23:30 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 23:30 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-14 23:30 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-14 23:30 . 2009-02-08 00:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-14 23:31 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-14 23:31 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-04-14 01:01 . 2009-04-06 14:57 24921544 c:\windows\SYSTEM32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2004-08-16 917504]
"Google Update"="c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-04-12 206088]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\c logan\Start Menu\Programs\Startup\
MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2006-12-27 237568]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"iDailyDiary"="c:\progra~1\IDAILY~1\iDD.exe" /LOGMIN

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"e:\\Ultima Online 9th Anniversary Collection\\client.exe"=
"e:\\Going To Upload\\Already Uploaded\\Fun Downloads\\Utilities\\abouttime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\New Stuff\\Misc\\abouttime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\bak\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\c logan\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2001-08-10 135168]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e4c120-54be-11db-8cf4-806d6172696f}]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1078145449-682003330-1004.job
- c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 13:51]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.myway.com/search/cfg_redir2.jhtml?action=config&id=XB&ptnrs=XB&st=DNS&url=AJmain.jhtml&searchfor=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 00:41
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-15 0:44
ComboFix-quarantined-files.txt 2009-04-15 05:44
ComboFix2.txt 2009-04-14 11:09

Pre-Run: 1,687,142,400 bytes free
Post-Run: 2,043,740,160 bytes free

465 --- E O F --- 2009-04-14 21:12

~~~~~HJT File Below~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:42 AM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 10226 bytes

Shaba
2009-04-15, 11:23
Looking better but still some bad files.

Run this CFScript and post back a fresh HijackThis log and a fresh ComboFix log, please.


File::
c:\windows\system32\ruyoweve.dll
c:\windows\system32\dahodozu.dll
c:\windows\system32\gujubova.dl
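
One way to check a CFScript run before reading the whole log by hand (added example written for this thread, not part of ComboFix or of either poster's instructions): it compares the FILE :: echo of the script against the Other Deletions section, so a requested path that ComboFix never found stands out, and it flags Run values whose target ComboFix could not stat ("[N/A]"). The sample log is a constructed excerpt modelled on the logs in this thread; the section names and line layout are the ones ComboFix prints.

```python
"""Cross-check a ComboFix log against the CFScript that drove it.

Added example, not ComboFix code. ComboFix echoes the CFScript's File:: list
under a "FILE ::" heading and lists what it removed under "Other Deletions";
comparing the two shows which requested paths were deleted and which were
never found. A second check scans the Run keys under "Reg Loading Points"
for values whose file ComboFix could not stat ("[N/A]").
"""
import re

# Constructed excerpt, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""ComboFix 09-04-15.08 - c logan 04/15/2009 5:01.3 - FAT32x86
* Created a new restore point

FILE ::
c:\windows\system32\dahodozu.dll
c:\windows\system32\gujubova.dl
c:\windows\system32\ruyoweve.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dahodozu.dll
c:\windows\system32\ruyoweve.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-04-12 206088]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-09-18 1657376]
"""

# A ComboFix section banner: "(((( Section Name ))))".
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
# A Run value line: "name"="path" ... [date size] or [N/A].
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)".*?\[(?P<stamp>[^\]]*)\]\s*$')


def _sections(log):
    """Split the log into {section name: [lines]} using the banners and the FILE :: heading."""
    sections = {}
    current = "header"
    for line in log.splitlines():
        m = BANNER.match(line)
        if m or line.strip() == "FILE ::":
            current = m.group(1) if m else "FILE ::"
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def _paths(lines):
    """Keep only the lines that are Windows paths (drop '.', blanks and registry keys)."""
    return [l.strip().lower() for l in lines if "\\" in l and not l.startswith("[")]


def check_cfscript(log):
    """Map each path requested under FILE :: to True if it appears under Other Deletions."""
    secs = _sections(log)
    requested = _paths(secs.get("FILE ::", []))
    deleted = set(_paths(secs.get("Other Deletions", [])))
    return {p: p in deleted for p in requested}


def missing_run_entries(log):
    """Return (value name, path) for Run values whose target ComboFix reported as [N/A]."""
    out = []
    in_run = False
    for line in _sections(log).get("Reg Loading Points", []):
        if line.startswith("["):
            # Only the live Run keys; "run-" holds disabled entries.
            in_run = line.lower().endswith("currentversion\\run]")
            continue
        m = RUN_VALUE.match(line) if in_run else None
        if m and m.group("stamp").strip().upper() == "N/A":
            out.append((m.group("name"), m.group("path")))
    return out


if __name__ == "__main__":
    for path, ok in check_cfscript(SAMPLE_LOG).items():
        print(("deleted   " if ok else "NOT FOUND ") + path)
    for name, path in missing_run_entries(SAMPLE_LOG):
        print(f"Run value {name!r} still points at {path}, which ComboFix could not find")
```

On the excerpt the script reports the two .dll paths as deleted, the "gujubova.dl" entry as not found, and the CPM03333da6 value as pointing at a file that was not present.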

Bluheart
2009-04-15, 13:26
Hi Shaba,

Once again... :)


ComboFix 09-04-15.08 - c logan 04/15/2009 5:01.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.176 [GMT -5:00]
Running from: c:\documents and settings\c logan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\c logan\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\dahodozu.dll
c:\windows\system32\gujubova.dl
c:\windows\system32\ruyoweve.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dahodozu.dll
c:\windows\system32\ruyoweve.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-14 20:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:53 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:53 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 20:53 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:53 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:53 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:53 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:53 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:53 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:52 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:52 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 07:02 . 2009-04-12 07:03 109568 ---ha-w c:\windows\system32\BITC.tmp
2009-04-12 04:09 . 2009-04-12 05:35 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 04:09 . 2009-04-12 05:35 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 04:05 . 2009-04-15 06:36 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 04:05 . 2009-04-15 06:36 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 04:05 . 2009-04-15 06:36 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 04:05 . 2009-04-15 06:36 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-11 13:19 . 2009-04-11 13:19 50 ----a-w c:\windows\Weather.Ini
2009-04-11 12:55 . 2009-04-11 12:56 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-11 11:50 . 2009-04-11 11:50 -------- d-sh--w C:\FOUND.000
2009-04-11 10:14 . 2009-04-11 10:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-08 06:20 . 2009-04-08 06:20 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\eMusic
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Application Data\eMusic
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 13:46 . 2009-03-19 13:46 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\SpiralfrogClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 06:38 . 2007-02-17 02:50 28722327 ------w c:\windows\Internet Logs\tvDebug.zip
2009-04-15 05:57 . 2009-04-15 05:57 37533 ----a-w C:\ComboFix 2.txt
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\BurnAware Free
2009-04-13 09:20 . 2009-04-13 09:20 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:17 . 2009-04-13 09:17 -------- d-----w c:\program files\ERUNT
2009-04-12 05:35 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\program files\Kaspersky Lab
2009-04-11 14:48 . 2009-04-11 14:47 -------- d-----w c:\program files\WeatherMan
2009-04-11 13:28 . 2009-04-11 13:29 1597440 ------w c:\windows\Internet Logs\xDB17.tmp
2009-04-09 05:23 . 2009-04-09 05:23 -------- d-----w c:\program files\Common Files\Skype
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\program files\eMusic Download Manager
2009-03-19 13:46 . 2009-03-19 13:46 -------- d-----w c:\program files\SpiralFrog
2009-03-11 03:10 . 2009-03-11 03:10 -------- d-----w c:\program files\DivX
2009-03-09 10:19 . 2009-03-06 05:30 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:22 . 2006-10-06 03:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-05 09:07 . 2009-03-05 09:07 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-03 00:18 . 2006-10-06 03:01 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-03 00:18 . 2006-10-05 22:01 826368 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-02-28 04:54 . 2006-10-06 03:15 636072 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-02-27 13:11 . 2006-10-06 05:51 73584 ----a-w c:\documents and settings\c logan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 18:43 . 2009-02-25 18:43 -------- d-----w c:\program files\SpywareBlaster
2009-02-25 03:32 . 2009-02-25 03:32 -------- d-----w c:\program files\XoftSpySE
2009-02-20 10:20 . 2007-05-09 19:02 13824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-10-06 02:59 70656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-10-06 02:59 161792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-02-19 05:05 . 2009-02-19 05:04 -------- d-----w c:\documents and settings\c logan\Application Data\Move Networks
2009-02-09 12:10 . 2006-10-06 02:59 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2006-10-06 03:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2006-10-06 03:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2006-10-06 02:57 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-14 23:31 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-10-06 03:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 00:02 . 2008-10-14 23:30 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 00:02 . 2004-08-04 03:59 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-10-06 03:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-14 23:31 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2006-10-06 03:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:31 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 23:30 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2006-10-06 03:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-12-14 07:52 . 2007-12-14 07:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-10-06 02:50 . 2006-10-06 02:50 266 --sh--w c:\program files\desktop.ini
2006-10-06 02:50 . 2006-10-06 02:50 11079 ---h--w c:\program files\folder.htt
2006-08-08 21:28 . 2006-10-07 21:28 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-10-06 03:41:24 . 2008-06-19 04:16 c:\program files\mozilla firefox\components\jar50.dll
2008-10-06 03:41:24 . 2008-06-19 04:16 c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-06 03:41:24 . 2008-06-19 04:16 c:\program files\mozilla firefox\components\myspell.dll
2008-10-06 03:41:26 . 2008-06-19 04:16 c:\program files\mozilla firefox\components\spellchk.dll
2008-10-06 03:41:26 . 2008-06-19 04:16 c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-04-15_05.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-15 06:38 . 2009-04-15 06:38 16384 c:\windows\TEMP\Perflib_Perfdata_80.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2004-08-16 917504]
"Google Update"="c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-04-12 206088]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\c logan\Start Menu\Programs\Startup\
MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2006-12-27 237568]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"iDailyDiary"="c:\progra~1\IDAILY~1\iDD.exe" /LOGMIN

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"e:\\Ultima Online 9th Anniversary Collection\\client.exe"=
"e:\\Going To Upload\\Already Uploaded\\Fun Downloads\\Utilities\\abouttime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\New Stuff\\Misc\\abouttime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\bak\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\c logan\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2001-08-10 135168]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e4c120-54be-11db-8cf4-806d6172696f}]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1078145449-682003330-1004.job
- c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 13:51]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.myway.com/search/cfg_redir2.jhtml?action=config&id=XB&ptnrs=XB&st=DNS&url=AJmain.jhtml&searchfor=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-15 05:07
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-15 5:09
ComboFix-quarantined-files.txt 2009-04-15 10:09
ComboFix2.txt 2009-04-15 05:44

Pre-Run: 1,999,945,728 bytes free
Post-Run: 1,960,574,976 bytes free

208 --- E O F --- 2009-04-14 21:12



~~~~~HJT Log~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:46 AM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 10264 bytes

Bluheart
2009-04-15, 13:35
I see that one of the files that has been giving me problems is still in there but it's not been on your removal list.

O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a

Every time I reboot I get a popup saying:

RUNDLL
Error Loading C:\WINDOWS\System32\mosoyami.dll
The specified module could not be found.

There had been two of them but one of them stopped some time yesterday. It was for gujubova.dll.

Shaba
2009-04-15, 15:06
Yes, that is a leftover.

You can fix it with HijackThis.

After that, please run a scan with Kaspersky and post back its log and a fresh HijackThis log.
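The entry Shaba calls a leftover is a Run value that still points rundll32 at a DLL Kaspersky or ComboFix has already removed; that is exactly what produces the "RUNDLL Error loading ... The specified module could not be found" box at every logon. As an added example (it is not part of this thread and not HijackThis's or Kaspersky's own code), here is a small Python script that reads O4 lines in the format of the HijackThis log posted above, pulls the DLL path out of each rundll32 command, and reports the ones whose DLL no longer exists, together with the reg.exe command that removes just that value. The O4 sample lines are copied from the log in this thread; the "which files exist" predicate is a constructed stand-in so the script runs off the infected box (on the machine itself pass os.path.exists), and the eight-random-letters name check is a heuristic I added based on the names in this thread, not a rule from either tool.

```python
import ntpath
import os
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# HijackThis 2.0.x "O4" autorun line, e.g.
#   O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# "rundll32[.exe] <dll>,<entrypoint> [args]", DLL quoted or bare, rundll32 with or
# without a leading directory (C:\WINDOWS\system32\rundll32.exe ...).
RUNDLL_RE = re.compile(
    r'^(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,]+?))'
    r'\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Heuristic only (my assumption, not a tool rule): every DLL Kaspersky flagged in
# this thread is eight random lowercase letters (mosoyami, gujubova, dahodozu, ...).
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}\.dll$')

RUN_KEY = r'Software\Microsoft\Windows\CurrentVersion'


def parse_o4_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One dict (hive, key, name, cmd) per O4 line; other lines are ignored."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def rundll_target(cmd: str) -> Optional[Tuple[str, str]]:
    """(dll_path, entry_point) if cmd is a rundll32 invocation, else None."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    return (m.group('quoted') or m.group('bare')).strip(), m.group('entry')


def find_orphaned_rundll_entries(
        lines: Iterable[str],
        exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, str]]:
    """Run-key rundll32 entries whose DLL is missing from disk.

    Each one makes Windows show 'RUNDLL  Error loading <dll>  The specified module
    could not be found.' at logon. `exists` is injectable so a captured log can be
    checked off the affected machine.
    """
    orphans = []
    for e in parse_o4_lines(lines):
        target = rundll_target(e['cmd'])
        if target is None:
            continue
        dll, entry = target
        if exists(dll):
            continue
        orphans.append({
            **e,
            'dll': dll,
            'entry': entry,
            'random_name': bool(RANDOM_NAME_RE.match(ntpath.basename(dll).lower())),
            # reg.exe command removing only this value (same effect as fixing it in HijackThis)
            'fix': f'reg delete "{e["hive"]}\\{RUN_KEY}\\{e["key"]}" /v "{e["name"]}" /f',
        })
    return orphans


# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit',
    r'O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

# Constructed stand-in for the disk: the NVIDIA DLLs are present, the quarantined one is gone.
_PRESENT = {r'c:\windows\system32\nvcpl.dll', r'c:\windows\system32\nvmctray.dll'}


def sample_exists(path: str) -> bool:
    return path.lower() in _PRESENT


if __name__ == '__main__':
    for o in find_orphaned_rundll_entries(SAMPLE_O4_LINES, sample_exists):
        print(f"{o['hive']}\\..\\{o['key']} [{o['name']}] -> missing {o['dll']} "
              f"(random-looking name: {o['random_name']})")
        print('   ', o['fix'])
```

Against the sample the only hit is the CPM03333da6 value pointing at mosoyami.dll; the two NVIDIA rundll32 entries are skipped because their DLLs exist. Deleting the value stops the popup but says nothing about whether the DLL itself is gone from disk and from System Restore, so a fresh scan afterwards, as Shaba asks for, is still the right follow-up.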

Bluheart
2009-04-16, 00:51
Hi Shaba,

I ran a full scan since I wasn't sure what to do. I figured it was quicker to do that than to wait to ask you and then do what you said. So ignore whatever drives you don't want.

I don't know why Kaspersky says everything has been postponed. I'm not sure I like this program. When we are done :cleaning: my computer, I do want to talk about which programs are the worst and best.

Now on with the show...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:31 PM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 10231 bytes
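The Kaspersky report posted further down lists the same objects many times over with the status Postponed, Skipped by user or Written to report, and most of the hits are copies sitting in System Restore points, in ComboFix's C:\Qoobox quarantine, in HouseCall's quarantine folder, or inside archives on the data drives. As an added example (not from the thread and not Kaspersky's own tooling), here is a Python triage script that parses lines in the format of that report, drops the repeated "Full Scan:" summary headers, de-duplicates by verdict and path, and groups the unique detections by where the object actually sits, so the live files under C:\WINDOWS stand out from the inert copies. The sample lines are copied from the posted report (a constructed excerpt); the location categories, the path patterns used to recognise them and the urgency order are my own assumptions, and only the three status words that appear in the posted report are recognised.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Only the outcomes seen in the posted report; any other line is returned as
# unparsed instead of being split at a wrong place.
STATUSES = ('Postponed', 'Skipped by user', 'Written to report')
LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<state>[A-Za-z ]+?): (?P<verdict>\S+) (?P<path>.+?) '
    r'(?P<status>' + '|'.join(re.escape(s) for s in STATUSES) + r')$'
)

# Rough urgency order (assumption): live system files first, stored copies last.
ORDER = ['live-windows', 'temp-or-cache', 'other', 'inside-archive',
         'restore-point', 'quarantine']


def classify(path: str) -> str:
    """Where the detected object sits; patterns are assumptions based on this thread."""
    p = path.lower()
    if '\\qoobox\\quarantine\\' in p or '\\.housecall\\quarantine\\' in p:
        return 'quarantine'        # already pulled out by ComboFix / HouseCall
    if '\\system volume information\\_restore' in p:
        return 'restore-point'     # copy inside a System Restore point
    if re.search(r'\.(zip|rar|cab|exe|bin)/', p):
        return 'inside-archive'    # Kaspersky uses '/' to descend into containers
    if '\\temporary internet files\\' in p or '\\local settings\\temp\\' in p:
        return 'temp-or-cache'
    if p.startswith('c:\\windows\\'):
        return 'live-windows'      # loose file in the running system's Windows tree
    return 'other'


def parse_report(lines) -> Tuple[List[Dict[str, str]], List[str]]:
    hits, unparsed = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith('Full Scan:'):
            continue               # summary header repeated before every date block
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d['where'] = classify(d['path'])
            hits.append(d)
        else:
            unparsed.append(line)
    return hits, unparsed


def triage(lines) -> Tuple['OrderedDict[str, List[Dict[str, str]]]', List[str]]:
    """Unique (verdict, path) detections grouped by location, most urgent group first."""
    hits, unparsed = parse_report(lines)
    seen, groups = set(), {}
    for h in hits:
        key = (h['verdict'], h['path'].lower())
        if key in seen:
            continue
        seen.add(key)
        groups.setdefault(h['where'], []).append(h)
    ordered = OrderedDict((k, groups[k]) for k in ORDER if k in groups)
    return ordered, unparsed


# Constructed excerpt: lines copied from the Kaspersky report posted in this thread.
SAMPLE_REPORT = r'''
Full Scan: completed 4/15/2009 1:58:42 PM (events: 150, objects: 898437, time: 04:26:53)
4/12/2009 12:58:07 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\mosoyami.dll Postponed
4/12/2009 12:37:11 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\gujubova.dll Postponed
4/12/2009 2:49:11 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\c logan\Local Settings\Temp\225e.exe1 Postponed
4/12/2009 2:49:11 AM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a e:\new stuff\most important\wxbugsetup6.07.0.24.zip/WxBugSetup6.07.0.24.exe/WiseSFXDropper/WISE0012.BIN Skipped by user
4/12/2009 8:20:47 PM Untreated: IRC-Worm.VBS.Melith H:\mirc2\download\album.mrc Postponed
4/12/2009 7:10:39 PM Untreated: Trojan-Downloader.Win32.Busky.gen I:\Documents and Settings\Cheryl\.housecall\Quarantine\h91746.exe.bac_a02116/CryptFF.b Postponed
4/14/2009 6:33:55 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\ruyoweve.dll Postponed
4/15/2009 1:35:44 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\ruyoweve.dll Written to report
4/15/2009 8:16:16 AM Untreated: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ruyoweve.dll.vir Postponed
4/15/2009 8:15:47 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP497\A0163737.DLL Postponed
4/15/2009 9:17:17 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IAKCMWO7\d[1].htm Written to report
'''.strip().splitlines()


if __name__ == '__main__':
    groups, unparsed = triage(SAMPLE_REPORT)
    for where, items in groups.items():
        print(f'{where} ({len(items)})')
        for h in items:
            print(f"   {h['verdict']}  {h['path']}  [{h['status']}]")
    for line in unparsed:
        print('UNPARSED:', line)
```

On the excerpt the "live-windows" group is the three random-named DLLs in SYSTEM32, which is where the cleanup effort belongs; the Qoobox and .housecall hits are copies already quarantined by other tools, and the restore-point copy goes away when System Restore is purged at the end. Note that the renamed dropper in Local Settings\Temp (225e.exe1) is still picked up by the heuristic: changing the extension stops it auto-running but does not make it harmless.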

Bluheart
2009-04-16, 00:55
If you see the ones on the 12th that are on my E: drive that say they are a hoax, those are fun downloads from a website I have. Kaspersky has plucked some of them out and left the majority of them yet it flagged nearly all of them at some point or another. Some it finally decided to ignore for some reason.


~~~~~Kaspersky Scan~~~~~

Full Scan: completed 4/15/2009 1:58:42 PM (events: 150, objects: 898437, time: 04:26:53)
4/12/2009 12:58:23 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\vumuravo.dll Postponed
4/12/2009 12:58:07 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\mosoyami.dll Postponed
4/12/2009 12:50:09 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\ruyoweve.dll Postponed
4/12/2009 12:49:11 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\hehewora.dll Postponed
4/12/2009 12:48:19 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\bokajumi.dll Postponed
4/12/2009 12:39:35 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\niyihese.dll Postponed
4/12/2009 12:39:14 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\dahodozu.dll Postponed
4/12/2009 12:37:11 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\gujubova.dll Postponed
4/12/2009 12:36:48 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\topodone.dll Postponed
Full Scan: completed 4/15/2009 1:58:42 PM (events: 150, objects: 898437, time: 04:26:53)
4/12/2009 2:49:11 AM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a e:\new stuff\most important\wxbugsetup6.07.0.24.zip/WxBugSetup6.07.0.24.exe/WiseSFXDropper/WISE0012.BIN Skipped by user
4/12/2009 2:49:11 AM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\c logan\Local Settings\Temp\225e.exe1 Postponed
Full Scan: completed 4/15/2009 1:58:42 PM (events: 150, objects: 898437, time: 04:26:53)
4/12/2009 4:12:11 AM Untreated: not-a-virus:AdWare.Win32.Shopper.am e:\Music\true connect_ShareAccelerator.zip/zapu_setup_s1.exe/WISE0015.BIN/data0014/data0008 Postponed
4/12/2009 3:01:10 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\ruyoweve.dll Postponed
4/12/2009 3:01:08 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\hehewora.dll Postponed
4/12/2009 3:00:58 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\niyihese.dll Postponed
Full Scan: completed 4/15/2009 1:58:42 PM (events: 150, objects: 898437, time: 04:26:53)
4/12/2009 8:24:22 PM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\c logan\Local Settings\Temp\225e.exe1 Written to report
4/12/2009 8:20:59 PM Untreated: not-a-virus:AdWare.Win32.WurldMedia.a J:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165131.exe/WISE0014.BIN/WISE0013.BIN Skipped by user
4/12/2009 8:20:56 PM Untreated: not-a-virus:AdWare.Win32.Aureate J:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165122.exe/WISE0025.BIN Skipped by user
4/12/2009 8:20:53 PM Untreated: not-a-virus:AdWare.Win32.Aureate J:\DL New\gozilla39.exe/WISE0025.BIN Skipped by user
4/12/2009 8:20:48 PM Untreated: not-a-virus:AdWare.Win32.Aureate H:\mirc2\download\cutmx1032b.exe/WISE0011.BIN/advert.dll Postponed
4/12/2009 8:20:47 PM Untreated: IRC-Worm.VBS.Melith H:\mirc2\download\album.mrc Postponed
4/12/2009 8:02:04 PM Untreated: not-a-virus:AdWare.Win32.WurldMedia.a J:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165131.exe/WISE0014.BIN/WISE0013.BIN Postponed
4/12/2009 8:02:04 PM Untreated: not-a-virus:AdWare.Win32.Aureate J:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165122.exe/WISE0025.BIN Postponed
4/12/2009 7:54:22 PM Untreated: not-a-virus:AdWare.Win32.WurldMedia.a J:\New Stuff\Music DL programs\Morph20 NEW.exe/WISE0014.BIN/WISE0013.BIN Postponed
4/12/2009 7:29:36 PM Untreated: not-a-virus:AdWare.Win32.Aureate J:\DL New\gozilla39.exe/WISE0025.BIN Postponed
4/12/2009 7:21:27 PM Untreated: not-a-virus:AdWare.Win32.Aureate.a J:\Going To Upload\Already Uploaded\Fun Downloads\Thinkers\youresp.zip/youresp.exe/WISE0019.BIN Postponed
4/12/2009 7:20:57 PM Untreated: not-a-virus:AdWare.Win32.Aureate J:\Going To Upload\Already Uploaded\Fun Downloads\Utilities\octopus.zip/Setup.EXE/WISE0019.BIN Postponed
4/12/2009 7:20:36 PM Untreated: Hoax.Win32.BadJoke.Stript J:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\y2kcrashsimulator.zip/y2kcrash-nt5dem1.exe Postponed
4/12/2009 7:20:35 PM Untreated: Hoax.Win16.Pornovir J:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\smile.zip/smile.exe Postponed
4/12/2009 7:20:35 PM Untreated: Hoax.DOS.BadJoke.Water.a J:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\relievewater.zip/water.exe/ExePack Postponed
4/12/2009 7:20:34 PM Untreated: Hoax.Win32.BadJoke.Bugs.30 J:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\bug.zip/bugs.exe Postponed
4/12/2009 7:18:22 PM Untreated: Hoax.Win16.BadJoke.Stupid.a J:\Going To Upload\Already Uploaded\Fun Downloads\open.zip/Open.exe Postponed
4/12/2009 7:18:17 PM Untreated: Hoax.Win32.BadJoke.Y2KChecker J:\Going To Upload\Already Uploaded\Fun Downloads\y2k.zip/Y2k.exe Postponed
4/12/2009 7:18:11 PM Untreated: Hoax.Win32.BadJoke.MovingMouse.a J:\Going To Upload\Already Uploaded\Fun Downloads\drunkmouse.zip/DrunkMouse.exe Postponed
4/12/2009 7:17:57 PM Untreated: Hoax.Win32.BadJoke.FakeDel.n J:\Going To Upload\Already Uploaded\Fun Downloads\fakedel.zip/fake_del.exe Postponed
4/12/2009 7:10:39 PM Untreated: Trojan-Downloader.Win32.PurityScan.cq I:\Documents and Settings\Cheryl\.housecall\Quarantine\win35.tmp.exe.bac_a02116/CryptFF.b/data0002/UPX Postponed
4/12/2009 7:10:39 PM Untreated: Trojan-Downloader.Win32.Busky.gen I:\Documents and Settings\Cheryl\.housecall\Quarantine\h91746.exe.bac_a02116/CryptFF.b Postponed
4/12/2009 7:10:39 PM Untreated: Trojan-Downloader.Win32.Busky.gen I:\Documents and Settings\Cheryl\.housecall\Quarantine\A0001801.exe.bac_a02116/CryptFF.b Postponed
4/12/2009 7:10:39 PM Untreated: Trojan-Downloader.Win32.Busky.gen I:\Documents and Settings\Cheryl\.housecall\Quarantine\A0001800.exe.bac_a02116/CryptFF.b Postponed
4/12/2009 6:49:27 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a e:\new stuff\most important\wxbugsetup6.07.0.24.zip/WxBugSetup6.07.0.24.exe/WiseSFXDropper/WISE0012.BIN Postponed
4/12/2009 6:39:42 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a e:\new stuff\Weatherbug Install\WxBugSetup6.07.0.24.exe/WiseSFXDropper/WISE0012.BIN Postponed
4/12/2009 6:38:33 PM Untreated: not-a-virus:AdWare.Win32.WurldMedia.a e:\new stuff\Music DL programs\Morph20 NEW.exe/WISE0014.BIN/WISE0013.BIN Postponed
4/12/2009 6:33:42 PM Untreated: not-a-virus:AdWare.Win32.Shopper.am e:\Music\true connect_ShareAccelerator.zip/zapu_setup_s1.exe/WISE0015.BIN/data0014/data0008 Postponed
4/12/2009 6:32:07 PM Untreated: Hoax.Win32.BadJoke.Stript e:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\y2kcrashsimulator.zip/y2kcrash-nt5dem1.exe Postponed
4/12/2009 6:32:07 PM Untreated: Hoax.Win16.Pornovir e:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\smile.zip/smile.exe Postponed
4/12/2009 6:32:07 PM Untreated: Hoax.DOS.BadJoke.Water.a e:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\relievewater.zip/water.exe/ExePack Postponed
4/12/2009 6:32:07 PM Untreated: Hoax.Win32.BadJoke.Bugs.30 e:\Going To Upload\Already Uploaded\Fun Downloads\Pranks\bug.zip/bugs.exe Postponed
4/12/2009 6:32:01 PM Untreated: not-a-virus:AdWare.Win32.Aureate e:\Going To Upload\Already Uploaded\Fun Downloads\Utilities\octopus.zip/Setup.EXE/WISE0019.BIN Postponed
4/12/2009 6:31:51 PM Untreated: not-a-virus:AdWare.Win32.Aureate.a e:\Going To Upload\Already Uploaded\Fun Downloads\Thinkers\youresp.zip/youresp.exe/WISE0019.BIN Postponed
4/12/2009 6:31:32 PM Untreated: Hoax.Win32.BadJoke.FakeFormat.101 e:\Going To Upload\Already Uploaded\Fun Downloads\fakefmt.zip/fakefmt.exe Postponed
4/12/2009 6:31:30 PM Untreated: Hoax.Win16.BadJoke.Stupid.a e:\Going To Upload\Already Uploaded\Fun Downloads\open.zip/Open.exe Postponed
4/12/2009 6:31:29 PM Untreated: Hoax.Win32.BadJoke.Y2KChecker e:\Going To Upload\Already Uploaded\Fun Downloads\y2k.zip/Y2k.exe Postponed
4/12/2009 6:31:26 PM Untreated: Hoax.Win32.BadJoke.MovingMouse.a e:\Going To Upload\Already Uploaded\Fun Downloads\drunkmouse.zip/DrunkMouse.exe Postponed
4/12/2009 6:31:22 PM Untreated: Hoax.Win32.BadJoke.FakeDel.n e:\Going To Upload\Already Uploaded\Fun Downloads\fakedel.zip/fake_del.exe Postponed
4/12/2009 5:38:58 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a e:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165085.exe/WiseSFXDropper/WISE0012.BIN Postponed
4/12/2009 5:26:21 PM Untreated: not-a-virus:AdWare.Win32.AdMedia.g C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165107.dll Postponed
4/12/2009 5:19:07 PM Untreated: HEUR:Trojan.Win32.Generic C:\Documents and Settings\c logan\Local Settings\Temp\225e.exe1 Postponed
4/12/2009 4:29:54 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a e:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165085.exe/WiseSFXDropper/WISE0012.BIN Postponed
4/12/2009 4:27:29 PM Untreated: not-a-virus:AdWare.Win32.AdMedia.g C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165107.dll Postponed
Full Scan: completed 4/15/2009 1:58:42 PM (events: 150, objects: 898437, time: 04:26:53)
4/13/2009 5:46:24 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a E:\New Stuff\Most Important\WxBugSetup6.07.0.24.zip/WxBugSetup6.07.0.24.exe/WiseSFXDropper/WISE0012.BIN Skipped by user
4/13/2009 5:46:16 PM Untreated: not-a-virus:AdWare.Win32.WeatherBug.a E:\New Stuff\Most Important\WxBugSetup6.07.0.24.zip/WxBugSetup6.07.0.24.exe/WiseSFXDropper/WISE0012.BIN Postponed
Full Scan: completed 4/15/2009 1:58:42 PM (events: 150, objects: 898437, time: 04:26:53)
4/14/2009 6:36:39 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IAKCMWO7\d[1].htm Postponed
4/14/2009 6:33:55 AM Untreated: HEUR:Trojan.Win32.Generic C:\WINDOWS\SYSTEM32\ruyoweve.dll Postponed
4/15/2009 10:28:59 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165244.dll Postponed
4/15/2009 10:29:02 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165243.dll Postponed
4/15/2009 10:29:04 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165245.dll Postponed
4/15/2009 10:29:06 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165236.dll Postponed
4/15/2009 10:29:09 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165235.dll Postponed
4/15/2009 10:29:11 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165237.dll Postponed
4/15/2009 10:29:13 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165238.dll Postponed
4/15/2009 10:29:16 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP498\A0165207.dll Postponed
4/15/2009 10:29:26 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165256.dll Postponed
4/15/2009 10:29:28 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165273.DLL Postponed
4/15/2009 10:29:30 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165258.dll Postponed
4/15/2009 10:29:31 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165261.dll Postponed
4/15/2009 10:29:33 AM Untreated: not-a-virus:AdWare.Win32.AdMedia.g C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165366.dll Postponed
4/15/2009 10:29:39 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165260.dll Postponed
4/15/2009 10:29:41 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165290.dll Postponed
4/15/2009 10:29:44 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165259.dll Postponed
4/15/2009 10:29:46 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165257.dll Postponed
4/15/2009 10:29:49 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165284.dll Postponed
4/15/2009 10:29:52 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165286.dll Postponed
4/15/2009 10:29:54 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165289.dll Postponed
4/15/2009 10:29:55 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165287.dll Postponed
4/15/2009 10:29:57 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165288.dll Postponed
4/15/2009 10:30:03 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165280.dll Postponed
4/15/2009 10:30:06 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165348.dll Postponed
4/15/2009 10:30:08 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165353.dll Postponed
4/15/2009 10:30:09 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165349.dll Postponed
4/15/2009 10:30:14 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165350.dll Postponed
4/15/2009 10:30:17 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165351.dll Postponed
4/15/2009 10:30:19 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165356.dll Postponed
4/15/2009 10:30:21 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165359.dll Postponed
4/15/2009 10:30:23 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165362.dll Postponed
4/15/2009 10:30:26 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165363.dll Postponed
4/15/2009 10:30:29 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165360.dll Postponed
4/15/2009 10:30:31 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165357.dll Postponed
4/15/2009 10:30:34 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165358.dll Postponed
4/15/2009 10:30:36 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165361.dll Postponed
4/15/2009 10:30:38 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165354.dll Postponed
4/15/2009 10:30:41 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165375.dll Postponed
4/15/2009 10:30:43 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165374.dll Postponed
4/15/2009 10:30:46 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165376.dll Postponed
4/15/2009 10:30:48 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165488.dll Postponed
4/15/2009 10:30:51 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165487.dll Postponed
4/15/2009 10:30:54 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165486.dll Postponed
4/15/2009 10:30:56 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165485.dll Postponed
4/15/2009 10:30:58 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165484.dll Postponed
4/15/2009 10:31:00 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165483.dll Postponed
4/15/2009 10:31:03 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165527.dll Postponed
4/15/2009 10:31:05 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165368.dll Postponed
4/15/2009 10:31:07 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165370.dll Postponed
4/15/2009 10:31:10 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165369.dll Postponed
4/15/2009 10:31:13 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165371.dll Postponed
4/15/2009 10:31:15 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165372.dll Postponed
4/15/2009 10:31:17 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165373.dll Postponed
4/15/2009 10:31:20 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165377.dll Postponed
4/15/2009 10:31:23 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165378.dll Postponed
4/15/2009 10:31:25 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165379.dll Postponed
4/15/2009 10:31:27 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165648.dll Postponed
4/15/2009 10:31:29 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165650.dll Postponed
4/15/2009 10:31:31 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165493.dll Postponed
4/15/2009 10:31:34 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165494.dll Postponed
4/15/2009 10:31:36 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165495.dll Postponed
4/15/2009 10:31:38 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165496.dll Postponed
4/15/2009 10:31:42 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165497.dll Postponed
4/15/2009 10:31:45 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP499\A0165498.dll Postponed
4/15/2009 10:32:43 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP502\A0167335.dll Postponed
4/15/2009 10:32:43 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP502\A0167140.dll Postponed
4/15/2009 10:32:52 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP502\A0167336.dll Postponed
4/15/2009 10:32:55 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP502\A0167334.dll Postponed
4/15/2009 10:33:13 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP497\A0163739.dll Postponed
4/15/2009 10:33:15 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP497\A0163737.DLL Postponed
4/15/2009 10:33:18 AM Untreated: HEUR:Trojan.Win32.Generic C:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP497\A0163738.DLL Postponed
4/15/2009 10:33:44 AM Untreated: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hehewora.dll.vir Postponed
4/15/2009 10:33:46 AM Untreated: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dahodozu.dll.vir Postponed
4/15/2009 10:33:47 AM Untreated: HEUR:Trojan.Win32.Generic C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ruyoweve.dll.vir Postponed
4/15/2009 10:45:08 AM Untreated: not-a-virus:AdWare.Win32.BargainBuddy.ab E:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP502\A0167351.exe/ic385.cab/NSTbbi7099.exe/data0002 Postponed
4/15/2009 11:32:11 AM Untreated: not-a-virus:AdWare.Win32.Shopper.am E:\Music\true connect_ShareAccelerator.zip/zapu_setup_s1.exe/WISE0015.BIN/data0014/data0008 Postponed
4/15/2009 11:36:59 AM Untreated: not-a-virus:AdWare.Win32.WurldMedia.a E:\New Stuff\Music DL programs\Morph20 NEW.exe/WISE0014.BIN/WISE0013.BIN Postponed
4/15/2009 12:12:14 PM Untreated: not-a-virus:AdWare.Win32.Aureate.a J:\Going To Upload\Already Uploaded\Fun Downloads\Thinkers\youresp.zip/youresp.exe/WISE0019.BIN Postponed
4/15/2009 12:30:34 PM Untreated: not-a-virus:AdWare.Win32.WurldMedia.a J:\New Stuff\Music DL programs\Morph20 NEW.exe/WISE0014.BIN/WISE0013.BIN Postponed
4/15/2009 12:38:06 PM Untreated: not-a-virus:AdWare.Win32.WurldMedia.a J:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP503\A0167552.exe/WISE0014.BIN/WISE0013.BIN Postponed
4/15/2009 12:38:07 PM Untreated: not-a-virus:AdWare.Win32.BargainBuddy.ab J:\System Volume Information\_restore{EE7BD611-D6F2-4A2A-B9FB-93DDA7D96553}\RP502\A0167352.exe/ic385.cab/NSTbbi7099.exe/data0002 Postponed

Shaba
2009-04-16, 07:13
It depends on settings, too.

Delete these:

C:\WINDOWS\SYSTEM32\ruyoweve.dll
C:\WINDOWS\SYSTEM32\dahodozu.dll
E:\Music\true connect_ShareAccelerator.zip
E:\New Stuff\Music DL programs\Morph20 NEW.exe
J:\Going To Upload\Already Uploaded\Fun Downloads\Thinkers\youresp.zip
J:\New Stuff\Music DL programs\Morph20 NEW.exe

Empty Recycle Bin.

Other malware is in combofix quarantine or in system restore.

We will empty those later.

Still problems?

Bluheart
2009-04-16, 13:11
That true connect_ShareAccelerator.zip shows to have been created on Thursday, March 08, 2007, 2:20:39 AM, and modified Yesterday, April 15, 2009, 1:58:40 PM. I haven't downloaded anything recently except for what you have instructed me to. I'm not really sure where it came from. Needless to say, it's deleted now. I do know it's not the file that started this mess. I do think I know which one set off my fireworks.

I've had the file J:\Going To Upload\Already Uploaded\Fun Downloads\Thinkers\youresp.zip since Monday, October 18, 1999, 1:20:54 AM. This mess modified it Yesterday, April 15, 2009, 1:58:40 PM and made it a 1kb file. It's gone too now.

I can't find C:\WINDOWS\SYSTEM32\ruyoweve.dll or C:\WINDOWS\SYSTEM32\dahodozu.dll in that location or in the .dll cache folder either. I exposed that folder and peeked in there too.


I'm not having any more popups but I can tell my system is not quite back up to par yet. I have a fair amount of lagging going on for some reason. I'm having to boot a couple of times a day. I know I have a video card issue right now but this is worse than it was before I got infected.

I'm actually surprised I haven't lost more of my fun downloads programs than I have. I can always just go get them from my webpage so it's not a total loss. :bigthumb:

Thanks again for the time you are taking to help me thru this. I really do appreciate all you are doing for me. :)

Bluheart
2009-04-16, 13:40
Shaba,

I forgot, I still have this error when I reboot:


RUNDLL
Error Loading C:\WINDOWS\System32\mosoyami.dll
The specified module could not be found.


Thanks,
Blu

Shaba
2009-04-16, 18:59
Yes, you can fix this entry:

O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a

As for those two files:

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\SYSTEM32\ruyoweve.dll
C:\WINDOWS\SYSTEM32\dahodozu.dll


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

Bluheart
2009-04-17, 02:05
Hi Shaba,

Well, I couldn't find mosoyami.dll so rather than waste the time of waiting to ask you and then run it if you said to, I went out on a limb and put it in with the other two and ran the code. The good news is that the ones YOU put in the code are now totally gone from my computer. The bad news is that mosoyami.dll is still there. It seems to like its home.

Now to business...


ComboFix 09-04-17.01 - c logan 04/16/2009 17:20.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.234 [GMT -5:00]
Running from: c:\documents and settings\c logan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\c logan\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\dahodozu.dll
c:\windows\SYSTEM32\mosoyami.dll
c:\windows\SYSTEM32\ruyoweve.dll
.

((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2009-04-14 20:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:53 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:53 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 20:53 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:53 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:53 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:53 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:53 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:53 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:52 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:52 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 07:02 . 2009-04-12 07:03 109568 ---ha-w c:\windows\system32\BITC.tmp
2009-04-12 04:09 . 2009-04-12 05:35 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 04:09 . 2009-04-12 05:35 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 04:05 . 2009-04-16 10:32 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 04:05 . 2009-04-16 10:32 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 04:05 . 2009-04-16 10:32 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 04:05 . 2009-04-16 10:32 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-11 13:19 . 2009-04-11 13:19 50 ----a-w c:\windows\Weather.Ini
2009-04-11 12:55 . 2009-04-11 12:56 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-11 11:50 . 2009-04-11 11:50 -------- d-sh--w C:\FOUND.000
2009-04-11 10:14 . 2009-04-11 10:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-08 06:20 . 2009-04-08 06:20 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\eMusic
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Application Data\eMusic
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 13:46 . 2009-03-19 13:46 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\SpiralfrogClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 06:38 . 2007-02-17 02:50 28722327 ------w c:\windows\Internet Logs\tvDebug.zip
2009-04-15 05:57 . 2009-04-15 05:57 37533 ----a-w C:\ComboFix 2.txt
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\BurnAware Free
2009-04-13 09:20 . 2009-04-13 09:20 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:17 . 2009-04-13 09:17 -------- d-----w c:\program files\ERUNT
2009-04-12 05:35 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\program files\Kaspersky Lab
2009-04-11 14:48 . 2009-04-11 14:47 -------- d-----w c:\program files\WeatherMan
2009-04-11 13:28 . 2009-04-11 13:29 1597440 ------w c:\windows\Internet Logs\xDB17.tmp
2009-04-09 05:23 . 2009-04-09 05:23 -------- d-----w c:\program files\Common Files\Skype
2009-03-11 03:10 . 2009-03-11 03:10 -------- d-----w c:\program files\DivX
2009-03-09 10:19 . 2009-03-06 05:30 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:22 . 2006-10-06 03:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-05 09:07 . 2009-03-05 09:07 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-03 00:18 . 2006-10-06 03:01 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-03 00:18 . 2006-10-05 22:01 826368 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-02-28 04:54 . 2006-10-06 03:15 636072 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-02-27 13:11 . 2006-10-06 05:51 73584 ----a-w c:\documents and settings\c logan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 18:43 . 2009-02-25 18:43 -------- d-----w c:\program files\SpywareBlaster
2009-02-25 03:32 . 2009-02-25 03:32 -------- d-----w c:\program files\XoftSpySE
2009-02-20 10:20 . 2007-05-09 19:02 13824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-10-06 02:59 70656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-10-06 02:59 161792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-02-19 05:05 . 2009-02-19 05:04 -------- d-----w c:\documents and settings\c logan\Application Data\Move Networks
2009-02-09 12:10 . 2006-10-06 02:59 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2006-10-06 03:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2006-10-06 03:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2006-10-06 02:57 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-14 23:31 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-10-06 03:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 00:02 . 2008-10-14 23:30 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 00:02 . 2004-08-04 03:59 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-10-06 03:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-14 23:31 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2006-10-06 03:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:31 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 23:30 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2006-10-06 03:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-12-14 07:52 . 2007-12-14 07:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-10-06 02:50 . 2006-10-06 02:50 266 --sh--w c:\program files\desktop.ini
2006-10-06 02:50 . 2006-10-06 02:50 11079 ---h--w c:\program files\folder.htt
2006-08-08 21:28 . 2006-10-07 21:28 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jar50.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\myspell.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\spellchk.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-09 17:45 . 2008-08-09 17:45 32768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080920080810\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-15_05.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-16 10:34 . 2009-04-16 10:34 16384 c:\windows\TEMP\Perflib_Perfdata_7fc.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2004-08-16 917504]
"Google Update"="c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-04-12 206088]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\c logan\Start Menu\Programs\Startup\
MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2006-12-27 237568]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"iDailyDiary"="c:\progra~1\IDAILY~1\iDD.exe" /LOGMIN

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"e:\\Ultima Online 9th Anniversary Collection\\client.exe"=
"e:\\Going To Upload\\Already Uploaded\\Fun Downloads\\Utilities\\abouttime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\New Stuff\\Misc\\abouttime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\bak\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\c logan\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2001-08-10 135168]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e4c120-54be-11db-8cf4-806d6172696f}]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1078145449-682003330-1004.job
- c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 13:51]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.myway.com/search/cfg_redir2.jhtml?action=config&id=XB&ptnrs=XB&st=DNS&url=AJmain.jhtml&searchfor=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 17:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2728)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-16 17:48
ComboFix-quarantined-files.txt 2009-04-16 22:48
ComboFix2.txt 2009-04-15 10:09
ComboFix3.txt 2009-04-15 05:44

Pre-Run: 1,793,523,712 bytes free
Post-Run: 1,601,241,088 bytes free

209 --- E O F --- 2009-04-14 21:12

Bluheart
2009-04-17, 02:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:03 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\SYSTEM32\calc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 10190 bytes


Thanks, :)
Blu

Shaba
2009-04-17, 08:16
You can't find this within hijackthis?

O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
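
Shaba's O4 line, together with the `[N/A]` that ComboFix prints next to the same value in its "Reg Loading Points" section, is enough to spot an orphaned autostart mechanically. The Python below is an added example, not part of this thread nor of HijackThis or ComboFix: it parses O4 Run entries from a HijackThis log and the Run-key block of a ComboFix log, then flags entries whose target file ComboFix marks `[N/A]` (removed by the scanner, Run value left behind) and, as a heuristic taken from this particular entry, rundll32 launches of a system32 DLL through a one-letter export. The sample lines are copied from the logs in this thread; the regexes and heuristics are the example's own.

```python
"""Cross-check HijackThis O4 entries against a ComboFix Run-key block.

Added example (not part of this thread, HijackThis or ComboFix): the parsers
accept the log formats posted above and flag autostart entries that deserve
a second look. The heuristics are this example's own, not the tools'.
"""
import re
from dataclasses import dataclass

# HijackThis:  O4 - HKLM\..\Run: [Name] command line
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# ComboFix Run-key value:  "Name"="target" [date size]   or   "Name"="target" [N/A]
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"\s*(?P<meta>.*)$')
# rundll32 launch:  Rundll32.exe "c:\path\x.dll",export
RUNDLL = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)?', re.I)


@dataclass
class Finding:
    hive: str
    name: str
    target: str
    reasons: list


def parse_hjt_o4(text):
    """Map (hive, value name) -> command line for every O4 Run entry."""
    entries = {}
    for line in text.splitlines():
        m = HJT_O4.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"]
    return entries


def parse_combofix_run(text):
    """Map (hive, value name) -> (target, file_missing) from the ComboFix
    'Reg Loading Points' section. Only the plain CurrentVersion Run keys
    count; the Run- (disabled) keys and other keys are skipped."""
    entries, hive, in_run = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):                      # a new registry key header
            upper = s.upper()
            hive = ("HKLM" if upper.startswith("[HKEY_LOCAL_MACHINE") else
                    "HKCU" if upper.startswith("[HKEY_CURRENT_USER") else None)
            in_run = hive is not None and s.lower().endswith(r"\currentversion\run]")
            continue
        m = CF_RUN.match(s) if in_run else None
        if m:
            # ComboFix prints [N/A] instead of [date size] when the file is absent
            entries[(hive, m["name"])] = (m["target"], "[N/A]" in m["meta"])
    return entries


def find_suspect_autostarts(hjt_text, combofix_text):
    """Flag Run entries that are orphaned (target gone) or that match the
    rundll32-plus-one-letter-export pattern seen in this thread."""
    cf = parse_combofix_run(combofix_text)
    findings = []
    for (hive, name), cmd in parse_hjt_o4(hjt_text).items():
        reasons, target = [], cmd
        m = RUNDLL.match(cmd.strip())
        if m:
            target = m["dll"]
            export = m["export"] or ""
            if "\\system32\\" in target.lower() and len(export) <= 1:
                reasons.append("rundll32 loads a system32 DLL via a one-letter or absent export")
        cf_entry = cf.get((hive, name))
        if cf_entry and cf_entry[1]:
            reasons.append("ComboFix marks the target [N/A]: file removed, Run value left behind "
                           "(this is what raises a RUNDLL 'module could not be found' error at logon)")
        if reasons:
            findings.append(Finding(hive, name, target, reasons))
    return findings


# Constructed sample, copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

if __name__ == "__main__":
    for f in find_suspect_autostarts(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(f"{f.hive}\\...\\Run [{f.name}] -> {f.target}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample it reports only the CPM03333da6 value, for both reasons; the NVIDIA rundll32 entry passes because it names a real export and ComboFix found its file.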

Bluheart
2009-04-17, 10:53
:red: Shaba... there it is. I don't know how I missed that. I even did a find for it and didn't find it. Well at least it IS there and has been nabbed!

So what is next now? I feel like I'm getting to the end of a book. :)

Shaba
2009-04-17, 14:41
Good :)

Well do you have any issues left?

Bluheart
2009-04-17, 15:47
Hi Shaba,

Unfortunately, mosoyami.dll has decided it really likes my system. It is still there. I just rebooted to check to see how it is running and I got that same error.

I finally broke down and did a reinstall of my MiniMinder because it had become corrupt. It had holes in the body of the window. :scratch: Very strange looking.

My system is still running kind of funky like. When I reboot it's like everything sticks for a little bit and I can't do anything. I have a few programs that have windows that come up when I first reboot and I have to wait to be able to close them. There is probably a 1 minute or so frozen period there. That didn't happen before. I'm having to boot probably twice a day now as well. I do need a new graphics card. When I get into heavy graphics instances I start lagging and I have to reboot to clear my system however this has increased since this infection.

Make it all go away! :boxing:

Please? :laugh:

Thanks!

Bluheart
2009-04-17, 15:59
Oops I forgot to add some that came up on Kaspersky earlier. The first had the same thing twice. They are the following:


Detected: Virus HEUR: Trojan.Win32.Generic
Object: C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IAKCMWO7\d[1].htm

Detected: Virus HEUR:Trojan.Script.Iframer
Object: http ://kqfzom.info/ariuwexzy/


I broke that 2nd one up because I didn't want to make it a clickable link in case someone reading decided to click it.

Blu

Shaba
2009-04-18, 09:58
That might be because Kaspersky can restore it.

Fix it again in safe mode and let me know if it now stays away.

As for that virus, empty IE temporary internet files. That should do it.

Bluheart
2009-04-21, 07:06
Hi Shaba,

I had a busy weekend and Monday as well. Here's to finally getting back to business but it doesn't look very productive. :sad:

I booted up in safe mode with Kaspersky disabled and paused for an hour. Then I ran ComboFix with mosoyami.dll in it.


ComboFix 09-04-17.01 - c logan 04/20/2009 22:49.5 - FAT32x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.828 [GMT -5:00]
Running from: c:\documents and settings\c logan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\c logan\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

FILE ::
c:\windows\SYSTEM32\mosoyami.dll
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-17 12:34 . 2009-04-17 12:34 193 ----a-w c:\windows\customizer.ini
2009-04-17 12:33 . 2004-03-09 05:00 200224 ----a-w c:\windows\system32\MCI32.OCX
2009-04-14 20:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:53 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:53 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 20:53 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:53 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:53 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:53 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:53 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:53 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:52 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:52 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 07:02 . 2009-04-12 07:03 109568 ---ha-w c:\windows\system32\BITC.tmp
2009-04-12 04:09 . 2009-04-12 05:35 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 04:09 . 2009-04-12 05:35 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-11 13:19 . 2009-04-11 13:19 50 ----a-w c:\windows\Weather.Ini
2009-04-11 12:55 . 2009-04-11 12:56 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-11 10:14 . 2009-04-11 10:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-08 06:20 . 2009-04-08 06:20 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\eMusic
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Application Data\eMusic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 15:40 . 2009-04-17 15:40 -------- d-----w c:\program files\AccuWeatherDesktop
2009-04-17 12:18 . 2007-02-17 02:50 29347685 ------w c:\windows\Internet Logs\tvDebug.zip
2009-04-15 05:57 . 2009-04-15 05:57 37533 ----a-w C:\ComboFix 2.txt
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\BurnAware Free
2009-04-13 09:20 . 2009-04-13 09:20 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:17 . 2009-04-13 09:17 -------- d-----w c:\program files\ERUNT
2009-04-12 05:35 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\program files\Kaspersky Lab
2009-04-11 14:48 . 2009-04-11 14:47 -------- d-----w c:\program files\WeatherMan
2009-04-11 13:28 . 2009-04-11 13:29 1597440 ------w c:\windows\Internet Logs\xDB17.tmp
2009-04-09 05:23 . 2009-04-09 05:23 -------- d-----w c:\program files\Common Files\Skype
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\dllcache\kernel32.dll
2009-03-11 03:10 . 2009-03-11 03:10 -------- d-----w c:\program files\DivX
2009-03-09 10:19 . 2009-03-06 05:30 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:22 . 2006-10-06 03:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-05 09:07 . 2009-03-05 09:07 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-03 00:18 . 2006-10-06 03:01 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-03 00:18 . 2006-10-05 22:01 826368 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-02-28 04:54 . 2006-10-06 03:15 636072 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-02-27 13:11 . 2006-10-06 05:51 73584 ----a-w c:\documents and settings\c logan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 18:43 . 2009-02-25 18:43 -------- d-----w c:\program files\SpywareBlaster
2009-02-25 03:32 . 2009-02-25 03:32 -------- d-----w c:\program files\XoftSpySE
2009-02-20 10:20 . 2007-05-09 19:02 13824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-10-06 02:59 70656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-10-06 02:59 161792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-02-09 12:10 . 2006-10-06 02:59 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2006-10-06 03:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2006-10-06 03:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2006-10-06 02:57 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-14 23:31 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-10-06 03:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 00:02 . 2008-10-14 23:30 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 00:02 . 2004-08-04 03:59 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-10-06 03:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-14 23:31 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2006-10-06 03:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:31 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 23:30 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2006-10-06 03:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-12-14 07:52 . 2007-12-14 07:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-10-06 02:50 . 2006-10-06 02:50 266 --sh--w c:\program files\desktop.ini
2006-10-06 02:50 . 2006-10-06 02:50 11079 ---h--w c:\program files\folder.htt
2006-08-08 21:28 . 2006-10-07 21:28 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jar50.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\myspell.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\spellchk.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-09 17:45 . 2008-08-09 17:45 32768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080920080810\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-15_05.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-06 03:09 . 2009-04-20 16:05 305264 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2006-10-06 03:09 . 2009-03-11 22:45 305264 c:\windows\SYSTEM32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2004-08-16 917504]
"Google Update"="c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\c logan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]
MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2006-12-27 262144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AccuWeather.comr Desktop.lnk - c:\windows\Installer\{DEF1F36E-871C-4B5A-B42C-700A963B71FA}\_14092034.exe [2009-4-17 766]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"iDailyDiary"="c:\progra~1\IDAILY~1\iDD.exe" /LOGMIN

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"e:\\Ultima Online 9th Anniversary Collection\\client.exe"=
"e:\\Going To Upload\\Already Uploaded\\Fun Downloads\\Utilities\\abouttime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\New Stuff\\Misc\\abouttime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\bak\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\c logan\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2001-08-10 135168]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e4c120-54be-11db-8cf4-806d6172696f}]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1078145449-682003330-1004.job
- c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 13:51]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.myway.com/search/cfg_redir2.jhtml?action=config&id=XB&ptnrs=XB&st=DNS&url=AJmain.jhtml&searchfor=
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 22:51
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-21 22:52
ComboFix-quarantined-files.txt 2009-04-21 03:52
ComboFix2.txt 2009-04-16 22:48
ComboFix3.txt 2009-04-15 10:09
ComboFix4.txt 2009-04-15 05:44

Pre-Run: 2,888,450,048 bytes free
Post-Run: 2,912,141,312 bytes free

204 --- E O F --- 2009-04-14 21:12

Bluheart
2009-04-21, 07:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:10 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Global Startup: AccuWeather.com® Desktop.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 7771 bytes


Thanks again,
Blu

Shaba
2009-04-21, 07:59
Please post back a fresh HijackThis log taken in normal mode.

Bluheart
2009-04-21, 10:48
Here you go.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:17 AM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AccuWeatherDesktop\AccuWeatherDesktop.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Global Startup: AccuWeather.com® Desktop.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 10418 bytes

Shaba
2009-04-21, 13:02
Let's try this.

Disable both Kaspersky and ZoneAlarm and now fix that entry.

Let me know if it now stays away.
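
An added triage example, not code from this thread or from HijackThis/ComboFix: it parses the O2 and O4 lines of a HijackThis log and flags the kind of entry Shaba is asking to fix, a Run value that launches rundll32 against a DLL with a random-looking name and a one-letter entry point, plus BHO entries registered with no file on disk. The consonant-vowel naming check is a heuristic built from the names seen in this thread (mosoyami, gujugova, dahodozu); the sample lines are copied from the logs above.

```python
import re

# Constructed sample: lines taken from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)
VOWELS = set("aeiou")


def split_rundll_args(rest):
    """Split 'path,entry [args]' the way rundll32 reads it; the path may be quoted."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:                      # unterminated quote: take everything
            return rest[1:], ""
        path, tail = rest[1:end], rest[end + 1:]
    else:
        m = re.match(r"([^,]+)(.*)", rest)
        path, tail = m.group(1), m.group(2)
    tail = tail.lstrip()
    entry = ""
    if tail.startswith(","):
        parts = tail[1:].split()
        entry = parts[0] if parts else ""
    return path.strip(), entry


def looks_random(stem):
    """Heuristic: 6-10 letters strictly alternating consonant/vowel,
    the pattern of mosoyami / gujugova / dahodozu in this thread."""
    s = stem.lower()
    if not (6 <= len(s) <= 10) or not s.isalpha():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(s))


def triage(log_text):
    """Return (section, identifier, reasons) for each suspicious O2/O4 line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(("O2", m.group("clsid"),
                                 ["BHO registered but its file is missing (orphan)"]))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        r = RUNDLL_RE.match(m.group("cmd").strip())
        if not r:
            continue                       # only rundll32-launched DLLs are scored here
        path, entry = split_rundll_args(r.group("rest"))
        stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking DLL name")
        if len(entry) <= 2:                # NvStartup vs. a bare 'a'
            reasons.append("opaque entry point %r" % entry)
        if reasons:
            findings.append(("O4", m.group("name"), reasons))
    return findings


if __name__ == "__main__":
    for section, ident, reasons in triage(SAMPLE_LOG):
        print(section, ident, "; ".join(reasons))
```

The O2 orphan and the CPM03333da6 Run value are the only two lines reported; the NVIDIA rundll32 entries pass both checks.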

Bluheart
2009-04-21, 14:29
Hi Shaba,

Here goes nothing!


ComboFix 09-04-21.A1 - c logan 04/21/2009 6:18.7 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.412 [GMT -5:00]
Running from: c:\documents and settings\c logan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\c logan\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\mosoyami.dll
.

((((((((((((((((((((((((( Files Created from 2009-03-21 to 2009-04-21 )))))))))))))))))))))))))))))))
.

2009-04-17 12:34 . 2009-04-17 12:34 193 ----a-w c:\windows\customizer.ini
2009-04-17 12:33 . 2004-03-09 05:00 200224 ----a-w c:\windows\system32\MCI32.OCX
2009-04-14 20:53 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:53 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:53 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-14 20:53 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:53 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:53 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:53 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:53 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:53 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-14 20:52 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:52 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 07:02 . 2009-04-12 07:03 109568 ---ha-w c:\windows\system32\BITC.tmp
2009-04-12 04:09 . 2009-04-12 05:35 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 04:09 . 2009-04-12 05:35 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 04:05 . 2009-04-21 03:47 32 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-04-11 13:19 . 2009-04-11 13:19 50 ----a-w c:\windows\Weather.Ini
2009-04-11 12:55 . 2009-04-11 12:56 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-11 10:14 . 2009-04-11 10:14 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-08 06:20 . 2009-04-08 06:20 10520 ------w c:\windows\system32\avgrsstx.dll.install_backup
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Local Settings\Application Data\eMusic
2009-03-24 18:39 . 2009-03-24 18:39 -------- d-----w c:\documents and settings\c logan\Application Data\eMusic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 15:40 . 2009-04-17 15:40 -------- d-----w c:\program files\AccuWeatherDesktop
2009-04-17 12:18 . 2007-02-17 02:50 29347685 ------w c:\windows\Internet Logs\tvDebug.zip
2009-04-15 05:57 . 2009-04-15 05:57 37533 ----a-w C:\ComboFix 2.txt
2009-04-13 22:33 . 2009-04-13 22:33 -------- d-----w c:\program files\BurnAware Free
2009-04-13 09:20 . 2009-04-13 09:20 -------- d-----w c:\program files\Trend Micro
2009-04-13 09:17 . 2009-04-13 09:17 -------- d-----w c:\program files\ERUNT
2009-04-12 05:35 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-12 04:05 . 2009-04-12 04:05 -------- d-----w c:\program files\Kaspersky Lab
2009-04-11 14:48 . 2009-04-11 14:47 -------- d-----w c:\program files\WeatherMan
2009-04-11 13:28 . 2009-04-11 13:29 1597440 ------w c:\windows\Internet Logs\xDB17.tmp
2009-04-09 05:23 . 2009-04-09 05:23 -------- d-----w c:\program files\Common Files\Skype
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\SYSTEM32\dllcache\kernel32.dll
2009-03-11 03:10 . 2009-03-11 03:10 -------- d-----w c:\program files\DivX
2009-03-09 10:19 . 2009-03-06 05:30 410984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2009-03-06 14:22 . 2006-10-06 03:00 284160 ----a-w c:\windows\SYSTEM32\pdh.dll
2009-03-05 09:07 . 2009-03-05 09:07 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-03 00:18 . 2006-10-06 03:01 826368 ----a-w c:\windows\SYSTEM32\wininet.dll
2009-03-03 00:18 . 2006-10-05 22:01 826368 ----a-w c:\windows\SYSTEM32\dllcache\wininet.dll
2009-02-28 04:54 . 2006-10-06 03:15 636072 ----a-w c:\windows\SYSTEM32\dllcache\iexplore.exe
2009-02-27 13:11 . 2006-10-06 05:51 73584 ----a-w c:\documents and settings\c logan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 18:43 . 2009-02-25 18:43 -------- d-----w c:\program files\SpywareBlaster
2009-02-25 03:32 . 2009-02-25 03:32 -------- d-----w c:\program files\XoftSpySE
2009-02-20 10:20 . 2007-05-09 19:02 13824 ------w c:\windows\SYSTEM32\dllcache\ieudinit.exe
2009-02-20 10:20 . 2006-10-06 02:59 70656 ----a-w c:\windows\SYSTEM32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2006-10-06 02:59 161792 ----a-w c:\windows\SYSTEM32\dllcache\ieakui.dll
2009-02-09 12:10 . 2006-10-06 02:59 729088 ----a-w c:\windows\SYSTEM32\lsasrv.dll
2009-02-09 12:10 . 2006-10-06 03:00 401408 ----a-w c:\windows\SYSTEM32\rpcss.dll
2009-02-09 12:10 . 2006-10-06 03:00 714752 ----a-w c:\windows\SYSTEM32\ntdll.dll
2009-02-09 12:10 . 2006-10-06 02:57 617472 ----a-w c:\windows\SYSTEM32\advapi32.dll
2009-02-09 11:13 . 2008-10-14 23:31 1846784 ------w c:\windows\SYSTEM32\dllcache\win32k.sys
2009-02-09 11:13 . 2006-10-06 03:01 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-08 00:02 . 2008-10-14 23:30 2066048 ------w c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
2009-02-08 00:02 . 2004-08-04 03:59 2066048 ----a-w c:\windows\SYSTEM32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-10-06 03:00 110592 ----a-w c:\windows\SYSTEM32\services.exe
2009-02-06 11:08 . 2008-10-14 23:31 2189056 ------w c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
2009-02-06 11:08 . 2006-10-06 03:00 2189056 ----a-w c:\windows\SYSTEM32\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-14 23:31 2145280 ------w c:\windows\SYSTEM32\dllcache\ntkrnlmp.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\sc.exe
2009-02-06 10:39 . 2006-10-06 03:00 35328 ----a-w c:\windows\SYSTEM32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-14 23:30 2023936 ------w c:\windows\SYSTEM32\dllcache\ntkrpamp.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\SYSTEM32\dllcache\secur32.dll
2009-02-03 19:59 . 2006-10-06 03:00 56832 ----a-w c:\windows\SYSTEM32\secur32.dll
2007-12-14 07:52 . 2007-12-14 07:52 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-10-06 02:50 . 2006-10-06 02:50 266 --sh--w c:\program files\desktop.ini
2006-10-06 02:50 . 2006-10-06 02:50 11079 ---h--w c:\program files\folder.htt
2006-08-08 21:28 . 2006-10-07 21:28 32 ----a-r c:\documents and settings\All Users\hash.dat
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jar50.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-10-06 03:2008-06-19 04:16 41:24 . c:\program files\mozilla firefox\components\myspell.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\spellchk.dll
2008-10-06 03:2008-06-19 04:16 41:26 . c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-09 17:45 . 2008-08-09 17:45 32768 --sha-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080920080810\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-04-15_05.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 03:59 . 2009-04-21 03:59 16384 c:\windows\temp\Perflib_Perfdata_770.dat
+ 2006-10-06 03:09 . 2009-04-20 16:05 305264 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2006-10-06 03:09 . 2009-03-11 22:45 305264 c:\windows\SYSTEM32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8461312 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Desktop Calendar"="c:\program files\Desktop Calendar\Desktop Calendar.exe" [2004-08-16 917504]
"Google Update"="c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-08-24 968696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CPM03333da6"="c:\windows\system32\mosoyami.dll" [N/A]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-04-12 206088]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\c logan\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-9 113664]
MiniMinder.lnk - c:\program files\MiniMind\MiniMind.exe [2006-12-27 262144]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AccuWeather.comr Desktop.lnk - c:\windows\Installer\{DEF1F36E-871C-4B5A-B42C-700A963B71FA}\_14092034.exe [2009-4-17 766]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"iDailyDiary"="c:\progra~1\IDAILY~1\iDD.exe" /LOGMIN

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ\\Icq.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"e:\\Ultima Online 9th Anniversary Collection\\client.exe"=
"e:\\Going To Upload\\Already Uploaded\\Fun Downloads\\Utilities\\abouttime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\New Stuff\\Misc\\abouttime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\bak\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\c logan\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808]
S2 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2001-08-10 135168]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31e4c120-54be-11db-8cf4-806d6172696f}]
\Shell\AutoRun\command - H:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1078145449-682003330-1004.job
- c:\documents and settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 13:51]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\c logan\Application Data\Mozilla\Firefox\Profiles\8ayshjwb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://search.myway.com/search/cfg_redir2.jhtml?action=config&id=XB&ptnrs=XB&st=DNS&url=AJmain.jhtml&searchfor=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 06:23
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3452)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-21 6:26
ComboFix-quarantined-files.txt 2009-04-21 11:26
ComboFix2.txt 2009-04-21 11:09
ComboFix3.txt 2009-04-21 03:52
ComboFix4.txt 2009-04-16 22:48
ComboFix5.txt 2009-04-21 11:17

Pre-Run: 1,231,568,896 bytes free
Post-Run: 1,146,716,160 bytes free

212 --- E O F --- 2009-04-14 21:12

Bluheart
2009-04-21, 14:30
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:43 AM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AccuWeatherDesktop\AccuWeatherDesktop.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Global Startup: AccuWeather.com® Desktop.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 10201 bytes


:sad: It's not going away.

Shaba
2009-04-21, 14:49
Let's try different approach.

See here (http://www.kellys-korner-xp.com/xp_msconfig.htm) how to disable it via msconfig.

You can alternatively disable it via spybot as you did with TeaTimer and
iDailyDiary.

Post back a fresh HijackThis log after that.

Bluheart
2009-04-21, 15:20
:yahoo:

Shaba!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:44 AM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AccuWeatherDesktop\AccuWeatherDesktop.exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WeatherMan] "C:\PROGRA~1\WEATHE~1\WEATHE~1.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Global Startup: AccuWeather.com® Desktop.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 8760 bytes

I have read and reread and reread this over and over hunting for it even tho I KNOW where it should be. I don't believe it! :thud:

My book is drawing to a close now. I can feel it! Now what?

Thanks!
Blu

Shaba
2009-04-21, 15:48
Great :)

Still some issues left?

Bluheart
2009-04-22, 21:52
Hi Shaba,

Unfortunately I have a problem with what I did that I can't seem to sort out. When I did the thing with msconfig it removed it from HJT but left it in the list of programs, just unchecked. After rebooting I got a popup window saying the following:


You have used the System Configuration Utility to make changes to the way Windows starts.

The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.

Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.


Now if I choose the normal startup mode, it puts a check back on the mosoyami.dll and it's active again and it's back in HJT. So what do I do? My husband said maybe to go in thru DOS and remove it that way since that file can't be found. Can you do that with XP?

I'm just about ready to toss this thing in the driveway and run over it. :sad:

Thanks,
Blu
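
The orphaned Run entry and the RUNDLL "module could not be found" error described above can be checked mechanically. What follows is an added Python example, not HijackThis code and not anything posted in this thread: it parses the O4 lines of two logs, flags rundll32-launched DLLs that are missing on disk or carry generated-looking names (a heuristic modelled on mosoyami/gujugova/dahodozu), and diffs the two logs. The sample O4 lines and the on-disk file list are constructed.

```python
"""Triage HijackThis O4 (autostart) entries and diff two logs.
Added example for this thread: not HijackThis code and not code posted by the
participants. Sample log lines and the on-disk snapshot are constructed."""
import os
import re
from dataclasses import dataclass

# HijackThis 2.0.2 writes registry autostarts as:  O4 - HKLM\..\Run: [Name] command
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): '
                    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 is invoked as  "quoted\path.dll",Export  or  bare\path.dll,Export
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))'
                    r'\s*,?\s*(?P<export>\S*)', re.IGNORECASE)


@dataclass(frozen=True)
class RunEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # value name shown in [brackets]
    command: str   # full command line


def parse_o4(log_text):
    """Extract registry Run entries; Startup-folder O4 lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def rundll_target(command):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL.match(command.strip())
    return (m["q"] or m["u"], m["export"]) if m else None


def looks_generated(path):
    """Heuristic only: 8 lowercase letters alternating consonant/vowel, the
    pattern of mosoyami/gujugova/dahodozu in this thread. Expect false positives."""
    stem = os.path.splitext(os.path.basename(path.replace("\\", "/")))[0]
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    is_vowel = [c in "aeiou" for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))


def triage(entries, exists=os.path.exists):
    """Map entry name -> reasons it deserves a look; `exists` is injectable."""
    report = {}
    for e in entries:
        reasons = []
        target = rundll_target(e.command)
        if target:
            dll, _export = target
            if not exists(dll):
                # Orphaned entry: at logon Windows shows "RUNDLL Error loading
                # <dll>: The specified module could not be found" (as in the thread)
                reasons.append(f"rundll32 target missing on disk: {dll}")
            if looks_generated(dll):
                reasons.append(f"generated-looking DLL name: {dll}")
        report[e.name] = reasons
    return report


def diff_runs(old, new):
    """(removed, added) entries keyed by (hive, key, name) between two logs."""
    old_keys = {(e.hive, e.key, e.name) for e in old}
    new_keys = {(e.hive, e.key, e.name) for e in new}
    return sorted(old_keys - new_keys), sorted(new_keys - old_keys)


# Constructed O4 sections shaped like the thread's logs before and after the
# msconfig change (msconfig adds its own Run entry while Selective Startup is on).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPM03333da6] Rundll32.exe "c:\windows\system32\mosoyami.dll",a
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"""
# Constructed disk snapshot: the quarantined DLL is gone, the NVIDIA one is present.
ON_DISK = {r"c:\windows\system32\nvcpl.dll"}


if __name__ == "__main__":
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    for name, reasons in triage(before, exists=lambda p: p.lower() in ON_DISK).items():
        print(name, "->", reasons or "ok")
    removed, added = diff_runs(before, after)
    print("removed:", removed, "added:", added)
```

Run against a real log, drop the `exists` argument so the check uses the actual filesystem of the machine the log came from.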

Shaba
2009-04-22, 22:03
Then I suggest that you restore it and disable it via spybot.

It can be found under Tools > System startup.

Bluheart
2009-04-23, 01:25
:D: :bigthumb:

Shaba I :bow: to you for finally finding the right solution! Persistence is the key! :yahoo:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:51 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\MiniMind\MiniMind.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\c logan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [iDailyDiary] "C:\PROGRA~1\IDAILY~1\iDD.exe" /LOGMIN
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file:///H:/CDVIEWER/CdViewer.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162171373921
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 8700 bytes


I'm having some problems that I don't think are related to this issue. Such as last nite I was watching a movie online and I got a message that my virtual memory was too low and Windows was fixing that. A little later I got a message saying that I only had 177 Meg available on my C drive which isn't true. It has 2 gig. I immediately did a cleanup of that drive which only consisted of less than 1 Meg of data. I'm not sure how but it suddenly said I had 600+ Meg free space and when I checked a little later it said I had 1.99 Gig. I've been watching it thru the day today and it has fluctuated some but nothing like last nite.

I will say that this is the quietest my HD has been in a long time. Usually my red light flashes a lot and I've always wondered why. Scans never showed anything. I guess my AVG just wasn't good enough to detect the bad programs. Which brings me to my most important question before we part ways. I want to know what you deem the best anti-virus software. I still don't quite understand Kaspersky but it seems to be pretty good. NOD32 was pretty good as well. You had helped my daughter, Devilsfrog, about a month ago when she got a computer killer virus. Unfortunately nothing could be done due to the type she got. She is still struggling trying to get it sorted out on a fresh reformat but it still seems really messed up. Anyway, each time you had her take the trojans/viruses over to her laptop by floppy to send them to test them, her NOD32 on that laptop would kill them before she had a chance to test them. So that tells me that NOD32 is excellent. I'm ready to buy... I just want to make sure I'm buying the best.

Thanks,
Blu

Shaba
2009-04-23, 08:07
Good :)

2 gigs still isn't much.

How big a hard drive do you have?

Bluheart
2009-04-23, 08:32
I can't remember how big that entire drive is but C drive was only partitioned into 20 gig. I wish it had been made 25 gig. I believe that is going to be fixed soon.

So where do we stand now? Are you going to tell me your opinion of the best software to get? :)

Shaba
2009-04-23, 09:02
I see :)

Yes, I will, unless there are some other issues left?

Bluheart
2009-04-26, 16:01
Hi Shaba,

I wanted to give it a few days to see if anything popped up and so far things seem to be quiet on this home front. Well besides the fact that I still have some programs that are corrupted that I'll have to reinstall... AGAIN. I had put them off as well to make sure everything was gone which it seems to be. :yahoo:

So I do believe we can now wrap things up so this event can go down in history as another case solved by you. :bow:

Thanks!
Blu

Shaba
2009-04-26, 16:49
Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable System Restore using the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

Shaba
2009-04-30, 08:47
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.