Help--infected with Smitfraud-C and Zeno Search

BronxBoy · May 29, 2008

Hi-
My laptop has been infected with some bad stuff that I can't get rid of. It causes numerous pop-ups to continually pop-up at a frantic rate. I installed SpyBot and ran it numerous times, and it always comes ends by listing these problems:

-Smitfraud-C.CoreService
(SBI $9C656B9A) Data
C:\\WINDOWS\system32\drivers\core.cache.dsk

-Zeno Search
(SBI $7E6E3149) Text file
C:\\WINDOWS/system32\msnav32.ax

-Zeon Search
(SBI $93386031) Text file
C:\\WINDOWS\system32\zxdnt3d.cfg

However, SpyBot seems unable to get rid of them. It says the problems are fixed, but when I reboot and scan again, they're still there.

I also installed and ran SmitfaudFix, but it hasn't helped either.

I of course want to get rid of them, and I also want to make sure that the bad stuff hasn't gotten into my external hard drive or flash drive (if that's possible).

I'll appreciate anything you can do. Thanks.

Blade81 · May 29, 2008

I think you missed BEFORE you POST (READ this Procedure BEFORE Requesting Assistance) sticky.

Follow the instructions there and post a fresh hjt log.

BronxBoy · May 30, 2008

HJT log

Sorry about that...I'm new to this stuff, and I thought I'd wait for you to ask for something before I sent the wrong thing.

Below is my HJT log. I was also going to send a Kaspersky log, but I can't get all the way through the Kaspersky scan...twice I got to almost 100% of the process (after sitting through it for a couple of hours) and then AOL froze up on me or disconnected and I lost the whole thing. I can't use the wireless connection because that keeps dropping out on me.

Thanks for taking a look at this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:47:26, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\System32\Rundll32.exe
C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe
C:\Program Files\Common Files\W?nSxS\?explore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QdrModule\QdrModule17.exe
c:\windows\system32\jqwnw64j.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25340342-330E-4395-A8B4-5CE97F6BC0D8} - C:\WINDOWS\system32\efcButrR.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56AAAD03-1EF9-4B07-8196-12F1C125F7AD} - C:\WINDOWS\system32\awtrOiJD.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: mysidesearch browser optimizer - {7605204a-1bf2-6b53-2777-53f8a87e9669} - C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {AE6DE148-55F9-2173-FF4E-7AA2E69B4A92} - C:\WINDOWS\system32\xzej.dll
O2 - BHO: (no name) - {D2376FB3-3D0D-414D-83AA-3AD6AD6B111F} - C:\WINDOWS\system32\byXQGyab.dll (file missing)
O2 - BHO: (no name) - {DF71DBA4-D312-448B-85AD-B0D5F85D16BD} - C:\WINDOWS\system32\iifgExuV.dll (file missing)
O2 - BHO: gooochi browser optimizer - {fdd7b81d-1edc-978a-e1d9-513b08695f89} - C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [{74-4C-CB-B9-DW}] c:\windows\system32\jqwnw64j.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\tcntaxdn.exe DWram
O4 - HKLM\..\Run: [{c3f670a7-1bb7-5093-12d3-d28162845729}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll" DllStart
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Dkdtq] "C:\Program Files\Common Files\W?nSxS\?explore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64j.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64j.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64j.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O17 - HKLM\System\CS3\Services\Tcpip\..\{1CE7884D-80C3-47AA-B268-D1CC09462736}: NameServer = 205.188.146.145
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: byXQGyab - byXQGyab.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12395 bytes

--------------------------------------------------------------------------------
Get trade secrets for amazing burgers. Watch "Cooking with Tyler Florence" on AOL Food.

Blade81 · May 30, 2008

Hi

It's ok. We can try Kaspersky scanner later

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

BronxBoy · Jun 1, 2008

ComboFix log

Hi-
Here's the ComboFix log...HJT log to follow in a few minutes. Thanks, George

ComboFix 08-05-29.1 - NYP 2008-05-31 23:04:39.1 - NTFSx86
Running from: C:\Documents and Settings\NYP\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NYP\My Documents\STEM32~1
C:\Documents and Settings\NYP\My Documents\YSTEM~1
C:\Documents and Settings\NYP\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\NYP\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\NYP\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\?explore.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\Common Files\ystem3~1\?ystem32\
C:\Program Files\Common Files\ystem3~1\dvdplay.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\dicer.gz
C:\Program Files\QdrModule\dicy.gz
C:\Program Files\QdrModule\kwdy.gz
C:\Program Files\QdrModule\mainladupd.exe
C:\Program Files\QdrModule\pckr.dat
C:\Program Files\QdrModule\QdrModule16.exe
C:\Program Files\QdrModule\QdrModule17.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\dictys.gz
C:\Program Files\QdrPack\QdrPack15.exe
C:\Program Files\QdrPack\QdrPack16.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\RcvSystem
C:\Program Files\RcvSystem\httpdchk.dll
C:\Program Files\Spcron
C:\Program Files\Spcron\Spcron.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM5bb47f8a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\DJiOrtwa.ini
C:\WINDOWS\system32\DJiOrtwa.ini2
C:\WINDOWS\system32\drivers\rawwann.sys
C:\WINDOWS\system32\dsigyqlk.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RrtuBcfe.ini
C:\WINDOWS\system32\RrtuBcfe.ini2
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\VuxEgfii.ini
C:\WINDOWS\system32\VuxEgfii.ini2
C:\WINDOWS\system32\x4
C:\WINDOWS\system32\x4\demw136.exe
C:\WINDOWS\system32\xzej.dll
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RAWWANN
-------\Service_rawwann

((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 23:13 . 2008-05-31 23:13 21 --a------ C:\WINDOWS\system32\zxdnt3d.cfg
2008-05-30 01:46 . 2008-05-30 01:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 01:34 . 2008-05-30 01:34 49,162 --a------ C:\WINDOWS\system32\jqwnw64j.exe
2008-05-30 01:01 . 2008-05-30 01:04 63,918 --a------ C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
2008-05-30 01:00 . 2008-05-30 01:01 401,976 --a------ C:\WINDOWS\system32\g29.exe
2008-05-30 00:42 . 2008-05-30 00:42 13,942 --a------ C:\WINDOWS\system32\iphone-011.ico
2008-05-30 00:11 . 2008-05-30 00:11 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-05-29 20:59 . 2008-05-29 21:00 200,779 --a------ C:\WINDOWS\system32\rcntrkdm.exe
2008-05-29 20:59 . 2008-05-29 20:59 88,961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-05-29 20:58 . 2008-05-29 20:59 298,308 --a------ C:\WINDOWS\system32\gside.exe
2008-05-28 23:28 . 2008-05-28 23:28 9,662 --a------ C:\WINDOWS\system32\pinkip.ico
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 22:25 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 22:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 22:25 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-27 22:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 22:25 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 22:25 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 21:48 . 2008-05-27 21:48 167,976 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-05-27 19:53 . 2008-05-27 21:32 6,044 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-27 19:43 . 2008-05-27 19:43 200,767 --a------ C:\WINDOWS\system32\tcntaxdn.exe
2008-05-27 19:43 . 2008-05-27 19:43 862 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-05-27 09:34 . 2008-05-27 09:34 370,688 --a------ C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
2008-05-25 17:14 . 2008-05-31 22:40 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-05-24 09:14 . 2008-05-31 22:43 54,202 --a------ C:\VETlog.dmp
2008-05-11 00:11 . 2008-05-11 00:11 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-05-02 10:22 . 2008-05-02 10:22 <DIR> d-------- C:\WINDOWS\rffi
2008-05-02 10:22 . 2008-05-02 15:21 <DIR> d-------- C:\Program Files\Common Files\rffi
2008-05-02 10:12 . 2008-05-02 10:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-02 10:12 . 2008-05-02 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 10:08 . 2008-05-02 10:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-02 10:08 . 2008-05-02 10:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 10:07 . 2008-05-02 10:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-01 08:40 . 2008-05-01 05:40 68,608 --------- C:\WINDOWS\b155.exe_old
2008-05-01 08:00 . 2008-05-01 05:00 273,408 --------- C:\WINDOWS\b148.exe_old

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25340342-330E-4395-A8B4-5CE97F6BC0D8}]
C:\WINDOWS\system32\efcButrR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56AAAD03-1EF9-4B07-8196-12F1C125F7AD}]
C:\WINDOWS\system32\awtrOiJD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7605204a-1bf2-6b53-2777-53f8a87e9669}]
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]
2008-03-27 11:35 333824 --a------ C:\WINDOWS\system32\mysidesearch_sidebar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF71DBA4-D312-448B-85AD-B0D5F85D16BD}]
C:\WINDOWS\system32\iifgExuV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fdd7b81d-1edc-978a-e1d9-513b08695f89}]
2008-05-27 09:34 370688 --a------ C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"tgcmd"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 14:57 2506752]
"Uahe"="C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe" [ ]
"Dkdtq"="C:\Program Files\Common Files\W?nSxS\?explore.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]
"QdrModule17"="C:\Program Files\QdrModule\QdrModule17.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 19:41 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 00:50 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 00:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 13:48 147514]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01 110592]
"UC_Start"="C:\IBMTools\Updater\ucstartup.exe" [2003-03-17 19:27 32768]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 17:56 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 19:57 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"tgcmd"="" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-28 15:11 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-28 15:10 512000]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 03:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-10-11 06:07 53248]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-07-18 06:02 208896]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 05:04 114741]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 05:34 20480]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 05:34 94208]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 01:10 335872]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 12:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-05 09:11 26112]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 18:53 169264]
"{74-4C-CB-B9-DW}"="c:\windows\system32\rwwnw64d.exe" [ ]
"{c3f670a7-1bb7-5093-12d3-d28162845729}"="C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll" [2008-05-27 09:34 370688]
"ExploreUpdSched"="C:\WINDOWS\system32\tcntaxdn.exe" [2008-05-27 19:43 200767]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-05 11:14:48 36954]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2005-03-05 11:16:49 229450]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQGyab]
byXQGyab.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-09-11 14:03]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-10-11 06:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-07-11 05:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 16:24]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-07-24 17:26]
S3 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2003-10-11 06:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23460d10-da2a-11dc-b4f9-00038a000015}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c38c4e0-eea7-11db-b44f-00038a000015}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2004-05-21 07:04:32 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 23:13:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\zxdnt3d.cfg 21 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Qoobox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.virft.VC8
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-31 23:18:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 03:18:38

Pre-Run: 16,899,358,720 bytes free
Post-Run: 16,874,016,768 bytes free

258 --- E O F --- 2008-05-16 00:57:31

--------------------------------------------------------------------------------
Get trade secrets for amazing burgers. Watch "Cooking with Tyler Florence" on AOL Food.

BronxBoy · Jun 1, 2008

HJT log

Hi--here's a fresh HJT log. Thanks again for taking the time to check it out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:22:20, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\system32\tcntaxdn.exe
c:\windows\system32\rwwnw64d.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {25340342-330E-4395-A8B4-5CE97F6BC0D8} - C:\WINDOWS\system32\efcButrR.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {56AAAD03-1EF9-4B07-8196-12F1C125F7AD} - C:\WINDOWS\system32\awtrOiJD.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: mysidesearch browser optimizer - {7605204a-1bf2-6b53-2777-53f8a87e9669} - C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll (file missing)
O2 - BHO: MySidesearch Search Assistant - {9506910A-0F94-4ea1-B567-7070428B8B2B} - C:\WINDOWS\system32\mysidesearch_sidebar.dll
O2 - BHO: (no name) - {DF71DBA4-D312-448B-85AD-B0D5F85D16BD} - C:\WINDOWS\system32\iifgExuV.dll (file missing)
O2 - BHO: gooochi browser optimizer - {fdd7b81d-1edc-978a-e1d9-513b08695f89} - C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [{74-4C-CB-B9-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [{c3f670a7-1bb7-5093-12d3-d28162845729}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll" DllStart
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\COMMON~1\YSTEM3~1\dvdplay.exe" -vt ndrv
O4 - HKCU\..\Run: [Dkdtq] "C:\Program Files\Common Files\W?nSxS\?explore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CE7884D-80C3-47AA-B268-D1CC09462736}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O17 - HKLM\System\CS2\Services\Tcpip\..\{1CE7884D-80C3-47AA-B268-D1CC09462736}: NameServer = 205.188.146.145
O20 - Winlogon Notify: byXQGyab - byXQGyab.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 12312 bytes

--------------------------------------------------------------------------------
Get trade secrets for amazing burgers. Watch "Cooking with Tyler Florence" on AOL Food.

Blade81 · Jun 1, 2008

Hi

It seems Windows internal firewall is switched off. Please try to enable it if you don't have any other firewall installed.

Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\jqwnw64j.exe
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
C:\WINDOWS\system32\g29.exe
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\rcntrkdm.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
C:\WINDOWS\b155.exe_old
C:\WINDOWS\b148.exe_old
C:\WINDOWS\system32\rwwnw64d.exe

DirLook::
C:\WINDOWS\rffi

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25340342-330E-4395-A8B4-5CE97F6BC0D8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56AAAD03-1EF9-4B07-8196-12F1C125F7AD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7605204a-1bf2-6b53-2777-53f8a87e9669}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9506910A-0F94-4ea1-B567-7070428B8B2B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF71DBA4-D312-448B-85AD-B0D5F85D16BD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fdd7b81d-1edc-978a-e1d9-513b08695f89}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uahe"=-
"Dkdtq"=-
"QdrPack16"=-
"QdrModule17"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{74-4C-CB-B9-DW}"=-
"{c3f670a7-1bb7-5093-12d3-d28162845729}"=-
"ExploreUpdSched"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQGyab]

Save this as
CFScript

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting above meantioned ComboFix resultant log).

BronxBoy · Jun 3, 2008

A couple of questions...

Hi-
Before I try to do this, I have a couple of questions:

1. You wrote: "It seems Windows internal firewall is switched off. Please try to enable it if you don't have any other firewall installed."
How do I enable the firewall?

2. You wrote:
"Start hjt, do a system scan, check:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - S-1-5-18 Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe (User 'Default user')
O4 - .DEFAULT Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\tcntaxdn.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe"

What kind of check should I do? Am I checking to see if those lines are in the log?
Thanks, George

Blade81 · Jun 3, 2008

1) Enable Windows Firewall in Windows XP SP2
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click On (recommended), and then click OK.

2) You have to place a checkmark on those entries I listed in HijackThis program and then after closing browser windows, click 'fix checked' -button in HijackThis

BronxBoy · Jun 4, 2008

Saving as CF, and dragging into ComboFix

Hi-

I enabled the firewall. I then did the hjt system scan, and clicked and fixed the items you listed. I then opened Notepad and pasted the items you told me into it.

However, I don't know how to save it as CF Script, or how to drag and drop it into ComboFix. ComboFix just seems to run when I click on it, but I don't see a way to drag anything into it.

If you could just walk me through saving it as CF Script and dragging it into ComboFix, I'd appreciate it. Sorry for the trouble, I'm a beginner at this.

Thanks, George

Blade81 · Jun 4, 2008

Hi George

Please find needed CFScript.txt attached to this post. Download it to your desktop and drag the file by holding left mouse button down the CFScript.txt file over ComboFix.exe and release the button. Just like in the screenshot of my previous post

Attention this CFScript.txt file suits only for BronxBoy's case. Using it to some other case may ruin the system!

BronxBoy · Jun 4, 2008

Thanks

Thanks, I'll try it. For some reason I can't see the screenshot / picture in your previous post, but I'll try to follow your instructions.

BronxBoy · Jun 4, 2008

ComboFix log

Hi-I did ComboFix with the CF script you sent me--here's the log. I will try to do the other logs and post them shortly. Thanks, George

ComboFix 08-06-03.4 - NYP 2008-06-04 17:07:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Running from: C:\Documents and Settings\NYP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NYP\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\b148.exe_old
C:\WINDOWS\b155.exe_old
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\g29.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jqwnw64j.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\rcntrkdm.exe
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\zxdnt3d.cfg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b148.exe_old
C:\WINDOWS\b155.exe_old
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll-uninst.exe
C:\WINDOWS\system32\{35a6ae75-c06a-1fc9-e65b-9ee1f3540a3c}.dll
C:\WINDOWS\system32\g29.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\iphone-011.ico
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jqwnw64j.exe
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\pinkip.ico
C:\WINDOWS\system32\rcntrkdm.exe
C:\WINDOWS\system32\tcntaxdn.exe
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-01 00:02 . 2008-06-01 00:02 95,833 --a------ C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
2008-05-30 01:46 . 2008-05-30 01:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 22:25 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 22:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 22:25 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-27 22:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 22:25 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 22:25 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 19:53 . 2008-05-27 21:32 6,044 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 17:14 . 2008-06-04 15:46 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-05-24 09:14 . 2008-06-04 16:37 51,868 --a------ C:\VETlog.dmp
2008-05-19 09:55 . 2008-05-19 09:55 439,808 --a------ C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
2008-05-11 00:11 . 2008-05-11 00:11 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 19:21 --------- d-----w C:\Program Files\Common Files\rffi
2008-05-02 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 14:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 14:08 --------- d-----w C:\Program Files\Lavasoft
2008-05-02 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\rffi ----

2008-05-02 10:22 2318 --a------ C:\WINDOWS\rffi\rffi.dat
2002-07-26 17:02 153088 --a------ C:\WINDOWS\rffi\wu

((((((((((((((((((((((((((((( snapshot@2008-05-31_23.18.13.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 03:11:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 20:46:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 04:02:17 95,833 ----a-w C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
+ 2008-05-19 13:55:20 439,808 ----a-w C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"tgcmd"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 14:57 2506752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 19:41 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 00:50 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 00:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 13:48 147514]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01 110592]
"UC_Start"="C:\IBMTools\Updater\ucstartup.exe" [2003-03-17 19:27 32768]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 17:56 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 19:57 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"tgcmd"="" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-28 15:11 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-28 15:10 512000]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 03:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-10-11 06:07 53248]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-07-18 06:02 208896]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 05:04 114741]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 05:34 20480]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 05:34 94208]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 01:10 335872]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 12:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-05 09:11 26112]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 18:53 169264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-05 11:14:48 36954]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2005-03-05 11:16:49 229450]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-09-11 14:03]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-10-11 06:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-07-11 05:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 16:24]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-07-24 17:26]
S3 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2003-10-11 06:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23460d10-da2a-11dc-b4f9-00038a000015}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c38c4e0-eea7-11db-b44f-00038a000015}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2004-05-21 07:04:32 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 17:10:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-04 17:14:11
ComboFix-quarantined-files.txt 2008-06-04 21:13:56
ComboFix2.txt 2008-06-04 20:15:08
ComboFix3.txt 2008-06-01 03:18:46

Pre-Run: 16,851,755,008 bytes free
Post-Run: 16,834,056,192 bytes free

174 --- E O F --- 2008-05-16 00:57:31

BronxBoy · Jun 5, 2008

Kaspersky log

Hi-Here's my Kaspersky log. George

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 04, 2008 21:25:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 829611
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 65497
Number of viruses found: 44
Number of infected objects: 110
Number of suspicious objects: 0
Duration of the scan process: 02:00:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080604_Time-164858638_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080604_Time-164858638_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\NYP\.jpi_cache\jar\1.0\java.jar-df21902-61e8a5cc.zip ZIP: infected - 4 skipped
C:\Documents and Settings\NYP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\History\History.IE5\MSHist012008060420080605\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NYP\ntuser.dat.LOG Object is locked skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE ZIP: infected - 3 skipped
C:\Program Files\Patchlink\Update Agent\Patchlink Update Agent.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WNSXS~1\іexplore.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM3~1\dvdplay.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule16.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule17.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir Infected: Trojan.Win32.BHO.blh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip/rawwann.sys Infected: Trojan.Win32.Pakes.cwd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jqwnw64j.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rcntrkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\x4\demw136.exe.vir Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xzej.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP397\A0109262.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109266.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109312.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109329.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109338.exe Infected: Trojan.Win32.BHO.bkm skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109344.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP399\A0109401.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110392.exe Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110393.exe Infected: Trojan.Win32.Agent.lke skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110394.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110395.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110396.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110398.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110399.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110401.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110402.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110403.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110405.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110407.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110408.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110411.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110412.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110421.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110423.exe Infected: Trojan.Win32.BHO.blh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110424.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110429.exe Infected: Trojan-Downloader.Win32.Agent.ndt skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110430.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110466.exe Infected: Trojan-Downloader.Win32.Agent.qqn skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111658.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111676.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111718.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111799.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111800.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115215.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115216.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115217.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115219.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115454.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115455.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115803.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115805.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115811.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115814.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118006.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118953.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119069.exe Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119070.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119076.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119079.exe Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119080.exe Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119081.exe Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119086.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119087.dll Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119094.exe Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119381.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119384.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119385.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A6FBED68-5847-492B-AA35-35249DE4C3B9}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0400BCEB-CF7C-4AA8-AF2F-9179705E720C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\pnVes18\pnVes182328.exe Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

BronxBoy · Jun 5, 2008

Fresh hjt log

Hi-Here's a fresh hjt log. Thanks for looking at all this. George

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:06, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9945 bytes

Blade81 · Jun 5, 2008

Hi George

Clear Java's cache. Then run ComboFix again with the new script provided as an attachment.

After that re-run Kaspersky scanner and post back its report, a fresh hjt log and ComboFix log.

Attention this CFScript.txt file suits only for BronxBoy's case. Using it to some other case may ruin the system!

BronxBoy · Jun 7, 2008

New ComboFix log

Hi-Here's my new ComboFix log.

ComboFix 08-06-03.4 - NYP 2008-06-06 20:47:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT -4:00]
Running from: C:\Documents and Settings\NYP\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\NYP\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll-uninst.exe
C:\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll
C:\WINDOWS\system32\pnVes18
C:\WINDOWS\system32\pnVes18\pnVes182328.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-05-30 01:46 . 2008-05-30 01:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-28 20:22 . 2008-05-28 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-27 22:25 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-27 22:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-27 22:25 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-27 22:25 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-27 22:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-27 22:25 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-27 22:25 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-27 19:53 . 2008-05-27 21:32 6,044 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-25 17:14 . 2008-06-06 20:24 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-05-24 09:14 . 2008-06-04 16:37 51,868 --a------ C:\VETlog.dmp
2008-05-11 00:11 . 2008-05-11 00:11 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 19:21 --------- d-----w C:\Program Files\Common Files\rffi
2008-05-02 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 14:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-02 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-02 14:08 --------- d-----w C:\Program Files\Lavasoft
2008-05-02 14:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-31_23.18.13.36 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 03:11:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 00:41:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IBM RecordNow!"="" []
"tgcmd"="" []
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-02-24 14:57 2506752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-12 19:41 98304]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-25 00:50 139320]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-23 00:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 13:48 147514]
"UpdateManager"="c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 05:01 110592]
"UC_Start"="C:\IBMTools\Updater\ucstartup.exe" [2003-03-17 19:27 32768]
"TpShocks"="TpShocks.exe" [2003-09-04 03:02 77824 C:\WINDOWS\system32\TpShocks.exe]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2003-09-02 17:56 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2003-08-07 19:57 94208]
"TP4EX"="tp4ex.exe" [2002-09-04 05:05 53248 C:\WINDOWS\system32\TP4EX.exe]
"tgcmd"="" []
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-28 15:11 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-28 15:10 512000]
"S3TRAY2"="S3Tray2.exe" [2001-10-12 03:32 69632 C:\WINDOWS\system32\S3Tray2.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-10-11 06:07 53248]
"NAV CfgWiz"="C:\PROGRA~1\NORTON~1\Cfgwiz.exe" [ ]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2003-07-21 19:00 540672]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2003-07-18 06:02 208896]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-10-22 05:04 114741]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2003-07-11 05:34 20480]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-07-11 05:34 94208]
"BluetoothAuthenticationAgent"="irprops.cpl" [2004-08-04 03:56 380416 C:\WINDOWS\system32\irprops.cpl]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 01:10 335872]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 20:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 12:53 88363 C:\WINDOWS\AGRSMMSG.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-05 09:11 26112]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 18:53 169264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-03-05 11:14:48 36954]
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe [2005-03-05 11:16:49 229450]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2003-09-11 14:03]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2003-10-11 06:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2003-07-11 05:34]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 16:24]
R2 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2003-07-24 17:26]
S3 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2003-10-11 06:07]

.
Contents of the 'Scheduled Tasks' folder
"2004-05-21 07:04:32 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 20:51:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-06-06 20:54:04
ComboFix-quarantined-files.txt 2008-06-07 00:53:45
ComboFix2.txt 2008-06-04 21:14:13
ComboFix3.txt 2008-06-04 20:15:08
ComboFix4.txt 2008-06-01 03:18:46

Pre-Run: 16,815,140,864 bytes free
Post-Run: 16,797,974,528 bytes free

135 --- E O F --- 2008-05-16 00:57:31

BronxBoy · Jun 7, 2008

New HJT log

Here's my new hjt log. I don't have time to do the Kaspersky tonight but will do it in the next day or two and post it. Thanks for all your help. George

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:21, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.plus2 (HKLM)
O15 - ESC Trusted Zone: *.plus2 (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76674D0C-EB84-4025-AE6C-D3FF85E2F124}: Domain = nypd.org
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9896 bytes

Blade81 · Jun 7, 2008

Hi

Let's get back to this after you've got Kaspersky report ready

BronxBoy · Jun 8, 2008

Fresh Kasperksy log

Hi-Here's a fresh Kaspersky log. Thanks, George

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 08, 2008 01:53:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/06/2008
Kaspersky Anti-Virus database records: 836968
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 65646
Number of viruses found: 42
Number of infected objects: 107
Number of suspicious objects: 0
Duration of the scan process: 02:12:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080607_Time-093321021_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080607_Time-093321021_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_LAPTOP-MD5410.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnDemandScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\NYP\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NYP\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NYP\ntuser.dat.LOG Object is locked skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.EXE ZIP: infected - 3 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WNSXS~1\іexplore.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\YSTEM3~1\dvdplay.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\mainladupd.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule16.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule17.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir Infected: Trojan.Win32.BHO.blh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip/rawwann.sys Infected: Trojan.Win32.Pakes.cwd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\rawwann.sys.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\g29.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jqwnw64j.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pnVes18\pnVes182328.exe.vir Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rcntrkdm.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rwwnw64d.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tcntaxdn.exe.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\x4\demw136.exe.vir Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xzej.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\{81f3a1e4-cd23-1d59-1798-24c78d1a1745}.dll.vir Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP397\A0109262.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109266.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109312.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109329.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109338.exe Infected: Trojan.Win32.BHO.bkm skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP398\A0109344.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP399\A0109401.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110392.exe Infected: not-a-virus:AdWare.Win32.Rond.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110393.exe Infected: Trojan.Win32.Agent.lke skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110394.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110395.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110396.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110398.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110399.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110400.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110401.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110402.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110403.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110405.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110407.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110408.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110411.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110412.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110421.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110423.exe Infected: Trojan.Win32.BHO.blh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110424.exe Infected: Trojan-Downloader.Win32.Homles.bk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110429.exe Infected: Trojan-Downloader.Win32.Agent.ndt skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110430.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP400\A0110466.exe Infected: Trojan-Downloader.Win32.Agent.qqn skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111658.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111676.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111718.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111799.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP401\A0111800.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115215.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115216.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115217.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115219.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115454.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP404\A0115455.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115802.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115803.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115804.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115805.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115811.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0115814.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118006.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118007.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP405\A0118953.dll Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119069.exe Infected: not-a-virus:AdWare.Win32.PurityScan.id skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119070.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119073.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119076.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119078.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119079.exe Infected: not-a-virus:AdWare.Win32.AdBand.ac skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119080.exe Infected: not-a-virus:AdWare.Win32.AdBand.af skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119081.exe Infected: not-a-virus:AdWare.Win32.AdBand.z skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119086.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119087.dll Infected: not-a-virus:AdWare.Win32.PurityScan.if skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP406\A0119094.exe Infected: Trojan-Downloader.Win32.Small.uuw skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.byy skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119377.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119381.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119384.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bc skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP407\A0119385.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ax skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119519.exe Infected: Trojan-Downloader.Win32.VB.ebf skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\A0119520.dll Infected: Trojan.Win32.BHO.cmd skipped
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP408\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2158A4FB-F612-4C8E-9BF0-AEB9A63EC7DA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Help--infected with Smitfraud-C and Zeno Search

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member