Malware invasion - help, please

V

valeriejane

New member
Despite running F Secure, Windows Defender and Spybot, my desktop computer was invaded yesterday.

Spybot is disabled and won't launch.
IE re-directs to other sites.
If I try to access Microsoft sites, or help sites, that computer immediately shuts down and re-starts.

F Secure will scan but doesn't find any problems. Same with Windows Defender, though updating WD is blocked.
Trying to access the Smitfraudfix site crashed the computer again.
Downloading Smitfraudfix on to a stick (I have moved to a laptop) and trying to run it on the desktop gave the 'SmitfraufFix.exe has encountered a problem and needs to close' and that I can 'tell Microsoft about this problem'.

HJT will not install.

I'd be soooo grateful for help with this, please.
 
Hi valeriejane

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
DDS Report on Malware Invasion

Hi Blade81,

Many thanks for looking at the problem:


DDS (Version 1.1.0) - NTFSx86
Run by Val at 8:21:23.04 on 23/12/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1024.605 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
AV: F-Secure Internet Security 2009 9.00 *On-access scanning enabled* (Updated)
FW: F-Secure Internet Security 2009 9.00 *enabled*
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\Program Files\Spybot\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Val\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Microsoft Internet Explorer provided by PIPEX
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.dial.pipex.com/
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\spybot~1\SDHelper.dll
BHO: ST: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: MSNToolBandBHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: MSN: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot\spybot - search & destroy\TeaTimer.exe
mRun: [HTpatch] c:\windows\htpatch.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [StorageGuard] "c:\program files\veritas software\update manager\sgtray.exe" /r
mRun: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LTSMMSG] LTSMMSG.exe
mRun: [InstantAccess] c:\progra~1\textbr~1.0\bin\INSTAN~1.EXE /h
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [POINTER] point32.exe
mRun: [UPSMON] c:\program files\upsmon\UPSMON.exe
mRun: [ms] c:\program files\microsoft\svhost32.exe
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [lphc1c2j0eec7] c:\windows\system32\lphc1c2j0eec7.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [F-Secure Manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\val\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
StartupFolder: c:\docume~1\val\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\spybot~1\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\f-secure internet security\fsps\program\FSLSP.DLL
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -
Notify: winpdc32 - winpdc32.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2008-11-3 30856]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-3 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;\??\c:\program files\f-secure internet security\hips\drivers\fshs.sys [2008-11-3 66720]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;"c:\program files\f-secure internet security\anti-virus\fsgk32st.exe" [2008-11-3 215648]
R2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2005-9-9 826512]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2008-11-3 72288]
R3 FSORSPClient;F-Secure ORSP Client;"c:\program files\f-secure internet security\orsp client\fsorsp.exe" [2008-11-3 55904]
R3 PhTVTune;Sony TV Tuner (4830) WDM TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2003-3-10 27520]
S2 NtmlSvc;NtmlSvc;c:\windows\system32\svchost.exe -k netsvcs [2002-12-4 14336]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\windows\temp\f-secure\anti-virus\fsblsrv.exe []
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-8-1 815819]
S3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2004-7-30 217472]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2004-7-30 17277]
S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2004-7-30 86648]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\f-secure internet security\anti-virus\win2k\FSfilter.sys [2008-11-3 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\f-secure internet security\anti-virus\win2k\FSrec.sys [2008-11-3 25184]

=============== Created Last 30 ================

2008-12-18 19:53 <DIR> --d----- c:\program files\Hijack This
2008-12-18 14:39 <DIR> --d----- c:\program files\Val
2008-12-18 09:13 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-18 07:40 149 a------- c:\windows\wininit.ini
2008-12-12 22:30 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-12 22:30 1,409 a------- c:\windows\QTFont.for
2008-11-26 08:36 <DIR> --d----- c:\program files\Kodak

==================== Find3M ====================

2008-12-22 13:39 2,581 a------- c:\windows\panose.bin
2008-12-12 13:05 155 a------- C:\43566574.bat
2008-11-03 16:30 30,856 a------- c:\windows\system32\drivers\fsbts.sys
2008-09-25 09:26 90,112 a------- c:\windows\DUMP85ba.tmp

============= FINISH: 8:22:10.05 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 31/05/2003 14:12:20
System Uptime: 23/12/2008 08:09:18 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4S533VL
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | PGA 478 | 3059/133mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | PGA 478 | 3059/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 28 GiB total, 2.149 GiB free.
D: is FIXED (NTFS) - 121 GiB total, 39.627 GiB free.
E: is Removable
F: is CDROM ()
G: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1890: 01/11/2008 16:22:05 - System Checkpoint
RP1891: 02/11/2008 23:39:03 - System Checkpoint
RP1892: 03/11/2008 16:00:09 - is 9.00 build 148 Installation
RP1893: 04/11/2008 16:59:21 - System Checkpoint
RP1894: 05/11/2008 17:57:31 - System Checkpoint
RP1895: 06/11/2008 19:40:46 - System Checkpoint
RP1896: 07/11/2008 19:56:34 - System Checkpoint
RP1897: 08/11/2008 21:42:58 - System Checkpoint
RP1898: 10/11/2008 10:35:21 - System Checkpoint
RP1899: 11/11/2008 12:22:23 - System Checkpoint
RP1900: 12/11/2008 14:11:46 - System Checkpoint
RP1901: 13/11/2008 15:06:36 - System Checkpoint
RP1902: 14/11/2008 16:38:33 - System Checkpoint
RP1903: 15/11/2008 16:56:46 - System Checkpoint
RP1904: 16/11/2008 19:52:26 - System Checkpoint
RP1905: 17/11/2008 20:32:31 - System Checkpoint
RP1906: 18/11/2008 21:27:01 - System Checkpoint
RP1907: 19/11/2008 21:39:31 - System Checkpoint
RP1908: 20/11/2008 23:34:15 - System Checkpoint
RP1909: 22/11/2008 01:16:36 - System Checkpoint
RP1910: 23/11/2008 02:11:32 - System Checkpoint
RP1911: 24/11/2008 06:35:04 - System Checkpoint
RP1912: 25/11/2008 08:15:02 - System Checkpoint
RP1913: 26/11/2008 08:17:00 - System Checkpoint
RP1914: 27/11/2008 18:25:23 - System Checkpoint
RP1915: 28/11/2008 20:25:44 - System Checkpoint
RP1916: 29/11/2008 23:40:19 - System Checkpoint
RP1917: 01/12/2008 00:28:50 - System Checkpoint
RP1918: 02/12/2008 01:28:23 - System Checkpoint
RP1919: 03/12/2008 01:52:54 - System Checkpoint
RP1920: 04/12/2008 02:16:24 - System Checkpoint
RP1921: 05/12/2008 16:31:48 - System Checkpoint
RP1922: 06/12/2008 17:13:46 - System Checkpoint
RP1923: 07/12/2008 18:42:04 - System Checkpoint
RP1924: 08/12/2008 21:15:56 - System Checkpoint
RP1925: 09/12/2008 23:21:31 - System Checkpoint
RP1926: 10/12/2008 23:36:01 - System Checkpoint
RP1927: 12/12/2008 00:08:30 - System Checkpoint
RP1928: 13/12/2008 02:10:56 - System Checkpoint
RP1929: 14/12/2008 02:58:28 - System Checkpoint
RP1930: 15/12/2008 03:22:05 - System Checkpoint
RP1931: 16/12/2008 03:46:28 - System Checkpoint
RP1932: 17/12/2008 05:55:22 - System Checkpoint

==== Installed Programs ======================


ABBYY FineReader 5.0 Sprint Plus
Actinic Link for QuickBooks
Actinic Payment Service Providers Component v9
Actinic Shared SSL Service Providers Component V9
Actinic System Files
Actinic v9
Adobe Acrobat 8 Standard
Adobe Acrobat 8.1.2 Security Update 1 (KB403742)
Adobe Acrobat 8.1.2 Standard
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Color Common Settings
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe PageMaker 7.0
Adobe PhotoDeluxe Home Edition 4.0
Adobe Photoshop 7.0
Adobe Photoshop Elements 2.0
Adobe Setup
Agere Systems AC'97 Modem
AllWebMenus PRO v4
Belarc Advisor 6.0
Click to DVD 1.1
Corel Uninstaller
CutePDF Writer 2.6
Easy CD & DVD Creator 6
EndItAll 2.0
EPSON Copy Utility
EPSON Photo Print
EPSON Scan
EPSON Smart Panel
EPSON TWAIN 5
Extensis PhotoFrame 2.0
F-Secure Internet Security 2009
Giga Pocket 5.0
Giga Pocket Demo Movie
Google Earth
Google SketchUp 6
Google Toolbar for Internet Explorer
HP Color LaserJet 3600 (02/27/2007 61.063.461.41)
HP Update
ISP Selector
ISP Selector (English)
Kazoo Player
Lucent Technologies Soft Modem AMR
Macromedia Dreamweaver 2
Macromedia Dreamweaver 4
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 2
Macromedia Fireworks 4
Macromedia Shockwave Player
MailWasher Pro
Maxtor OneTouch
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 4.1
Microsoft Office 97, Professional Edition
Microsoft Office Outlook 2003
MoodLogic
MSN Messenger 7.0
MSN Toolbar
Music Visualizer Library 1.4.00
Network Smart Capture
NVIDIA Windows 2000/XP Display Drivers
OpenMG Limited Patch 4.0-04-06-21-01
OpenMG Secure Module 4.0.00
Perf4870 Reference Guide
PictureGear Studio 1.0
PowerDVD
QuickTime
RealOne Player
Recovery for Outlook Express
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
SilverFast Epson-SE
SilverFast SE CD Documentation 6.2.0
SonicStage 2.1.00
Sony DV Shared Library
SPSS 14.0 for Windows
Spybot - Search & Destroy
Steinberg Cubase LE
Studio Content CD
Studio DV
Terrapin FTP
Test Prep 2.0
TextBridge Pro 8.0
TOSHIBA Manuals
Turbo Lister 2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
UPSMON Plus for Windows
US-122
USB Storage Adapter FX (MXO)
VAIO Action Setup
VAIO BrightColor Wallpaper
VAIO Clock Screen Saver
VAIO DeepSea Wallpaper
VAIO music transfer 1.1
VAIO Online Registration (English)
VAIO System Information
VAIO Web Phone
VERITAS RecordNow
VERITAS Update Manager
VOR
WebEx
WebFldrs XP
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinMX
WinZip

==== Event Viewer Messages From Past Week ========

18/12/2008 04:05:39, error: PlugPlayManager [11] - The device Root\LEGACY_FSBL\0000 disappeared from the system without first being prepared for removal.
16/12/2008 18:21:53, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ec54ac7c, parameter3 ec5617f0, parameter4 00000000.
18/12/2008 09:47:59, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed6eab75, parameter3 ed3c37f0, parameter4 00000000.
18/12/2008 09:54:54, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed775b75, parameter3 ec1d17f0, parameter4 00000000.
18/12/2008 10:09:33, error: Print [19] - Sharing printer failed + 1722, Printer HP LaserJet 2100 share name Printer.
18/12/2008 10:09:59, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed8efb75, parameter3 ec3a97f0, parameter4 00000000.
18/12/2008 10:17:46, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 eda79b75, parameter3 ed6f77f0, parameter4 00000000.
18/12/2008 10:18:45, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed612b75, parameter3 ec3da7f0, parameter4 00000000.
18/12/2008 10:21:16, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed54db75, parameter3 ec1ad7f0, parameter4 00000000.
18/12/2008 10:30:47, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 edd66b75, parameter3 ed1e07f0, parameter4 00000000.
18/12/2008 10:37:37, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 edd6eb75, parameter3 ed1a27f0, parameter4 00000000.
18/12/2008 14:36:53, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
18/12/2008 14:36:56, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
18/12/2008 14:37:41, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
18/12/2008 18:47:02, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.2. The machine with the IP address 192.168.0.4 did not allow the name to be claimed by this machine.
19/12/2008 10:40:17, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 eddacb75, parameter3 ec8d37f0, parameter4 00000000.
19/12/2008 10:57:37, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ede91b75, parameter3 ecda77f0, parameter4 00000000.
19/12/2008 12:52:02, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 edd93b75, parameter3 ed4f57f0, parameter4 00000000.
20/12/2008 09:04:13, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed6e3b75, parameter3 eb40d7f0, parameter4 00000000.
20/12/2008 10:13:33, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
20/12/2008 10:26:32, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed7c5b75, parameter3 ece6b7f0, parameter4 00000000.
22/12/2008 08:01:01, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 ed7a8b75, parameter3 ec2f77f0, parameter4 00000000.

==== End Of File ===========================
 
Hi

You seem to have both Norton and F-Secure installed there. Multiple antivirus products may conflict with each other and cause instability. That's why it's recommended to have only one installed in same system. Decide which one you want to keep.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
     and OK any prompts.
  • Restart your computer

Download ResetTeaTimer.bat to the Desktop (right click the link and select save)
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Stuck

I noticed the Norton files in the list. The computer came with Norton but it gave me problems so I changed to F Secure about 3 years ago, and thought I'd uninstalled Norton.

Norton is not listed in my choices to Uninstall in the add/Remove programmes within the control panel, and only has an option to setup in my Start> All Programmes list.

There are 2 folders Norton Ativirus and Norton Antivirus Setup in my C> Program Files - should I delete these, will that get rid of anything running in the background?

Another problem: Spybot will not launch, not even in safe mode ...... would it help to temporarily (try to!) uninstall Spybot?

Thanks,

Val
 
Hi Val

Better try official Norton removal tool here.

Yes, you may temporarily uninstall Spybot.
 
Half way through the first stage..........

I was able to run the Norton removal tool, but I am unable to uninstall Spybot, even in Safe Mode.

I get the error message

"An error occurred while trying to remove Spybot - Search and Destroy. It may have already been uninstalled. Would you like to remove Spybot Search and Destroy from the Add or Remove programs list?".

It won't run, either, for me to disable TeaTimer.

Any ideas?

Thanks,

Val
 
Hi

Guess we have to leave TeaTimer on for now then. Move on to ComboFix part :santa:
 
Merry Christmas and will get back after the w/e

Need to concentrate on this so not likely to get the chance now for a couple of days.

Just want to wish you all the best and let you know how much we all appreciate your dedication & help.

Hope you have a lovely Christmas.

Val
 
Combofix won't run

Of course when I connect to the bleepingcomputer/combofix website the computer immediately shuts down.

So I downloaded both the Combofix and Recovery utilites on to a floppy, transferred both to the problem computer, followed all the instructions and tried to start Combofix.

It won't run ~ whatever the problem is on that computer, it is blocking

updates to F secure
access to websites
any programmes that might help fix the problem.....including Combofix.

Have you come across this before? Am I going to have to wipe the hard drive? I hope not.

Thanks, Val
 
Hi

Please rename ComboFix.exe -> CombiFxx.exe and try running it.
 
Hi

Ok. Please try run renamed ComboFix in safe mode.


Download GMER and save it your desktop:
  • Extract it to your desktop and double-click GMER.exe
  • Click rootkit-tab and then scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log in your reply.
 
Step 1: Renamed Combofix in Safe mode

Hi Blade81,

Combofix worked in safe mode!!!

Here is the log:

ComboFix 08-12-26.03 - Val 2008-12-27 16:54:23.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.822 [GMT 0:00]
Running from: c:\documents and settings\Val\Desktop\CombiFxx.exe
AV: F-Secure Internet Security 2009 9.00 *On-access scanning disabled* (Updated)
FW: F-Secure Internet Security 2009 9.00 *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\.log
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\smdat32m.sys
c:\windows\system32\124909
c:\windows\system32\drivers\TDSSmhlt.sys
c:\windows\system32\Drivers\TDSSmqlt.sys
c:\windows\system32\lphc1c2j0eec7.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\TDSSbutv.log
c:\windows\system32\TDSShlxr.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSnmxh.dll
c:\windows\system32\TDSSoiqn.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSorvd.dll
c:\windows\system32\TDSSrtql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\winver.exe
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys
-------\Legacy_NTMLSVC
-------\Service_NtmlSvc


((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-23 18:27 . 2008-12-23 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-18 19:53 . 2008-12-18 19:53 <DIR> d-------- c:\program files\Hijack This
2008-12-18 14:39 . 2008-12-18 14:39 <DIR> d-------- c:\program files\Val
2008-12-18 09:13 . 2008-12-18 09:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 07:40 . 2008-12-18 07:40 149 --a------ c:\windows\wininit.ini
2008-12-12 22:30 . 2008-12-12 22:30 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-12 22:30 . 2008-12-12 22:30 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 12:50 --------- d-----w c:\documents and settings\Val\Application Data\MailWasherPro
2008-12-23 18:29 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-23 12:04 --------- d-----w c:\program files\SPSS
2008-12-22 13:39 2,581 ----a-w c:\windows\panose.bin
2008-12-18 09:15 --------- d-----w c:\program files\Spybot
2008-12-18 09:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-18 02:15 --------- d-----w c:\program files\F-Secure Internet Security
2008-12-12 13:05 155 ----a-w C:\43566574.bat
2008-12-10 08:31 --------- d-----w c:\program files\Actinic V9
2008-12-08 09:32 --------- d-----w c:\program files\CuteFTP
2008-12-08 09:30 --------- d-----w c:\program files\Common Files\Adobe
2008-12-08 08:18 --------- d-----w c:\program files\Actinic
2008-11-26 08:36 --------- d-----w c:\program files\Kodak
2008-11-03 18:29 --------- d-----w c:\program files\SearchRelevant
2008-11-03 16:30 30,856 ----a-w c:\windows\system32\drivers\fsbts.sys
2008-11-03 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure
2008-11-03 15:59 --------- d-----w c:\documents and settings\All Users\Application Data\fssg
2008-11-03 15:54 --------- d-----w c:\program files\F Secure
2008-10-29 19:08 --------- d-----w c:\program files\Pinnacle
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 23040]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"InstantAccess"="c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1999-12-14 37376]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 823296]
"MXOBG"="c:\windows\MXOALDR.EXE" [2005-10-18 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-19 98304]
"UPSMON"="c:\program files\UPSMON\UPSMON.exe" [2005-03-30 429568]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2008-06-25 182936]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-06-25 957024]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 c:\windows\LTSMMSG.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 23040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Val\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.Lnk [2008-09-20 765]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-20 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-04 113664]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 111376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]
2008-07-26 12:19 33280 c:\windows\system32\winpdc32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= miroDV2avi.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Terrapin FTP\\ftp95.exe"=
"c:\\Program Files\\Actinic V9\\Catalog.exe"=

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-03 79904]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2008-11-03 30856]
S1 F-Secure HIPS;F-Secure HIPS Driver;\??\c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [2008-11-03 66720]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\windows\TEMP\F-Secure\Anti-Virus\fsblsrv.exe []
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2008-11-03 72288]
S3 FSORSPClient;F-Secure ORSP Client;"c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe" [2008-11-03 55904]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [2002-08-01 815819]
S3 PhTVTune;Sony TV Tuner (4830) WDM TVTuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2003-03-10 27520]
S3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2004-07-30 217472]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2004-07-30 17277]
S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2004-07-30 86648]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2008-11-03 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2008-11-03 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\Disk Defragmenter.job
- c:\documents and settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk [2002-12-04 19:16]

2008-12-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-12-27 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-07-07 09:42]

2008-12-23 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2004-08-04 07:56]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
Trusted Zone: *.sony-europe.com
Trusted Zone: *.sonystyle-europe.com
Trusted Zone: *.vaio-link.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: UKOnLineSigningApplet - hxxps://customs.hmrc.gov.uk/gg/UKOnLineSigningApplet.cab
c:\windows\Downloaded Program Files\UKOnLineSigningApplet.osd

c:\windows\Downloaded Program Files\RdxIE.dll - O16 -: {56336BCB-3D8A-11D6-A00B-0050DA18DE71}
hxxp://207.188.7.150/038ee7240e2da384e606/netzip/RdxIE601.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 17:01:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d???????0G?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\winpdc32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-12-27 17:06:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 17:06:11

Pre-Run: 3,003,777,024 bytes free
Post-Run: 3,490,111,488 bytes free

210


I haven't run GMER yet, will await instructions.

Val
 
Good. Let's leave GMER for now.

Are you now able to disable TeaTimer? If not, do disabling by fixing an entry with hjt by following instructions below. Otherwise you may skip over hjt part

Start hjt, do a system scan, check (if found, following one appears little differently in the log):
04 [SpybotSD TeaTimer] c:\program files\spybot\spybot - search & destroy\TeaTimer.exe

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\43566574.bat
c:\windows\system32\winpdc32.dll

Folder::
c:\program files\SearchRelevant

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpdc32]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & above mentioned ComboFix log.
 
Wow!

Yes - was able to launch Spybot and disable Teatimer.

Combofix ran in normal (not just Safe) mode.

It didn't have to end any processes.

Combofix log2.txt:

ComboFix 08-12-26.03 - Val 2008-12-27 22:01:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.629 [GMT 0:00]
Running from: c:\documents and settings\Val\Desktop\CombiFxx.exe
Command switches used :: h:\computer fix stuff\CFScript.txt
AV: F-Secure Internet Security 2009 9.00 *On-access scanning disabled* (Updated)
FW: F-Secure Internet Security 2009 9.00 *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\43566574.bat
c:\windows\system32\winpdc32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\43566574.bat
c:\program files\SearchRelevant
c:\windows\system32\winpdc32.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

2008-12-23 18:27 . 2008-12-23 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-18 19:53 . 2008-12-18 19:53 <DIR> d-------- c:\program files\Hijack This
2008-12-18 14:39 . 2008-12-18 14:39 <DIR> d-------- c:\program files\Val
2008-12-18 09:13 . 2008-12-18 09:13 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-18 07:40 . 2008-12-18 07:40 149 --a------ c:\windows\wininit.ini
2008-12-12 22:30 . 2008-12-12 22:30 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-12 22:30 . 2008-12-12 22:30 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 21:48 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 12:50 --------- d-----w c:\documents and settings\Val\Application Data\MailWasherPro
2008-12-23 18:29 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-23 12:04 --------- d-----w c:\program files\SPSS
2008-12-22 13:39 2,581 ----a-w c:\windows\panose.bin
2008-12-18 09:15 --------- d-----w c:\program files\Spybot
2008-12-18 02:15 --------- d-----w c:\program files\F-Secure Internet Security
2008-12-10 08:31 --------- d-----w c:\program files\Actinic V9
2008-12-08 09:32 --------- d-----w c:\program files\CuteFTP
2008-12-08 09:30 --------- d-----w c:\program files\Common Files\Adobe
2008-12-08 08:18 --------- d-----w c:\program files\Actinic
2008-11-26 08:36 --------- d-----w c:\program files\Kodak
2008-11-03 16:30 30,856 ----a-w c:\windows\system32\drivers\fsbts.sys
2008-11-03 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\F-Secure
2008-11-03 15:59 --------- d-----w c:\documents and settings\All Users\Application Data\fssg
2008-11-03 15:54 --------- d-----w c:\program files\F Secure
2008-10-29 19:08 --------- d-----w c:\program files\Pinnacle
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="c:\windows\htpatch.exe" [2002-10-31 28672]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 23040]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-05-02 4640768]
"InstantAccess"="c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1999-12-14 37376]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2004-12-22 823296]
"MXOBG"="c:\windows\MXOALDR.EXE" [2005-10-18 94208]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-19 98304]
"UPSMON"="c:\program files\UPSMON\UPSMON.exe" [2005-03-30 429568]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2008-06-25 182936]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-06-25 957024]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"nwiz"="nwiz.exe" [2003-05-02 c:\windows\system32\nwiz.exe]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 c:\windows\LTSMMSG.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 c:\windows\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 23040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Val\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.Lnk [2008-09-20 765]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-20 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-12-04 113664]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-20 111376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= miroDV2avi.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Terrapin FTP\\ftp95.exe"=
"c:\\Program Files\\Actinic V9\\Catalog.exe"=

R0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2008-11-03 30856]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-11-03 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;\??\c:\program files\F-Secure Internet Security\HIPS\drivers\fshs.sys [2008-11-03 66720]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [2008-11-03 72288]
R3 FSORSPClient;F-Secure ORSP Client;"c:\program files\F-Secure Internet Security\ORSP Client\fsorsp.exe" [2008-11-03 55904]
R3 PhTVTune;Sony TV Tuner (4830) WDM TVTuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2003-03-10 27520]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\windows\TEMP\F-Secure\Anti-Virus\fsblsrv.exe []
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [2002-08-01 815819]
S3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2004-07-30 217472]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2004-07-30 17277]
S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2004-07-30 86648]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2008-11-03 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2008-11-03 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - UPSMONSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\Disk Defragmenter.job
- c:\documents and settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk [2002-12-04 19:16]

2008-12-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-12-27 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-SECU~1\ANTI-V~1\fsav.exe [2008-06-25 13:41]

2008-12-27 c:\windows\Tasks\Spybot - Search & Destroy.job
- c:\progra~1\SPYBOT~1\SpybotSD.exe [2008-07-07 09:42]

2008-12-23 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2004-08-04 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
Trusted Zone: *.sony-europe.com
Trusted Zone: *.sonystyle-europe.com
Trusted Zone: *.vaio-link.com

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: UKOnLineSigningApplet - hxxps://customs.hmrc.gov.uk/gg/UKOnLineSigningApplet.cab
c:\windows\Downloaded Program Files\UKOnLineSigningApplet.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-27 22:06:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d???????0G?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(644)
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(564)
c:\program files\F-Secure Internet Security\FWES\Program\fsdc32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\F-Secure Internet Security\Anti-Virus\fsgk32.exe
c:\program files\F-Secure Internet Security\Common\FSMB32.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\F-Secure Internet Security\Common\FCH32.EXE
c:\program files\F-Secure Internet Security\Common\FAMEH32.EXE
c:\program files\F-Secure Internet Security\Anti-Virus\fsqh.exe
c:\program files\F-Secure Internet Security\FSPC\fspc.exe
c:\program files\F-Secure Internet Security\FSAUA\program\fsaua.exe
c:\program files\F-Secure Internet Security\Anti-Virus\fssm32.exe
c:\program files\F-Secure Internet Security\FWES\program\fsdfwd.exe
c:\program files\F-Secure Internet Security\FSAUA\program\fsus.exe
c:\progra~1\F-SECU~1\ANTI-V~1\fsav32.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\F-SECU~1\Common\FSM32.EXE
c:\program files\Microsoft Office\Office\MSOFFICE.EXE
c:\program files\UPSMON\UPSMON_Service.exe
c:\progra~1\F-SECU~1\FSGUI\fsguidll.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-12-27 22:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-27 22:13:14
ComboFix2.txt 2008-12-27 17:06:15

Pre-Run: 2,443,509,760 bytes free
Post-Run: 2,380,857,344 bytes free

220



ESET is taking a while to run:

Hmm ...30 minutes in, 63 threats found so far. Maybe not all are serious threats, but my 'security' obviously needs a review...............

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3719 (20081227)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=7422db453a4376429ab161212d224818
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-27 11:10:34
# local_time=2008-12-27 11:10:34 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=384568
# found=132
# scan_time=2895
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\02 Light My Fire.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan F2F7199733169E9137920CEBFF0998D4
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\05 Track 5.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 5A002442DB48F4C76C882C8AD3F8A14E
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\14 Midnight at the Oases.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan AF3802193C6BC5C95815443CED2405FE
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\albinoni adagio g minor.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 37B771A7938CFE87E664E68DB159ED7C
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\masquerade1.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 650EC5AFEEE0DFCA93D0A6C13EF91DFE
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\perdono.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 15F19A0CF873A2E2A9513475ED2FFCD6
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\Breed 77\Cultura\04 - A Matter Of Time.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 28271C1A26FB6AE4D9132F47931C4C05
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\Breed 77\Cultura\05 - World's On Fire.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan C0CA92D934A415709EA6804C37C19373
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\01 - Track01.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 017BCEDB4151F9C8B8BDC4EE9A3B8142
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\02 - Track02.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 21A6D0BB5AA964F33F32B3C3DF314415
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\03 - Track03.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 241AE689B8A77269328E6CA88E18491D
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\04 - Track04.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan C5446B4F6E4A6ABC8BBEA0238800CB70
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\05 - Track05.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 8D86100EC48DAA398BCEF96F95C2567B
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\06 - Track06.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 942F9DD555BA9F5204833ACAF57D39C4
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\07 - Track07.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 3B1AA8C6DEF9A1F98EE22DCC26996B4A
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\08 - Track08.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2DF56C89C4B2D5D6E347936FD7185569
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\09 - Track09.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 4D59AE09388AF7636184F42A11BF059A
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\10 - Track10 (1).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan E9B2D339EA0D01CB1596199C16554F37
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\10 - Track10.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan DC14F290B77B948430F8D08B5DF7AF8F
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\11 - Track11.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 12B2D8247A8DA3376282FD23CF7D34FE
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\12 - Track12.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan BBDF707EB19A292A184EB22CB0A2D450
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\Pagan Poetry.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan DE11C01632D9C6CC3867AE27A854A13E
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\Play Dead.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 070E3E47A2E701AB6C36F7E61FB53E45
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\02 Light My Fire.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan AB56C903C50156776C15C1414B5BA3E2
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\05 Track 5.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan AE6E058CD0FDDE33A342AB87CACB0090
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\14 Midnight at the Oases.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 679BA331AB9EF7454C9FB7519F048757
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\albinoni adagio g minor.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan D0CBE8E25FF1449B0E5C1FB8DF6E7F2C
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\masquerade1.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 487E9E783176EF67590127BE3BC15FD5
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\perdono.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan A896F75DCE270391D2E0C17C9B7FC43C
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\unknown artist\unknown album\Pagan Poetry.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 4977EC85C2AA62372075599FD0BBF6D3
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\unknown artist\unknown album\Play Dead.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 87D18C08B1C1AD801DF3EB64F22DC47C
C:\MSOFFICE\WINWORD\TEMPLATE\EYE - Girl.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan AD3CBA5928776758B901DB2504E242AC
C:\MSOFFICE\WINWORD\TEMPLATE\rocknrollsong.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan CB267BA4891D0F851AD157EE2D738BDA
C:\Program Files\Movie Maker\sample.asf a variant of WMA/TrojanDownloader.GetCodec.gen trojan DBF1C2BD314121077DAEE038F1763D8D
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Baby.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2ECFB344046FA6D41D379139425D7F6E
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Birthday.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan C97104AFCC506C67F4EA8F84BBEF8F7F
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Butterflies.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan C5EA0C5262096184AA94F715AF966006
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\christmast.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan D0FD10F9B4ADF92E92A070524E286864
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Fall.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan CBC5D2BAAC7909A9678DB15D4258F93C
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Food.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan D71BD6F280361A27EF8670BFEE049281
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Generic.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 6AFAE4971913540D36F6D3DCAE16487D
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Golf.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 4873320830A21F32F08865F583C4EBF6
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\HalloweenNight.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan CE594EE35A1F0BEADC206EF495F00A21
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\IslandVacation.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 8389DB5C49050DEAAEE08779FAF8071D
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Kids.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 89EA64BEDBE39B7F23FF168A71D564F3
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Kids2.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 08563A1C39836F687A0362D4691A8438
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\PinkRose.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 611DC00B5E96B1C1BF5A75E27CCEDB67
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Romance.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan EA8D56EC463A0D4FCAD40986E3D6EC80
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\RTR.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 6F842CD7CEE3267A1576D91B13FE9CDB
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\SpecialReport.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 842D500D87E3CA8B908EB69BF880C5C7
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Sport.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan AF8CAC59ABB3575B46301ABA92293B07
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Travel.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 4E1E4873757A5BDD17242098FE8C3D6B
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Vacation.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan CAE48E43289C2B936FDD401077274305
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\Winter.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan DF0358E646D8F2B2C726EB8FD312B309
C:\Program Files\Roxio\Easy CD Creator 6\PMStudio\Themes\XSport.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan F9273FC048C9CE2F316CEFBEA4ACEB27
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSlxwp.dll.vir Win32/Agent.ODG trojan 697DE522509C28C9998D9933E3FA6FB7
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqn.dll.vir Win32/Agent.ODG trojan 279870E583A509406AC7E1727AD26F06
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSorvd.dll.vir Win32/Agent.ODG trojan 3F28E5E6A394E7F668D701B1F7125B64
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSrtql.dll.vir Win32/Agent.OIK trojan 0EAF34F90B433A3C5642ECEA7FD70D1F
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Win32/Agent.OIK trojan 151FF4CDF759481534A1535F0F03160D
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Win32/Agent.ODG trojan 660C4C5289238B0BE7763D290A2E4FAD
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip »ZIP »TDSSmhlt.sys Win32/Agent.ODG trojan 00000000000000000000000000000000
C:\TEMP\NCasePackage.0xe Win32/Adware.180Solutions application 5C3D1C02455E35822FBB5942C748DEC1
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\copycd.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan F0E367F932F7924B1C139FF29EEA548E
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\mdlib.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan 72E64E20E42CF2F40F107EE1C214EFA1
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\nuskin.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan AC675B168D65920977816694AB75921A
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\rtuner.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan CCD8628A9708A2C8F41EC7DA8BA29AA8
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\viz.wmv a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2329C5820BC3BD9162D6E1160153AAE7
C:\WINDOWS\system32\dms.0ll Win32/PSW.Lineage.NCL trojan 37840417E14C48E05BB558E60CE86273
C:\WINDOWS\system32\oobe\images\title.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 106FF3979082366E5CFBD0063031B01D
D:\Christopher\Creed\Weathered\06 My Sacrifice.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 1FB39DCB5BE75EE70B18E53AF81AA29D
D:\Christopher\Metallica\Garage, Inc. Disc 1\09 Whiskey in the Jar.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 8D7E3FE718F4A09DB5999306FBDCEB61
D:\Christopher\Placebo\Black Market Music\01 Taste in Men.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan A1EB11E6F27975A751C23F3622D52533
D:\Christopher\Unknown Artist\Unknown Album (07-05-2005 09-35-02)\01 Enter Sandman.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 59BE4D346704E8F3CD6D0FD4F81FE8D8
D:\Christopher\Unknown Artist\Unknown Album (07-05-2005 09-35-02)\02 To the Moon & Back.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 562E74966793087B712B97B7CEE0FB1A
D:\Christopher\Unknown Artist\Unknown Album (30-12-2003 15-52-47)\lily was here.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2B4C21F2E59842E7F83ECA6A0E6743E1
D:\Christopher\Unknown Artist\Unknown Album (30-12-2003 15-52-47)\masquerade.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 71F1259C523010C005F3BBE2245AF387
D:\Val's Favourites 2\02 Light My Fire.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan FB91BDDC2B8BBC8F8B07C0806E8D23EC
D:\Val's Favourites 2\05 Primer Amor (Interlude).wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan D7EFFCF4CFF6C2AA1D956E234AA3A65B
D:\Val's Favourites 2\11 ForgetHer.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan E2F2B2CA89674AEEB7265206EAC44C3C
D:\Val's Favourites 2\Cream\BBC Sessions\15 Strange Brew [#].wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2F240F518487F64CCE8CF5943B3C47F0
D:\Val's Favourites 2\Cream\BBC Sessions\17 Tales of Brave Ulysses [#].wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 98C218FEFBD0F80A61591E8B1D9F5DB1
D:\Val's Favourites 2\Cream\BBC Sessions\23 Sunshine of Your Love [#].wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 577C85FD8371B714111D7EC4E3E04ABB
D:\Val's Favourites 2\Django Reinhardt\Complete, Vol. 18- 1949-50 I'll Never Be the Same Disc 1\02 El Manisero (Peanuts Vendor).wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2A996B1804AB379CCAED88D6540EDAB4
D:\Val's Favourites 2\Mina\Del Mio Meglio\01 Io Vivro (Senza Te).wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 27195A078B7053BDFAB93CD6702DEF8A
D:\Val's Favourites 2\Mina\Del Mio Meglio\09 Bugiardo E Incosciente.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 5D7B1F36FE0B07D78CF5504F6D5762DC
D:\Val's Favourites 2\Mina\Del Mio Meglio\10 Insieme.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan CBD0608E8C048D0B7FAF397D36098A36
D:\Val's Favourites 2\Mina\Del Mio Meglio\12 Non Credere.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 0E7DE4EB11A5B8D6616082552F3177DA
D:\Val's Favourites 2\Unknown Artist\Unknown Album (05-11-2007 14-20-07)\10 10 Track 10.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan AEB133A9076787C57EA0724FF6EF8197
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\01 01 Track 1.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 32F2ADAD45E3CAE01E4320296C18DC47
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\02 02 Track 2.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan D8A23B8A5A2687A80E7382E3166D651E
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\03 03 Track 3.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan E6E934B3D9C639708A41558661AD75E1
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\04 04 Track 4.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 1C4092F7BD34F9AB410D0F6554EE1A0B
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\05 05 Track 5.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan E0D3551193B31B8F98E0008D0CBFEDEF
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\06 06 Track 6.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan BB74F0EE83D4BDC8408DF2D524378609
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\07 07 Track 7.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 69D19EE60848149100E821A508B62BC1
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\08 08 Track 8.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan A76C9C56C0AA8D61247C4B67B46D75C3
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\09 09 Track 9.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 6DEF730F4EF5803BE41033CA9F8F130A
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\10 10 Track 10.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 32DC24038774AFABF1E058407ADB5BC9
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\11 11 Track 11.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan EF19269CEBC2CA9E6527DD83BC628BBF
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\12 12 Track 12.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan F408C713A796F693449C3340E65D8DC6
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\13 13 Track 13.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 7E636A4E22A0F2109BBB4201F6A697C0
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\14 14 Track 14.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 8340FEF27423946ACCEBE87143941CC9
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\15 15 Track 15.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan BD1EAFFF0F00883F12C869C55E41EDFB
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\16 16 Track 16.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 9FADF9C8DC99B3AC69058DA18F917F53
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\01 01 Track 1.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan B23838EC7AB7AF9F6BC8408B3A594493
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\02 02 Track 2.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan ECE45BD7D6C64ABD0E291A40534A2419
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\03 03 Track 3.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 38318F05583667308A0C13AD4B882F3D
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\04 04 Track 4.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan E069672B781FB1E682AE3A51C4157807
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\05 05 Track 5.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 34D49D1E7C5508BB655531C8E76FEDED
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\06 06 Track 6.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 2713C02F1DCCC5C3741A1ADC1F777472
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\17 17 Track 17.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 841B8DFB19C3CE853A8D5D454CE594BA
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\18 18 Track 18.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 06F32F29048BB9B03B02B7625831C717
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\19 19 Track 19.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan E1636ADC9749017EE839ABF37EFBE5CA
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\20 20 Track 20.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan CDB35E443571C95A6C83E93A3C19487C
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\21 21 Track 21.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan FD850ECF70655F47D06FAE177DBA131F
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\22 22 Track 22.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 8BE00DD12F95BE70B111F4ACF8847CF7
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\23 23 Track 23.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 28822CDBC166AE0311F65A32ADD95E56
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\24 24 Track 24.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan B28ACDE836F54A6480C2591B87E18F75
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\25 25 Track 25.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan F03FFCC32BFEAAF8DC6A2C2C95684DB7
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\26 26 Track 26.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 32E615E2C6DDDBCE346C63A2D5E39833
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\27 27 Track 27.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 80D78629D0DF10ADC35C95E68EF7A9F4
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\28 28 Track 28.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 26E8080D6E10F3CA0E6C98079189FDF7
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\29 29 Track 29.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan D923B9BD9D88516EA09F1A18A5909B10
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\30 30 Track 30.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 7FBD88A82831E4E8349DF99CE11650B8
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\31 31 Track 31.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan DEDB465D132C350182D73D8A3FE7BDD0
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\32 32 Track 32.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 72EC91CAE988E9C10ED5A7C0B8C0770A
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\33 33 Track 33.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 9B175BC49440497E68DAC7D83FC75DCC
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\34 34 Track 34.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 9DB8A752EB8233CDFB4FED9AE4C685C5
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\35 35 Track 35.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 6DCAD70A7F92C832E6A61FADB7999A71
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\36 36 Track 36.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan E2B35358FB69E17DBEDD7BD877161B2F
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\37 37 Track 37.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 5B07B540084C68FE9F6A9B57D86C1DEC



HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14:12, on 27/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\Common\FSLAUNCH.EXE
C:\Documents and Settings\Val\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ftp - {35D77FA0-5F09-4FFF-832F-ABC35F7AAE08} - C:\Program Files\Terrapin FTP\ftp95.exe (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dial.pipex.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: UKOnLineSigningApplet - https://customs.hmrc.gov.uk/gg/UKOnLineSigningApplet.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://spssevents.webex.com/client/T24L/event/ieatgpc.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369h/rnl/java/RntX.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe

--
End of file - 11797 bytes


Val
 
Hi

Looks like there're some false positives among the ESET findings.


We need to execute an OTMoveIt3 script
  1. Please download OTMoveIt3 by OldTimer and save it to your desktop.
  2. Double click theOTMoveIt3 icon on your desktop.
  3. Paste the following code under the Paste Fix Here area. Do not include the word
    Code
    .
    Code: 
    :Files
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\02 Light My Fire.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\05 Track 5.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\14 Midnight at the Oases.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\albinoni adagio g minor.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\masquerade1.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\perdono.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\Breed 77\Cultura\04 - A Matter Of Time.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\Breed 77\Cultura\05 - World's On Fire.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\01 - Track01.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\02 - Track02.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\03 - Track03.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\04 - Track04.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\05 - Track05.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\06 - Track06.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\07 - Track07.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\08 - Track08.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\09 - Track09.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\10 - Track10 (1).mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\10 - Track10.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\11 - Track11.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\12 - Track12.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\Pagan Poetry.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\Play Dead.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\02 Light My Fire.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\05 Track 5.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\14 Midnight at the Oases.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\albinoni adagio g minor.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\masquerade1.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\perdono.wma
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\unknown artist\unknown album\Pagan Poetry.mp3
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\unknown artist\unknown album\Play Dead.mp3
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSlxwp.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqn.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSorvd.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSrtql.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip
C:\TEMP\NCasePackage.0xe
C:\WINDOWS\system32\dms.0ll
D:\Christopher\Creed\Weathered\06 My Sacrifice.wma
D:\Christopher\Metallica\Garage, Inc. Disc 1\09 Whiskey in the Jar.wma
D:\Christopher\Placebo\Black Market Music\01 Taste in Men.wma
D:\Christopher\Unknown Artist\Unknown Album (07-05-2005 09-35-02)\01 Enter Sandman.wma
D:\Christopher\Unknown Artist\Unknown Album (07-05-2005 09-35-02)\02 To the Moon & Back.wma
D:\Christopher\Unknown Artist\Unknown Album (30-12-2003 15-52-47)\lily was here.wma
D:\Christopher\Unknown Artist\Unknown Album (30-12-2003 15-52-47)\masquerade.wma
D:\Val's Favourites 2\02 Light My Fire.wma
D:\Val's Favourites 2\05 Primer Amor (Interlude).wma
D:\Val's Favourites 2\11 ForgetHer.wma
D:\Val's Favourites 2\Cream\BBC Sessions\15 Strange Brew [#].wma
D:\Val's Favourites 2\Cream\BBC Sessions\17 Tales of Brave Ulysses [#].wma
D:\Val's Favourites 2\Cream\BBC Sessions\23 Sunshine of Your Love [#].wma
D:\Val's Favourites 2\Django Reinhardt\Complete, Vol. 18- 1949-50 I'll Never Be the Same Disc 1\02 El Manisero (Peanuts Vendor).wma
D:\Val's Favourites 2\Mina\Del Mio Meglio\01 Io Vivro (Senza Te).wma
D:\Val's Favourites 2\Mina\Del Mio Meglio\09 Bugiardo E Incosciente.wma
D:\Val's Favourites 2\Mina\Del Mio Meglio\10 Insieme.wma
D:\Val's Favourites 2\Mina\Del Mio Meglio\12 Non Credere.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (05-11-2007 14-20-07)\10 10 Track 10.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\01 01 Track 1.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\02 02 Track 2.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\03 03 Track 3.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\04 04 Track 4.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\05 05 Track 5.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\06 06 Track 6.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\07 07 Track 7.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\08 08 Track 8.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\09 09 Track 9.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\10 10 Track 10.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\11 11 Track 11.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\12 12 Track 12.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\13 13 Track 13.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\14 14 Track 14.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\15 15 Track 15.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\16 16 Track 16.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\01 01 Track 1.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\02 02 Track 2.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\03 03 Track 3.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\04 04 Track 4.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\05 05 Track 5.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\06 06 Track 6.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\17 17 Track 17.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\18 18 Track 18.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\19 19 Track 19.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\20 20 Track 20.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\21 21 Track 21.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\22 22 Track 22.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\23 23 Track 23.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\24 24 Track 24.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\25 25 Track 25.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\26 26 Track 26.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\27 27 Track 27.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\28 28 Track 28.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\29 29 Track 29.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\30 30 Track 30.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\31 31 Track 31.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\32 32 Track 32.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\33 33 Track 33.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\34 34 Track 34.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\35 35 Track 35.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\36 36 Track 36.wma
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\37 37 Track 37.wma
  4. Push the large MoveIt button.
  5. OTMI3 may ask to reboot the machine. Please do so if asked.
  6. Copy/Paste the contents under the Results line here in your next reply with a fresh hjt log. How's the system running now?
  7. If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Much better

Hi,

OTMI3 didn't ask me to re-boot.

Results:

========== FILES ==========
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\02 Light My Fire.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\05 Track 5.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\14 Midnight at the Oases.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\albinoni adagio g minor.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\masquerade1.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\perdono.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\Breed 77\Cultura\04 - A Matter Of Time.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\Breed 77\Cultura\05 - World's On Fire.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\01 - Track01.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\02 - Track02.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\03 - Track03.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\04 - Track04.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\05 - Track05.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\06 - Track06.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\07 - Track07.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\08 - Track08.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\09 - Track09.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\10 - Track10 (1).mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\10 - Track10.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\11 - Track11.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\12 - Track12.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\Pagan Poetry.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Music\unknown artist\unknown album\Play Dead.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\02 Light My Fire.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\05 Track 5.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\14 Midnight at the Oases.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\albinoni adagio g minor.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\masquerade1.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\perdono.wma moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\unknown artist\unknown album\Pagan Poetry.mp3 moved successfully.
C:\Documents and Settings\Val\My Documents\Existing folders\My Pictures\My Music\unknown artist\unknown album\Play Dead.mp3 moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSlxwp.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqn.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSorvd.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSrtql.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip moved successfully.
C:\TEMP\NCasePackage.0xe moved successfully.
C:\WINDOWS\system32\dms.0ll moved successfully.
D:\Christopher\Creed\Weathered\06 My Sacrifice.wma moved successfully.
D:\Christopher\Metallica\Garage, Inc. Disc 1\09 Whiskey in the Jar.wma moved successfully.
D:\Christopher\Placebo\Black Market Music\01 Taste in Men.wma moved successfully.
D:\Christopher\Unknown Artist\Unknown Album (07-05-2005 09-35-02)\01 Enter Sandman.wma moved successfully.
D:\Christopher\Unknown Artist\Unknown Album (07-05-2005 09-35-02)\02 To the Moon & Back.wma moved successfully.
D:\Christopher\Unknown Artist\Unknown Album (30-12-2003 15-52-47)\lily was here.wma moved successfully.
D:\Christopher\Unknown Artist\Unknown Album (30-12-2003 15-52-47)\masquerade.wma moved successfully.
D:\Val's Favourites 2\02 Light My Fire.wma moved successfully.
D:\Val's Favourites 2\05 Primer Amor (Interlude).wma moved successfully.
D:\Val's Favourites 2\11 ForgetHer.wma moved successfully.
D:\Val's Favourites 2\Cream\BBC Sessions\15 Strange Brew [#].wma moved successfully.
D:\Val's Favourites 2\Cream\BBC Sessions\17 Tales of Brave Ulysses [#].wma moved successfully.
D:\Val's Favourites 2\Cream\BBC Sessions\23 Sunshine of Your Love [#].wma moved successfully.
D:\Val's Favourites 2\Django Reinhardt\Complete, Vol. 18- 1949-50 I'll Never Be the Same Disc 1\02 El Manisero (Peanuts Vendor).wma moved successfully.
D:\Val's Favourites 2\Mina\Del Mio Meglio\01 Io Vivro (Senza Te).wma moved successfully.
D:\Val's Favourites 2\Mina\Del Mio Meglio\09 Bugiardo E Incosciente.wma moved successfully.
D:\Val's Favourites 2\Mina\Del Mio Meglio\10 Insieme.wma moved successfully.
D:\Val's Favourites 2\Mina\Del Mio Meglio\12 Non Credere.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (05-11-2007 14-20-07)\10 10 Track 10.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\01 01 Track 1.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\02 02 Track 2.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\03 03 Track 3.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\04 04 Track 4.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\05 05 Track 5.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\06 06 Track 6.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\07 07 Track 7.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\08 08 Track 8.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\09 09 Track 9.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\10 10 Track 10.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\11 11 Track 11.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\12 12 Track 12.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\13 13 Track 13.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\14 14 Track 14.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\15 15 Track 15.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-03)\16 16 Track 16.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\01 01 Track 1.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\02 02 Track 2.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\03 03 Track 3.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\04 04 Track 4.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\05 05 Track 5.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\06 06 Track 6.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\17 17 Track 17.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\18 18 Track 18.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\19 19 Track 19.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\20 20 Track 20.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\21 21 Track 21.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\22 22 Track 22.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\23 23 Track 23.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\24 24 Track 24.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\25 25 Track 25.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\26 26 Track 26.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\27 27 Track 27.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\28 28 Track 28.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\29 29 Track 29.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\30 30 Track 30.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\31 31 Track 31.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\32 32 Track 32.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\33 33 Track 33.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\34 34 Track 34.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\35 35 Track 35.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\36 36 Track 36.wma moved successfully.
D:\Val's Favourites 2\Unknown Artist\Unknown Album (09-09-2007 21-23-04)\37 37 Track 37.wma moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12282008_105135


New HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:17, on 28/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\UPSMON\UPSMON.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\UPSMON\UPSMON_Service.Exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Val\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ftp - {35D77FA0-5F09-4FFF-832F-ABC35F7AAE08} - C:\Program Files\Terrapin FTP\ftp95.exe (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dial.pipex.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: UKOnLineSigningApplet - https://customs.hmrc.gov.uk/gg/UKOnLineSigningApplet.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://spssevents.webex.com/client/T24L/event/ieatgpc.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7020-b369h/rnl/java/RntX.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe

--
End of file - 12363 bytes


Computer seems to run faster.
F Secure has been able to update to 27/12, but says it has an 'automatic updates malfunction', might need a re-boot
I am still posting from the laptop, but I can now connect to this site from the 'problem' computer
Haven't tested everything............ but I'm very impressed!

Val
 
Hi

Please reboot the system to see if F-secure problem goes away. If it doesn't you have to reinstall F-secure since the infection probably harmed it in some way.

Let me know how it goes :)
 
You must log in or register to reply here.
Back
Top