Minor threats - Can't get rid of them

D

demonic_angel

New member
Hi..I just scanned my computer, and spybot came up with
advertising.com, cpxinteractive, mediaplex, and statcounter. I've had these before, and I removed them, but they keep coming back.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:42 PM, on 2007-09-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\BitComet\BitComet.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

I have bitcomet running because I'm downloading some music off a safe site.
 
sorry, I should have said that the things come back after a short while.. Lately my computers been bogged down, and I need to shut off msn to run another other big programs.
 
Those helped a little, not alot though. I find that it was after I got a few viruses and removed them. I think there's still somethng left bogging down my computer. Also, (also from the virus), when I doulbe click my c or d drive, it takes me to a select program list, and I can't set explorer as the default
 
When I double click c or d drive, it opens a choose program list...I have to choose internet explorer to open it. but when I right click, and press open, it opens normally without the list.

also..I checked msconfig to see if I could turn any thing off to make my computer run faster on startup...and I saw "c0nime" , "cmdbcs", "mppds", and "upxdnd". I think these were the virses that were on my computer before, and I thought I got rid of them with one of you guy's help. They're still on the startup list though.
 
Hi Shabba,

Here's my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:09 AM, on 2007-09-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
 
Hi

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
 
Hi Shaba

Here's the ComboFix Log:

ComboFix 07-09-09.4 - "Darrell Lau" 2007-09-08 18:06:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -8:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\autorun.inf
C:\DOCUME~1\DARREL~1\APPLIC~1\macromedia\Flash Player\#SharedObjects\FUL6DN8S\www.broadcaster.com
C:\DOCUME~1\DARREL~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\DARREL~1\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\kb726255.log
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
d:\autorun.inf
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-08-09 to 2007-09-09 )))))))))))))))))))))))))))))))
.

2007-09-08 18:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-07 22:20 <DIR> d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\mIRC
2007-09-03 16:05 <DIR> d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\WinRAR
2007-08-24 22:25 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2007-08-24 22:24 <DIR> d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 08:26 --------- d-------- C:\Program Files\HI JACK!
2007-08-24 22:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-08 16:11 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-06 03:10 --------- d--h----- C:\DOCUME~1\DARREL~1\APPLIC~1\ijjigame
2007-08-02 18:36 --------- d-------- C:\Program Files\Monkey's Audio
2007-08-02 17:45 --------- d-------- C:\Program Files\eRightSoft
2007-07-30 07:07 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-07-24 21:26 --------- d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\Skype
2007-07-23 19:25 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-23 19:24 --------- d-------- C:\Program Files\Apple Software Update
2007-07-23 19:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-10 19:22 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-10 19:13 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-10 19:08 --------- d-------- C:\Program Files\winMd5Sum
2007-07-10 19:00 --------- d-------- C:\Program Files\Last.fm
2007-06-25 13:59 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-11-05 13:52 9232 --a------ C:\DOCUME~1\DARREL~1\mqdmmdfl.sys
2006-11-05 13:52 92064 --a------ C:\DOCUME~1\DARREL~1\mqdmmdm.sys
2006-11-05 13:52 79328 --a------ C:\DOCUME~1\DARREL~1\mqdmserd.sys
2006-11-05 13:52 66656 --a------ C:\DOCUME~1\DARREL~1\mqdmbus.sys
2006-11-05 13:52 6208 --a------ C:\DOCUME~1\DARREL~1\mqdmcmnt.sys
2006-11-05 13:52 5936 --a------ C:\DOCUME~1\DARREL~1\mqdmwhnt.sys
2006-11-05 13:52 4048 --a------ C:\DOCUME~1\DARREL~1\mqdmcr.sys
2006-11-05 13:52 25600 --a------ C:\DOCUME~1\DARREL~1\usbsermptxp.sys
2006-11-05 13:52 22768 --a------ C:\DOCUME~1\DARREL~1\usbsermpt.sys
2005-05-16 20:48 87608 --a------ C:\DOCUME~1\DARREL~1\APPLIC~1\inst.exe
2005-05-16 20:48 47360 --a------ C:\DOCUME~1\DARREL~1\APPLIC~1\pcouffin.sys
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-07-23 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-02 12:53:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{36CD708B-6077-4C02-9377-D73EAA495A0F}"= C:\WINDOWS\WinHttp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NOD32 Control Center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NOD32 Control Center.lnk
backup=C:\WINDOWS\pss\NOD32 Control Center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darrell Lau^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Darrell Lau\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8u3]
C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVPSrv]
C:\WINDOWS\AVPSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"D:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]
C:\WINDOWS\cmdbcs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC1300 Monitor]
D:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"C:\Program Files\Microsoft IntelliType Pro\itype.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mppds]
C:\WINDOWS\mppds.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msccrt]
C:\WINDOWS\msccrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]
C:\WINDOWS\upxdnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye

R2 NMSSvc;Intel(R) NMS;C:\WINDOWS\system32\NMSSvc.exe
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
S3 DC1300;DC 1300 WDM Video Capture;C:\WINDOWS\system32\Drivers\BSC504AV.SYS
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8029.SYS
S3 USBCamera;DC 1300 Still Image Capture;C:\WINDOWS\system32\Drivers\BscBulk.sys
S4 D428BA68;D428BA68;C:\WINDOWS\system32\8C4ED30.EXE -k


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 05:19:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-12-25 11:48:20 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- C:\Program Files\Microsoft IntelliType Pro\itype.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 18:11:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 18:13:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 18:13
.
--- E O F ---
 
Heres the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:18, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe



Thanks
 
Hi

Enable this via msconfig (startup tab -> checkmark):

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8u3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVPSrv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mppds]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msccrt]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report
 
Hi

Here's the Combofix log:

ComboFix 07-09-09.4 - "Darrell Lau" 2007-09-09 18:17:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.236 [GMT -8:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.

2007-09-08 18:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-07 22:20 <DIR> d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\mIRC
2007-09-03 16:05 <DIR> d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\WinRAR
2007-08-24 22:25 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2007-08-24 22:24 <DIR> d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-08 23:25 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-08 18:18 --------- d-------- C:\Program Files\HI JACK!
2007-08-24 22:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-08 16:11 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-06 03:10 --------- d--h----- C:\DOCUME~1\DARREL~1\APPLIC~1\ijjigame
2007-08-02 18:36 --------- d-------- C:\Program Files\Monkey's Audio
2007-08-02 17:45 --------- d-------- C:\Program Files\eRightSoft
2007-07-24 21:26 --------- d-------- C:\DOCUME~1\DARREL~1\APPLIC~1\Skype
2007-07-23 19:25 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-23 19:24 --------- d-------- C:\Program Files\Apple Software Update
2007-07-23 19:24 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-10 19:22 --------- d-------- C:\Program Files\DAEMON Tools
2007-07-10 19:13 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-10 19:08 --------- d-------- C:\Program Files\winMd5Sum
2007-07-10 19:00 --------- d-------- C:\Program Files\Last.fm
2007-06-25 13:59 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-11-05 13:52 9232 --a------ C:\DOCUME~1\DARREL~1\mqdmmdfl.sys
2006-11-05 13:52 92064 --a------ C:\DOCUME~1\DARREL~1\mqdmmdm.sys
2006-11-05 13:52 79328 --a------ C:\DOCUME~1\DARREL~1\mqdmserd.sys
2006-11-05 13:52 66656 --a------ C:\DOCUME~1\DARREL~1\mqdmbus.sys
2006-11-05 13:52 6208 --a------ C:\DOCUME~1\DARREL~1\mqdmcmnt.sys
2006-11-05 13:52 5936 --a------ C:\DOCUME~1\DARREL~1\mqdmwhnt.sys
2006-11-05 13:52 4048 --a------ C:\DOCUME~1\DARREL~1\mqdmcr.sys
2006-11-05 13:52 25600 --a------ C:\DOCUME~1\DARREL~1\usbsermptxp.sys
2006-11-05 13:52 22768 --a------ C:\DOCUME~1\DARREL~1\usbsermpt.sys
2005-05-16 20:48 87608 --a------ C:\DOCUME~1\DARREL~1\APPLIC~1\inst.exe
2005-05-16 20:48 47360 --a------ C:\DOCUME~1\DARREL~1\APPLIC~1\pcouffin.sys
2006-05-03 09:06:54 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-07-23 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-02 12:53:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{36CD708B-6077-4C02-9377-D73EAA495A0F}"= C:\WINDOWS\WinHttp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NOD32 Control Center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NOD32 Control Center.lnk
backup=C:\WINDOWS\pss\NOD32 Control Center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Darrell Lau^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Darrell Lau\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
"D:\Program Files\BitComet\BitComet.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DC1300 Monitor]
D:\Program Files\DC1300\DCMnt1_0\DC1300mi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R300 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"C:\Program Files\Microsoft IntelliType Pro\itype.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye

R2 NMSSvc;Intel(R) NMS;C:\WINDOWS\system32\NMSSvc.exe
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\system32\drivers\NMSCFG.SYS
S3 DC1300;DC 1300 WDM Video Capture;C:\WINDOWS\system32\Drivers\BSC504AV.SYS
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 rtl8029;Realtek RTL8029(AS)-based PCI Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\RTL8029.SYS
S3 USBCamera;DC 1300 Still Image Capture;C:\WINDOWS\system32\Drivers\BscBulk.sys
S4 D428BA68;D428BA68;C:\WINDOWS\system32\8C4ED30.EXE -k


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2007-09-05 05:19:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-12-25 11:48:20 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_IType_exe.job"
- C:\Program Files\Microsoft IntelliType Pro\itype.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 18:19:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-09 18:20:59
C:\ComboFix-quarantined-files.txt ... 2007-09-09 18:20
C:\ComboFix2.txt ... 2007-09-08 18:13
.
--- E O F ---

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:26:18 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
 
Hi

You didn't enable this via msconfig:

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui

Name is nod32kui, checkmark it on startup tab

After that, please post back a fresh HijackThis log, please :)
 
Hi Shaba

Sorry about that; Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:18 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Thanks
 
yes it does now, thanks xD

I'm not sure if those virus files are still on my computer or not =T I checked msconfig, and they're not there. Any way to check for sure?\

Thanks
 
Hi

Then we'll continue this way:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
Holy crap...this is bad

Wednesday, September 12, 2007 3:26:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412690


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 65645
Number of viruses found 21
Number of infected objects 43
Number of suspicious objects 2
Duration of the scan process 01:38:55

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cc299263c1fbc6e1dc2382b484baa392_ff4796c2-f9e6-404d-80be-655d3f0173c8 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject4.zip/uninst.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobVideoActiveXObject4.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\aslati.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.oe skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\AVPSrv.dll.bac_a01788 Infected: Trojan-PSW.Win32.OnLineGames.es skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\BinNice.dll.bac_a02988 Infected: Trojan-PSW.Win32.OnLineGames.qr skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\cmdbcs.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.sa skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\k11162139338.exe.bac_a01788 Infected: Trojan-Spy.Win32.Iespy.au skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\ksosaw.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.oe skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\ksys.sys.bac_a02988 Infected: Rootkit.Win32.Agent.eb skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\lauyfi.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.sa skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\mh102.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.ql skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\mppds.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.oe skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\msccrt.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.oe skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\nslookupi.exe.bac_a01080 Infected: Backdoor.Win32.Agent.alh skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\nwizqjsj.dll.bac_a03228 Infected: Trojan-PSW.Win32.OnLineGames.ug skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\p.exe.bac_a02988 Infected: Trojan-Downloader.Win32.Small.eih skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\qokyrn.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.oe skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\rising.exe.vir.bac_a01080 Infected: Backdoor.Win32.Agent.ahj skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\smbdbp.dll.bac_a01080 Infected: Trojan-PSW.Win32.OnLineGames.oe skipped

C:\Documents and Settings\Darrell Lau\.housecall6.6\Quarantine\upxdnd.dll.bac_a01788 Infected: Trojan-PSW.Win32.OnLineGames.sx skipped

C:\Documents and Settings\Darrell Lau\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Last.fm\Client\container.log Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\Working\database_3098_E065_98E0_2AD4\dfsr.db Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\Working\database_3098_E065_98E0_2AD4\fsr.log Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\Working\database_3098_E065_98E0_2AD4\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\Working\database_3098_E065_98E0_2AD4\tmp.edb Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Windows Live Contacts\eternal_lasting_love@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Windows Live Contacts\eternal_lasting_love@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\History\History.IE5\MSHist012007091220070913\index.dat Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Temp\~DFDB6C.tmp Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Temp\~DFDB99.tmp Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Temp\~DFDF0B.tmp Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Temp\~DFDF61.tmp Object is locked skipped

C:\Documents and Settings\Darrell Lau\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Darrell Lau\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Darrell Lau\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
 
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Terence\Application Data\desktop.ini Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Lavasoft\Ad-Aware\description.ini Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Lavasoft\Ad-Aware\settings.awc Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Lavasoft\Ad-Aware\stats.awd Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\AnswersPanel\Answers.swf Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\AnswersPanel\lib.swf Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\AnswersPanel\panel.swf Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\AnswersPanel\shim.swf Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\AnswersPanel\shim_init.xml Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Fireworks Color List.txt Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Fireworks Language.txt Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Fireworks MX Preferences.txt Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Fireworks Panel Prefs.xml Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Fireworks.ini Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Fireworks.mch Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Font Map.txt Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Nav Menu\Styles.stl Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Project_Log.htm Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Styles\Style Defaults.stl Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\URL Libraries\URLs.htm Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Fireworks MX\Web_Log.htm Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Flash Player\localhost\#FireworksMX\general.sol Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Flash Player\localhost\#FireworksMX\panel.sol Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\settings.sol Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\2BBA88436E92E1ABCED8E68D74DC5B38 Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\3C83474D61E624A4F9844DF935AFE217 Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1 Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\71644221AC231DBD2359C18EBB2118DC Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019 Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\904590238400AD963F77FAAAADC9BAB5 Object is locked skipped

C:\Documents and Settings\Terence\Application Data\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD Object is locked skipped
 
You must log in or register to reply here.
Back
Top