slow startup and popup browsers

Hi

Lots of work to do.

First we'll need to back up the registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as All Files (*.*)) on the Desktop:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=-

It should look like this: [screenshot: reg.gif]


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: (no name) - {FF593D2C-A0CC-F931-CD3E-FEBAAE3745C5} - C:\WINDOWS\system32\hykcm.dll
O2 - BHO: (no name) - {0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5} - C:\WINDOWS\system32\qomkjij.dll (file missing)
O2 - BHO: (no name) - {16BCF2D2-381D-DCEB-9B99-044F541745FE} - C:\WINDOWS\system32\pnkmfil.dll
O2 - BHO: (no name) - {237B2E53-E19A-4D74-AC64-9556D3F48795} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {3245721D-0D65-4694-9102-8A281116BA7E} - C:\WINDOWS\system32\jkklk.dll (file missing)
O2 - BHO: (no name) - {529F76CD-EB73-E9DD-2820-BFCE68E8EDC3} - (no file)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\bwrxkgpi.dll (file missing)
O2 - BHO: (no name) - {6E4B23EE-D412-48BD-B133-60574061E429} - C:\WINDOWS\system32\opnnmjk.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\vnrvlwbe.dll (file missing)
O2 - BHO: (no name) - {FF593D2C-A0CC-F931-CD3E-FEBAAE3745C5} - C:\WINDOWS\system32\hykcm.dll
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\GREGOR~1\APPLIC~1\SSTEM3~1\wucrtupd.exe" -vt yazb
O4 - HKCU\..\Run: [Usljkoby] "C:\WINDOWS\?ppPatch\??anregw.exe" 99001122
O4 - HKCU\..\Run: [Mumfbxb] "C:\Documents and Settings\Gregory Lewin\Application Data\S?mantec\?poolsv.exe" 99001122
O4 - HKCU\..\Run: [koiq] C:\Program Files\Common Files\koiq\koiqm.exe


Close all windows, including your browser, and press Fix checked.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\ntbmvkwy.dll
C:\WINDOWS\SYSTEM32\drvcoj.dll
C:\WINDOWS\SYSTEM32\hykcm.dll
C:\WINDOWS\SYSTEM32\rydzoih.dll
C:\WINDOWS\SYSTEM32\v6.exe
C:\WINDOWS\SYSTEM32\drvzej.dll
C:\WINDOWS\SYSTEM32\pmjaynxh.dll
C:\WINDOWS\SYSTEM32\egvbxejf.dll
C:\DOCUME~1\GREGOR~1\Application Data\winantiviruspro2006freeinstall[1].exe
C:\WINDOWS\SYSTEM32\iuugaixm.dll
C:\WINDOWS\SYSTEM32\axytbibh.dll
C:\WINDOWS\SYSTEM32\koukphaf.dll
C:\WINDOWS\SYSTEM32\fkkyursa.dll
C:\WINDOWS\SYSTEM32\pqllxfg.dll
C:\WINDOWS\SYSTEM32\iidomoux.dll
C:\WINDOWS\SYSTEM32\vgcoeiry.dll
C:\WINDOWS\SYSTEM32\winhld32.dll
C:\cawhd.exe
C:\WINDOWS\SYSTEM32\pnkmfil.dll
C:\WINDOWS\SYSTEM32\ofrlvek.dll
C:\qarv.exe
C:\WINDOWS\SYSTEM32\ktyfxbe.dll
C:\DOCUME~1\ALLUSE~1\Application Data\YAŽ>O3113>.sys
C:\Program Files\Common Files\svchost.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Boot in safe mode

Delete these:

C:\Documents and Settings\Gregory Lewin\Application Data\Symantec
C:\Program Files\Common Files\koiq
C:\DOCUME~1\GREGOR~1\APPLIC~1\System32
C:\WINDOWS\àppPatch
C:\WINDOWS\koiq
C:\Program Files\Common Files\çasks

Empty Recycle Bin

Reboot

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
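The entries checkmarked above share a few visible traits: "(no name)" hooks and BHOs, registrations whose file is already gone, Run entries whose paths contain a `?` (HijackThis prints `?` for a character it cannot render; the ComboFix log shows the same folder as `àppPatch`), file names one character away from a core Windows binary (`?poolsv.exe` beside the real `spoolsv.exe`), and a non-standard Winlogon Notify DLL. The following script is an added example, not part of this thread and not HijackThis code; it applies those traits as constructed heuristics to sample lines copied from the logs quoted later in this thread (plus one constructed O4 line for the `policies\explorer\Run` value that ComboFix reported). The allowlist of Winlogon Notify DLLs and the list of system binary names are assumptions made for the example.

```python
"""Triage a HijackThis v1.99 log by flagging the patterns discussed in this thread.
Added example (not from the thread or from HijackThis); rules are constructed heuristics."""
import re

# Assumption: core Windows binaries whose names malware on this machine imitated.
SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe", "explorer.exe"}

# Assumption: constructed allowlist for O20 entries; igfxdev.dll is the Intel graphics
# notify DLL that appears in the thread's log.
KNOWN_WINLOGON_NOTIFY = {"igfxdev.dll"}

# Constructed sample: lines copied from the HijackThis logs in this thread, plus one
# constructed O4 line for the policies\explorer\Run value that ComboFix reported.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {FF593D2C-A0CC-F931-CD3E-FEBAAE3745C5} - C:\WINDOWS\system32\hykcm.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5} - C:\WINDOWS\system32\qomkjij.dll (file missing)
O2 - BHO: (no name) - {529F76CD-EB73-E9DD-2820-BFCE68E8EDC3} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Usljkoby] "C:\WINDOWS\?ppPatch\??anregw.exe" 99001122
O4 - HKCU\..\Run: [Mumfbxb] "C:\Documents and Settings\Gregory Lewin\Application Data\S?mantec\?poolsv.exe" 99001122
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\Program Files\Common Files\svchost.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winhld32 - C:\WINDOWS\SYSTEM32\winhld32.dll
"""

# First drive-letter path ending in an executable/DLL extension on the line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)\b", re.IGNORECASE)


def extract_path(line):
    """Return the first module path found on a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def lookalike_of_system_binary(filename):
    """Return the system binary name this file name equals or differs from by
    exactly one character (e.g. '?poolsv.exe' -> 'spoolsv.exe'), else None."""
    name = filename.lower()
    for sysname in SYSTEM_BINARIES:
        if name == sysname:
            return sysname
        if len(name) == len(sysname) and sum(a != b for a, b in zip(name, sysname)) == 1:
            return sysname
    return None


def triage_line(line):
    """Return the list of reasons this line deserves attention ([] if none)."""
    reasons = []
    line = line.strip()
    m = re.match(r"^(R\d|O\d+) - (.*)$", line)
    if not m:
        return reasons
    section, body = m.groups()
    if "(no name)" in body and section in {"R3", "O2", "O3"}:
        reasons.append("unnamed hook/BHO")
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned registration (file gone, entry remains)")
    path = extract_path(body)
    if path:
        # A literal '?' cannot occur in a Windows path: it stands for an unrenderable character.
        if any(c == "?" or ord(c) > 127 for c in path):
            reasons.append("path with '?' or non-ASCII character (lookalike folder/file name)")
        filename = path.rsplit("\\", 1)[-1]
        target = lookalike_of_system_binary(filename)
        if target and "\\windows\\system32\\" not in path.lower():
            reasons.append(f"'{filename}' resembles system binary {target} but is outside system32")
        if section == "O20" and filename.lower() not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("Winlogon Notify DLL not on the allowlist (loads at every logon)")
    return reasons


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every flagged line of the log."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append({"line": line.strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Run as-is it prints seven flagged lines from the sample; the four legitimate entries (Yahoo! toolbar hook, SnagIt BHO, Java updater, Intel igfxcui) produce nothing. The heuristics are deliberately narrow: a random-looking name such as `koiqm.exe` is not caught by them, which is why a human reviewer still reads the whole log.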
 
Slow start up and pop up browsers

Hi Shaba,

This is what I get when I double-click the fix.reg:

cannot import C:\Documents and Settings\desktop\fix.reg the specified file is not a registry scrip. you can only import Binary registry files from within the registry editor. Is this OK? Should I continue?
 
Hi

Did you save it as all files (*.*)?

Yes, you can continue, we'll remove that registry entry later :)
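The error quoted above is what regedit reports when the first line of the file is not a recognised .reg header (`Windows Registry Editor Version 5.00` or the older `REGEDIT4`), for instance when Notepad saved something other than the exact text. The following checker is an added example, not part of this thread and not regedit's code; it parses a .reg script offline, confirms the header, and lists what importing it would do (`"name"=-` deletes a value, `[-key]` deletes a key). The `FIX_REG` and `BROKEN_REG` strings are constructed copies of the fix.reg from the first post, and the list of autostart key fragments is an assumption used only for labelling.

```python
"""Check a .reg script before importing it, e.g. the fix.reg from the first post.
Added example; not from this thread and not regedit's own logic."""
import re

# Header lines regedit accepts as the first line of a text .reg file.
VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Assumption: key fragments that mark common autostart locations (lower-case compare).
AUTOSTART_KEY_HINTS = ("\\currentversion\\run", "\\policies\\explorer\\run", "\\winlogon\\notify")

# Constructed copy of the fix.reg contents shown in the first post.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=-
"""

# Constructed: the same file with the header line lost, which regedit refuses to import.
BROKEN_REG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=-
"""

KEY_RE = re.compile(r"\[(-?)(.+)\]")
VALUE_RE = re.compile(r'(?:"((?:[^"\\]|\\.)*)"|@)=(.*)')


def parse_reg_script(text):
    """Return {'valid': bool, 'reason': str, 'operations': [(op, key, value_name), ...]}.
    op is 'delete_key', 'delete_value' or 'set_value'."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        return {"valid": False, "reason": "missing or unrecognised header line", "operations": []}
    ops = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        m = KEY_RE.fullmatch(line)
        if m:
            if m.group(1) == "-":          # [-KEY] removes the whole key
                ops.append(("delete_key", m.group(2), None))
                current_key = None
            else:
                current_key = m.group(2)
            continue
        if current_key is None:
            return {"valid": False, "reason": f"value outside any key section: {line}", "operations": []}
        m = VALUE_RE.fullmatch(line)
        if not m:
            return {"valid": False, "reason": f"unparseable line: {line}", "operations": []}
        name = m.group(1) if m.group(1) is not None else "(Default)"
        op = "delete_value" if m.group(2) == "-" else "set_value"   # "name"=- deletes the value
        ops.append((op, current_key, name))
    return {"valid": True, "reason": "", "operations": ops}


def describe(result):
    """Human-readable lines for each operation, noting autostart locations."""
    out = []
    for op, key, name in result["operations"]:
        tag = " (autostart location)" if any(h in key.lower() for h in AUTOSTART_KEY_HINTS) else ""
        out.append(f"{op}: {key}" + (f" -> {name}" if name else "") + tag)
    return out


if __name__ == "__main__":
    for label, text in (("fix.reg", FIX_REG), ("broken", BROKEN_REG)):
        result = parse_reg_script(text)
        print(label, "valid" if result["valid"] else f"INVALID: {result['reason']}")
        for line in describe(result):
            print("  ", line)
```

Running it reports the first file as valid with a single `delete_value` of `svchost.exe` under the `policies\explorer\Run` autostart key, and the second as invalid for the missing header, which matches the symptom in the post above. If a file the user saved from Notepad fails this check, the content was altered on save; the manual regedit deletion described later in the thread achieves the same result.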
 
slow start up and pop up browsers

Thanks Shaba. Yes, I named the file as "All files" in Notepad, but there was no *.*; I don't have that option, only "All files". Please find the new ComboFix and HijackThis files.

ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Gregory Lewin\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\svchost.exe


((((((((((((((((((((((((((((((( Files Created from 2007-01-08 to 2007-02-08 ))))))))))))))))))))))))))))))))))


2007-02-08 15:59 <DIR> d-------- C:\!KillBox
2007-02-06 18:34 108 ---hs---- C:\WINDOWS\WSYS049.SYS
2007-02-06 18:33 243,526 --a------ C:\WINDOWS\CoffeeCup Visual Site Designer Uninstaller.exe
2007-02-04 21:43 72,704 --a------ C:\WINDOWS\SYSTEM32\drvcoj.dll
2007-02-03 23:32 13 C:\DOCUME~1\ALLUSE~1\Application Data\YAŽ>O3113>.sys
2007-02-03 22:13 <DIR> d-------- C:\WINDOWS\Flash Menu Factory
2007-02-03 21:26 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-02-03 17:45 <DIR> d-------- C:\Program Files\ACW
2007-02-02 23:52 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-02 06:12 60,416 --a------ C:\WINDOWS\SYSTEM32\hykcm.dll
2007-02-02 06:12 <DIR> d-------- C:\WINDOWS\àppPatch
2007-02-01 17:27 <DIR> d-------- C:\VundoFix Backups
2007-01-31 20:47 95,232 --a------ C:\WINDOWS\SYSTEM32\rydzoih.dll
2007-01-31 20:46 8,704 --a------ C:\WINDOWS\SYSTEM32\v6.exe
2007-01-31 20:45 72,704 --a------ C:\WINDOWS\SYSTEM32\drvzej.dll
2007-01-30 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-01-30 19:52 76,412 --a------ C:\WINDOWS\SYSTEM32\pmjaynxh.dll
2007-01-30 04:01 76,412 --a------ C:\WINDOWS\SYSTEM32\egvbxejf.dll
2007-01-30 02:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-28 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TechSmith
2007-01-28 15:41 <DIR> d-------- C:\Program Files\TechSmith
2007-01-28 15:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-28 14:33 88,280 --a------ C:\DOCUME~1\GREGOR~1\Application Data\winantiviruspro2006freeinstall[1].exe
2007-01-28 13:57 <DIR> d-------- C:\DOCUME~1\GREGOR~1\Application Data\Uniblue
2007-01-28 12:40 76,412 --a------ C:\WINDOWS\SYSTEM32\iuugaixm.dll
2007-01-28 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-01-28 10:59 76,412 --a------ C:\WINDOWS\SYSTEM32\axytbibh.dll
2007-01-28 10:45 76,412 --a------ C:\WINDOWS\SYSTEM32\koukphaf.dll
2007-01-27 01:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-27 00:39 620,123 --a------ C:\WINDOWS\SYSTEM32\RegistryCleanerSetup.exe
2007-01-27 00:30 76,412 --a------ C:\WINDOWS\SYSTEM32\fkkyursa.dll
2007-01-26 17:50 95,232 --a------ C:\WINDOWS\SYSTEM32\pqllxfg.dll
2007-01-25 17:59 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-25 03:07 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-25 01:40 95,760 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-01-25 01:40 629,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-01-25 01:40 32,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-25 01:40 26,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-01-25 01:40 21,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-01-25 01:40 21,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-01-25 01:40 108,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-01-25 01:39 <DIR> d-------- C:\Program Files\CA
2007-01-25 01:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
2007-01-25 00:58 155,648 ---h----- C:\Program Files\Common Files\svchost.exe
2007-01-25 00:29 76,412 --a------ C:\WINDOWS\SYSTEM32\iidomoux.dll
2007-01-25 00:29 44,060 --a------ C:\WINDOWS\SYSTEM32\vgcoeiry.dll
2007-01-25 00:23 19,456 --a------ C:\WINDOWS\SYSTEM32\winhld32.dll
2007-01-25 00:19 74,240 --a------ C:\cawhd.exe
2007-01-25 00:19 73,728 --a------ C:\WINDOWS\SYSTEM32\out.dll
2007-01-25 00:16 96,256 --a------ C:\WINDOWS\SYSTEM32\ktyfxbe.dll
2007-01-25 00:16 71,680 --a------ C:\WINDOWS\SYSTEM32\pnkmfil.dll
2007-01-25 00:16 59,392 --a------ C:\WINDOWS\SYSTEM32\ofrlvek.dll
2007-01-25 00:16 45,568 --a------ C:\qarv.exe
2007-01-23 18:28 17,920 --a------ C:\WINDOWS\SYSTEM32\mdimon.dll
2007-01-20 12:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\tmp


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-04 08:48 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\voipstunt
2007-02-03 21:45 -------- d-------- C:\Program Files\google
2007-01-30 23:55 -------- d-------- C:\Program Files\yahoo!
2007-01-30 02:51 -------- d-------- C:\Program Files\Common Files\çasks
2007-01-29 00:47 -------- d-------- C:\Program Files\microsoft frontpage
2007-01-28 16:37 -------- d---s---- C:\DOCUME~1\GREGOR~1\Application Data\microsoft
2007-01-28 14:58 -------- d-------- C:\Program Files\java
2007-01-25 00:26 -------- d-------- C:\Program Files\limewire
2007-01-11 05:35 -------- d-------- C:\Program Files\ws_ftp
2006-12-31 20:57 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\adobe
2006-12-31 20:49 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-31 20:47 -------- d-------- C:\Program Files\Common Files\adobe systems shared
2006-12-31 20:24 -------- d--h----- C:\Program Files\installshield installation information
2006-12-31 07:17 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\opera
2006-12-20 22:48 364544 --------- C:\WINDOWS\SYSTEM32\anpop.dll
2006-12-12 18:28 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\àpppatch
2006-12-08 06:25 -------- d-------- C:\Program Files\windows media connect 2
2006-11-08 00:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"VoipStunt"="\"E:\\VoipStunt\\VoipStunt.exe\" -nosplash -minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
"backup"="C:\\WINDOWS\\pss\\SnagIt 8.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TECHSM~1\\SNAGIT~1\\SnagIt32.exe "
"item"="SnagIt 8"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="napster"
"hkey"="HKLM"
"command"="C:\\Program Files\\Napster\\napster.exe /systray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="voipstunt"
"hkey"="HKCU"
"command"="\"E:\\voipstunt\\voipstunt.exe\" -nosplash -minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6E4B23EE-D412-48BD-B133-60574061E429}"=""
"{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\Program Files\\Common Files\\svchost.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhld32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-02-08 17:09:44
C:\ComboFix2.txt ... 07-02-06 18:04
 
slow start up and pop up browsers

Logfile of HijackThis v1.99.1
Scan saved at 4:53:45 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\VoipStunt\VoipStunt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\Gregory Lewin\Desktop\HJT.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [VoipStunt] "E:\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02b.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130445843046
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winhld32 - C:\WINDOWS\SYSTEM32\winhld32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
Hi

Did you do that Killbox part at all? I'm asking because all the files are still there.

Please redo that part, exactly as I instructed below :)

Also do this:

Go to start -> run -> regedit -> ok

Find this key:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

Delete svchost.exe from that key

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
 
Slow start up and pop browsers

Thanks Shaba, the files are deleted now. New files below.

ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Gregory Lewin\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-09 to 2007-02-09 ))))))))))))))))))))))))))))))))))


2007-02-08 15:59 <DIR> d-------- C:\!KillBox
2007-02-06 18:34 108 ---hs---- C:\WINDOWS\WSYS049.SYS
2007-02-06 18:33 243,526 --a------ C:\WINDOWS\CoffeeCup Visual Site Designer Uninstaller.exe
2007-02-03 23:32 13 C:\DOCUME~1\ALLUSE~1\Application Data\YAŽ>O3113>.sys
2007-02-03 22:13 <DIR> d-------- C:\WINDOWS\Flash Menu Factory
2007-02-03 21:26 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-02-03 17:45 <DIR> d-------- C:\Program Files\ACW
2007-02-02 23:52 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-02 06:12 <DIR> d-------- C:\WINDOWS\àppPatch
2007-02-01 17:27 <DIR> d-------- C:\VundoFix Backups
2007-01-30 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-01-30 02:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-28 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TechSmith
2007-01-28 15:41 <DIR> d-------- C:\Program Files\TechSmith
2007-01-28 15:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-28 13:57 <DIR> d-------- C:\DOCUME~1\GREGOR~1\Application Data\Uniblue
2007-01-28 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-01-27 01:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-27 00:39 620,123 --a------ C:\WINDOWS\SYSTEM32\RegistryCleanerSetup.exe
2007-01-25 17:59 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-25 03:07 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-25 01:40 95,760 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-01-25 01:40 629,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-01-25 01:40 32,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-25 01:40 26,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-01-25 01:40 21,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-01-25 01:40 21,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-01-25 01:40 108,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-01-25 01:39 <DIR> d-------- C:\Program Files\CA
2007-01-25 01:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
2007-01-25 00:19 73,728 --a------ C:\WINDOWS\SYSTEM32\out.dll
2007-01-23 18:28 17,920 --a------ C:\WINDOWS\SYSTEM32\mdimon.dll
2007-01-20 12:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\tmp


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-04 08:48 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\voipstunt
2007-02-03 21:45 -------- d-------- C:\Program Files\google
2007-01-30 23:55 -------- d-------- C:\Program Files\yahoo!
2007-01-30 02:51 -------- d-------- C:\Program Files\Common Files\çasks
2007-01-29 00:47 -------- d-------- C:\Program Files\microsoft frontpage
2007-01-28 16:37 -------- d---s---- C:\DOCUME~1\GREGOR~1\Application Data\microsoft
2007-01-28 14:58 -------- d-------- C:\Program Files\java
2007-01-25 00:26 -------- d-------- C:\Program Files\limewire
2007-01-11 05:35 -------- d-------- C:\Program Files\ws_ftp
2006-12-31 20:57 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\adobe
2006-12-31 20:49 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-31 20:47 -------- d-------- C:\Program Files\Common Files\adobe systems shared
2006-12-31 20:24 -------- d--h----- C:\Program Files\installshield installation information
2006-12-31 07:17 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\opera
2006-12-20 22:48 364544 --------- C:\WINDOWS\SYSTEM32\anpop.dll
2006-12-12 18:28 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\àpppatch


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"VoipStunt"="\"E:\\VoipStunt\\VoipStunt.exe\" -nosplash -minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
"backup"="C:\\WINDOWS\\pss\\SnagIt 8.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TECHSM~1\\SNAGIT~1\\SnagIt32.exe "
"item"="SnagIt 8"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="napster"
"hkey"="HKLM"
"command"="C:\\Program Files\\Napster\\napster.exe /systray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="voipstunt"
"hkey"="HKCU"
"command"="\"E:\\voipstunt\\voipstunt.exe\" -nosplash -minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6E4B23EE-D412-48BD-B133-60574061E429}"=""
"{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhld32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-02-09 18:21:56
 
Logfile of HijackThis v1.99.1
Scan saved at 6:36:27 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\VoipStunt\VoipStunt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gregory Lewin\Desktop\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [VoipStunt] "E:\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02b.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130445843046
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
Hi

Yes, they are :)

However, several folders need to be deleted.

Delete these:

C:\WINDOWS\àppPatch (may look like ?ppPatch)
C:\Program Files\Common Files\çasks (may look like ?asks)
C:\DOCUME~1\GREGOR~1\Application Data\àpppatch (may look like ?pppatch)

Empty Recycle Bin

If you are unable to find them, let me know.

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
 
Thank you Shaba, I can't seem to find this one: C:\DOCUME~1\GREGOR~1\Application Data\àpppatch

Here are the new reports. Please advise.

ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Gregory Lewin\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))


2007-02-10 09:37 <DIR> d-------- C:\WINDOWS\LastGood
2007-02-08 15:59 <DIR> d-------- C:\!KillBox
2007-02-06 18:34 108 ---hs---- C:\WINDOWS\WSYS049.SYS
2007-02-06 18:33 243,526 --a------ C:\WINDOWS\CoffeeCup Visual Site Designer Uninstaller.exe
2007-02-03 23:32 13 C:\DOCUME~1\ALLUSE~1\Application Data\YAŽ>O3113>.sys
2007-02-03 22:13 <DIR> d-------- C:\WINDOWS\Flash Menu Factory
2007-02-03 21:26 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-02-03 17:45 <DIR> d-------- C:\Program Files\ACW
2007-02-02 23:52 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-01 17:27 <DIR> d-------- C:\VundoFix Backups
2007-01-30 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-01-30 02:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-28 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TechSmith
2007-01-28 15:41 <DIR> d-------- C:\Program Files\TechSmith
2007-01-28 15:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-28 13:57 <DIR> d-------- C:\DOCUME~1\GREGOR~1\Application Data\Uniblue
2007-01-28 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-01-27 01:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-27 00:39 620,123 --a------ C:\WINDOWS\SYSTEM32\RegistryCleanerSetup.exe
2007-01-25 17:59 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-25 03:07 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-25 01:40 95,760 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-01-25 01:40 629,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-01-25 01:40 32,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-25 01:40 26,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-01-25 01:40 21,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-01-25 01:40 21,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-01-25 01:40 108,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-01-25 01:39 <DIR> d-------- C:\Program Files\CA
2007-01-25 01:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
2007-01-25 00:19 73,728 --a------ C:\WINDOWS\SYSTEM32\out.dll
2007-01-23 18:28 17,920 --a------ C:\WINDOWS\SYSTEM32\mdimon.dll
2007-01-20 12:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\tmp


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-04 08:48 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\voipstunt
2007-02-03 21:45 -------- d-------- C:\Program Files\google
2007-01-30 23:55 -------- d-------- C:\Program Files\yahoo!
2007-01-29 00:47 -------- d-------- C:\Program Files\microsoft frontpage
2007-01-28 16:37 -------- d---s---- C:\DOCUME~1\GREGOR~1\Application Data\microsoft
2007-01-28 14:58 -------- d-------- C:\Program Files\java
2007-01-25 00:26 -------- d-------- C:\Program Files\limewire
2007-01-11 05:35 -------- d-------- C:\Program Files\ws_ftp
2006-12-31 20:57 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\adobe
2006-12-31 20:49 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-31 20:47 -------- d-------- C:\Program Files\Common Files\adobe systems shared
2006-12-31 20:24 -------- d--h----- C:\Program Files\installshield installation information
2006-12-31 07:17 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\opera
2006-12-20 22:48 364544 --------- C:\WINDOWS\SYSTEM32\anpop.dll
2006-12-12 18:28 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\àpppatch


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"VoipStunt"="\"E:\\VoipStunt\\VoipStunt.exe\" -nosplash -minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
"backup"="C:\\WINDOWS\\pss\\SnagIt 8.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TECHSM~1\\SNAGIT~1\\SnagIt32.exe "
"item"="SnagIt 8"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="napster"
"hkey"="HKLM"
"command"="C:\\Program Files\\Napster\\napster.exe /systray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="voipstunt"
"hkey"="HKCU"
"command"="\"E:\\voipstunt\\voipstunt.exe\" -nosplash -minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6E4B23EE-D412-48BD-B133-60574061E429}"=""
"{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhld32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-02-10 9:54:08
C:\ComboFix2.txt ... 07-02-09 18:21
 
Logfile of HijackThis v1.99.1
Scan saved at 10:18:32 AM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\VoipStunt\VoipStunt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Gregory Lewin\Desktop\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [VoipStunt] "E:\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02b.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130445843046
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
Hi

It should be C:\Documents and Settings\Gregory Lewin\Application Data\àpppatch. Any success now?
 
Hi Shaba,

I looked everywhere and did a search; however, this is the bit I can't find anywhere: "Application Data\àpppatch" in that folder. I'll keep looking.
 
Hi

Then we do this:

Save text below as remapp.bat on desktop (save as type = all files *.*)

@ECHO OFF
REM Clear the read-only and hidden attributes so the files can be deleted
attrib -r -h "C:\DOCUME~1\GREGOR~1\Application Data\àpppatch\*.*"
REM Delete every file in the folder regardless of attributes, without prompting
del /a /f /q "C:\DOCUME~1\GREGOR~1\Application Data\àpppatch\*.*"
REM Remove the folder itself and anything left inside it
RD /s /q "C:\DOCUME~1\GREGOR~1\Application Data\àpppatch"

Double-click remapp.bat, click Yes and OK; a black DOS window will flash, that's OK.

(In case you are unsure how to create a batch file, take a look here with screenshots.)

Re-run combofix

Send:

- a fresh HijackThis log
- combofix report
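The folders being removed in this thread (àppPatch, çasks) imitate legitimate names by swapping in an accented letter that many tools render as "?", which is why the user could not find them by eye. The script below is an added example, not the helper's tool or anything from the thread: it walks a directory tree, reports every directory or file name containing a non-ASCII character, gives the ASCII name it imitates, and flags the case where a legitimate entry with that folded name sits beside it. The sample tree it builds in a temp directory is constructed for the demo; the names echo the thread but are not taken from a real machine.

```python
"""Find file-system entries whose names use non-ASCII look-alike characters."""
import os
import shutil
import tempfile
import unicodedata
from typing import List, NamedTuple, Optional


class Hit(NamedTuple):
    path: str            # full path of the suspicious entry
    folded: str          # name with diacritics stripped, e.g. "appPatch"
    twin: Optional[str]  # legitimate sibling whose name matches the folded one, if any


def has_non_ascii(name: str) -> bool:
    """True when at least one character in the name is outside ASCII."""
    return any(ord(ch) > 127 for ch in name)


def ascii_fold(name: str) -> str:
    """Decompose accented letters (NFKD) and keep only the ASCII base
    characters: 'àpppatch' -> 'apppatch', 'çasks' -> 'casks'."""
    return "".join(ch for ch in unicodedata.normalize("NFKD", name) if ord(ch) < 128)


def find_lookalike_entries(root: str) -> List[Hit]:
    """Walk root and collect every directory or file whose own name contains a
    non-ASCII character. If an entry in the same parent folder has the folded
    name (case-insensitive), record it as the 'twin' the look-alike shadows."""
    hits: List[Hit] = []
    for dirpath, dirnames, filenames in os.walk(root):
        names = dirnames + filenames
        siblings = {n.lower(): n for n in names}
        for name in names:
            if not has_non_ascii(name):
                continue
            folded = ascii_fold(name)
            # The entry's own lower-cased name still contains the accented
            # letter, so it can never match its folded form here.
            twin = siblings.get(folded.lower())
            hits.append(Hit(os.path.join(dirpath, name), folded, twin))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample layout for the demo (a temp directory, not a real
    Windows profile). Names are chosen to mirror the thread."""
    root = tempfile.mkdtemp(prefix="lookalike_demo_")
    for rel in (
        os.path.join("WINDOWS", "AppPatch"),                          # legitimate
        os.path.join("WINDOWS", "\u00e0ppPatch"),                     # àppPatch: look-alike beside the real one
        os.path.join("Program Files", "Common Files", "\u00e7asks"),  # çasks: no legitimate twin
        os.path.join("Application Data", "Symantec"),                 # legitimate
    ):
        os.makedirs(os.path.join(root, rel))
    return root


def main() -> None:
    root = build_sample_tree()
    try:
        for hit in find_lookalike_entries(root):
            if hit.twin is not None:
                note = "shadows legitimate '%s'" % hit.twin
            else:
                note = "folds to '%s', no legitimate twin" % hit.folded
            print("%s  (%s)" % (hit.path, note))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    main()
```

Point `find_lookalike_entries` at a real profile or Program Files tree to list the candidates before deciding what to delete; a look-alike with a twin (àppPatch next to AppPatch) is the strongest signal.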
 
Slow start up and pop up browsers

Thanks Shaba, I really appreciate your time helping me out with this. The PC is already working like new. See the new combo and hijack files below.

ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Gregory Lewin\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-08 15:59 <DIR> d-------- C:\!KillBox
2007-02-06 18:34 108 ---hs---- C:\WINDOWS\WSYS049.SYS
2007-02-06 18:33 243,526 --a------ C:\WINDOWS\CoffeeCup Visual Site Designer Uninstaller.exe
2007-02-03 23:32 13 C:\DOCUME~1\ALLUSE~1\Application Data\YAŽ>O3113>.sys
2007-02-03 22:13 <DIR> d-------- C:\WINDOWS\Flash Menu Factory
2007-02-03 21:26 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-02-03 17:45 <DIR> d-------- C:\Program Files\ACW
2007-02-02 23:52 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-01 17:27 <DIR> d-------- C:\VundoFix Backups
2007-01-30 23:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Yahoo! Companion
2007-01-30 02:51 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-01-28 15:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TechSmith
2007-01-28 15:41 <DIR> d-------- C:\Program Files\TechSmith
2007-01-28 15:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-01-28 13:57 <DIR> d-------- C:\DOCUME~1\GREGOR~1\Application Data\Uniblue
2007-01-28 11:25 <DIR> d-------- C:\WINDOWS\pss
2007-01-27 01:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-27 00:39 620,123 --a------ C:\WINDOWS\SYSTEM32\RegistryCleanerSetup.exe
2007-01-25 17:59 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-25 03:07 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-25 01:40 95,760 --a------ C:\WINDOWS\SYSTEM32\isafeif.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\vetredir.dll
2007-01-25 01:40 75,280 --a------ C:\WINDOWS\SYSTEM32\isafprod.dll
2007-01-25 01:40 629,216 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetefile.sys
2007-01-25 01:40 32,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetmonnt.sys
2007-01-25 01:40 26,640 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-filt.sys
2007-01-25 01:40 21,648 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vetfddnt.sys
2007-01-25 01:40 21,392 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vet-rec.sys
2007-01-25 01:40 108,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\veteboot.sys
2007-01-25 01:39 <DIR> d-------- C:\Program Files\CA
2007-01-25 01:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\CA
2007-01-25 00:19 73,728 --a------ C:\WINDOWS\SYSTEM32\out.dll
2007-01-23 18:28 17,920 --a------ C:\WINDOWS\SYSTEM32\mdimon.dll
2007-01-20 12:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\tmp


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-04 08:48 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\voipstunt
2007-02-03 21:45 -------- d-------- C:\Program Files\google
2007-01-30 23:55 -------- d-------- C:\Program Files\yahoo!
2007-01-29 00:47 -------- d-------- C:\Program Files\microsoft frontpage
2007-01-28 16:37 -------- d---s---- C:\DOCUME~1\GREGOR~1\Application Data\microsoft
2007-01-28 14:58 -------- d-------- C:\Program Files\java
2007-01-25 00:26 -------- d-------- C:\Program Files\limewire
2007-01-11 05:35 -------- d-------- C:\Program Files\ws_ftp
2006-12-31 20:57 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\adobe
2006-12-31 20:49 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-31 20:47 -------- d-------- C:\Program Files\Common Files\adobe systems shared
2006-12-31 20:24 -------- d--h----- C:\Program Files\installshield installation information
2006-12-31 07:17 -------- d-------- C:\DOCUME~1\GREGOR~1\Application Data\opera
2006-12-20 22:48 364544 --------- C:\WINDOWS\SYSTEM32\anpop.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"VoipStunt"="\"E:\\VoipStunt\\VoipStunt.exe\" -nosplash -minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"MMTray"="C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mm_tray.exe"
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"Iomega Automatic Backup 1.0.1"="C:\\Program Files\\Iomega\\Iomega Automatic Backup\\ibackup.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
"backup"="C:\\WINDOWS\\pss\\SnagIt 8.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TECHSM~1\\SNAGIT~1\\SnagIt32.exe "
"item"="SnagIt 8"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="napster"
"hkey"="HKLM"
"command"="C:\\Program Files\\Napster\\napster.exe /systray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="voipstunt"
"hkey"="HKCU"
"command"="\"E:\\voipstunt\\voipstunt.exe\" -nosplash -minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{6E4B23EE-D412-48BD-B133-60574061E429}"=""
"{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhld32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-02-11 14:11:40
 
Slow start up and pop up browsers

Logfile of HijackThis v1.99.1
Scan saved at 2:16:17 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\VoipStunt\VoipStunt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Gregory Lewin\Desktop\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [VoipStunt] "E:\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02b.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130445843046
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 
Hi

Now it's gone :)

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
          + Extended (if available, otherwise Standard)
      o Scan Options:
          + Scan Archives
          + Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan" select My Computer.
  • The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- Kaspersky report
 

Thank you Shaba, see reports below.

Logfile of HijackThis v1.99.1
Scan saved at 3:52:48 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\VoipStunt\VoipStunt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MICROS~4\Office\OUTLOOK.EXE
C:\Program Files\2X\ApplicationServer Client\APPServerClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Gregory Lewin\Desktop\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [VoipStunt] "E:\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02b.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130445843046
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 12, 2007 3:43:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/02/2007
Kaspersky Anti-Virus database records: 267102
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 77812
Number of viruses found: 24
Number of infected objects: 155 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:36:31

Infected Object Name / Virus Name / Last Action
C:\!KillBox\axytbibh.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\cawhd.exe Infected: Trojan-Clicker.Win32.Costrat.af skipped
C:\!KillBox\drvcoj.dll Infected: not-virus:Hoax.Win32.Renos.gi skipped
C:\!KillBox\drvzej.dll Infected: not-virus:Hoax.Win32.Renos.gi skipped
C:\!KillBox\egvbxejf.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\fkkyursa.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\hykcm.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\!KillBox\iidomoux.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\iuugaixm.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\koukphaf.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\ktyfxbe.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\!KillBox\ntbmvkwy.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\ofrlvek.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\!KillBox\pmjaynxh.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\!KillBox\pnkmfil.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\!KillBox\qarv.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\!KillBox\svchost.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\!KillBox\v6.exe Infected: Trojan-Downloader.Win32.Tiny.fk skipped
C:\!KillBox\winantiviruspro2006freeinstall[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\!KillBox\winhld32.dll Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Gregory Lewin\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Desktop\backups\backup-20070203-110746-687.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Documents and Settings\Gregory Lewin\Desktop\backups\backup-20070203-110746-897.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\Documents and Settings\Gregory Lewin\Desktop\backups\backup-20070208-155638-484.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\Documents and Settings\Gregory Lewin\Desktop\backups\backup-20070208-155638-502.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\Documents and Settings\Gregory Lewin\Desktop\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\Documents and Settings\Gregory Lewin\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\Gregory Lewin\Desktop\OiUninstaller.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Application Data\ofrlvek.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temp\Perflib_Perfdata_388.dat Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temp\~DF68C7.tmp Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temp\~DF762A.tmp Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temp\~DF823.tmp Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temp\~DFD720.tmp Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temp\~DFD72D.tmp Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temp\~DFD905.tmp Object is locked skipped
C:\Documents and Settings\Gregory Lewin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gregory Lewin\ntuser.dat Object is locked skipped
C:\Documents and Settings\Gregory Lewin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-18\Dc1\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc1\Update.exe~ Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc10\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc10\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc11\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc11\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc2\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc2\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc3\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc3\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc4\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc4\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc5\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc5\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc6\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc6\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc7\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc7\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc8\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc8\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc9\system.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\RECYCLER\S-1-5-18\Dc9\Update.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545\A0071178.exe Infected: Trojan-Downloader.Win32.Obfuscated.bh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545\A0071188.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP545\A0071237.exe Infected: not-a-virus:AdWare.Win32.Softomate.af skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP546\A0072234.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP546\A0072244.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP546\A0072625.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP546\A0072625.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP546\A0072625.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP546\A0072726.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP547\A0074899.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP547\A0074909.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP548\A0074941.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP548\A0074988.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP548\A0074994.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP552\A0075067.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP552\A0075088.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP552\A0075089.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP552\A0075089.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP552\A0075089.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP557\A0077551.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP557\A0077553.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP560\A0077815.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP560\A0077815.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP560\A0077815.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP575\A0079860.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0079899.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0079899.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0079899.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0079901.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0079919.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP580\A0079938.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP583\A0079975.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP587\A0080110.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080142.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080152.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080166.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080167.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080168.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080175.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080180.exe Infected: Packed.Win32.Klone.t skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080182.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080183.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080184.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080184.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
 
Slow start up and pop up browsers

The rest of the Kaspersky report, as it was too large.


C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP589\A0080184.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP593\A0080327.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP593\A0080327.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP593\A0080327.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP593\A0080337.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP594\A0080376.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP594\A0080381.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080403.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080403.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080403.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080409.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080424.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.ab skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080425.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080426.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080427.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080428.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080429.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080430.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080448.dll Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080449.exe Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080503.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080507.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080514.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP595\A0080543.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080587.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080591.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080608.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080608.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080608.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080610.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080611.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080617.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080626.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080639.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080658.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080665.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080701.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080714.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP603\A0080731.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0080777.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP605\A0081804.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP605\A0081805.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0081891.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0081902.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0081903.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0081912.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP607\A0081938.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0081968.dll Infected: not-virus:Hoax.Win32.Renos.gi skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0081972.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0081981.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0081999.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082001.exe Infected: Trojan-Downloader.Win32.Tiny.fk skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082002.dll Infected: not-virus:Hoax.Win32.Renos.gi skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082003.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082004.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082005.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082006.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082007.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082008.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082009.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082011.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082012.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082013.exe Infected: Trojan-Clicker.Win32.Costrat.af skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082014.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082015.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082016.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082017.dll Infected: Trojan-Downloader.Win32.Busky.gen skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP608\A0082018.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP611\change.log Object is locked skipped
C:\VundoFix Backups\jkklk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\opnmnlk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\VundoFix Backups\opnnmjk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\VundoFix Backups\qomkjij.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gl skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\autosys.exe~ Infected: Trojan-Downloader.Win32.Obfuscated.bh skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\out.dll Infected: Trojan.Win32.Agent.adl skipped
C:\WINDOWS\SYSTEM32\v6.exe~ Infected: Trojan-Downloader.Win32.Tiny.fk skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.