Symantec pop-ups for email errors on mail I'm not sending

Tanner2059

New member
I have updated the Windows XP Service Pack, downloaded & updated Spybot-S&D, ran it and fixed, ran the on-line eTrust Antivirus, which said I was clear, ran Spybot in Safe Mode & fixed, rescanned and got an OK. I am still having the problem, can you PLEASE help!! I am also being told that the e-mails I am sending look strange ("ah" after every word).
Below is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:05:31 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Cursors\lsasrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sfabevdbya.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\kvfrfadqxdlf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\gazcgye.exe
C:\WINDOWS\system32\wwrrpdom.exe
C:\WINDOWS\system32\nfmj.exe
C:\WINDOWS\system32\lei.exe
C:\WINDOWS\system32\emoczomzdfxu.exe
C:\WINDOWS\system32\jg.exe
C:\WINDOWS\system32\xebybjxbhf.exe
C:\WINDOWS\system32\e.exe
C:\WINDOWS\system32\ljghko.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\OPScan.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.rfcu.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dgwjx] C:\WINDOWS\system32\dgwjx.exe
O4 - HKLM\..\Run: [mefutwruzp] C:\WINDOWS\system32\mefutwruzp.exe
O4 - HKLM\..\Run: [katpw] C:\WINDOWS\system32\katpw.exe
O4 - HKLM\..\Run: [lgxszrf] C:\WINDOWS\system32\lgxszrf.exe
O4 - HKLM\..\Run: [vzzzgatza] C:\WINDOWS\system32\vzzzgatza.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tdledcgpkp] C:\WINDOWS\system32\tdledcgpkp.exe
O4 - HKLM\..\Run: [zaoubtdkdqht] C:\WINDOWS\system32\zaoubtdkdqht.exe
O4 - HKLM\..\Run: [nbsnugpdck] C:\WINDOWS\system32\nbsnugpdck.exe
O4 - HKLM\..\Run: [kvfrfadqxdlf] C:\WINDOWS\system32\kvfrfadqxdlf.exe
O4 - HKLM\..\Run: [gazcgye] C:\WINDOWS\system32\gazcgye.exe
O4 - HKLM\..\Run: [wwrrpdom] C:\WINDOWS\system32\wwrrpdom.exe
O4 - HKLM\..\Run: [nfmj] C:\WINDOWS\system32\nfmj.exe
O4 - HKLM\..\Run: [lei] C:\WINDOWS\system32\lei.exe
O4 - HKLM\..\Run: [emoczomzdfxu] C:\WINDOWS\system32\emoczomzdfxu.exe
O4 - HKLM\..\Run: [jg] C:\WINDOWS\system32\jg.exe
O4 - HKLM\..\Run: [xebybjxbhf] C:\WINDOWS\system32\xebybjxbhf.exe
O4 - HKLM\..\Run: [e] C:\WINDOWS\system32\e.exe
O4 - HKLM\..\Run: [hrhzxwgbcb] C:\WINDOWS\system32\hrhzxwgbcb.exe
O4 - HKLM\..\Run: [bvcfakuear] C:\WINDOWS\system32\bvcfakuear.exe
O4 - HKLM\..\Run: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\Run: [suw] C:\WINDOWS\system32\suw.exe
O4 - HKLM\..\Run: [y] C:\WINDOWS\system32\y.exe
O4 - HKLM\..\Run: [tof] C:\WINDOWS\system32\tof.exe
O4 - HKLM\..\Run: [oyjknbjxx] C:\WINDOWS\system32\oyjknbjxx.exe
O4 - HKLM\..\Run: [c] C:\WINDOWS\system32\c.exe
O4 - HKLM\..\Run: [mxagporylril] C:\WINDOWS\system32\mxagporylril.exe
O4 - HKLM\..\Run: [oebcxl] C:\WINDOWS\system32\oebcxl.exe
O4 - HKLM\..\Run: [sfr] C:\WINDOWS\system32\sfr.exe
O4 - HKLM\..\Run: [ljghko] C:\WINDOWS\system32\ljghko.exe
O4 - HKLM\..\Run: [cdvulrq] C:\WINDOWS\system32\cdvulrq.exe
O4 - HKLM\..\Run: [vfgwsl] C:\WINDOWS\system32\vfgwsl.exe
O4 - HKLM\..\Run: [sfabevdbya] C:\WINDOWS\system32\sfabevdbya.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {92731A49-62CA-42fa-B405-B8169C032082} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123072568984
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Local Security Authority Server (LSaServ) - Unknown owner - C:\WINDOWS\Cursors\lsasrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Print Spooler Service (uufsyaio24j) - Unknown owner - C:\WINDOWS\system32\vfgwsl.exe
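Added example (not part of the post above, and not a HijackThis feature): a small Python triage script that reads O4 Run-key and O23 service lines of this kind and separates the noise from the entries that matter. It flags HKLM Run entries that point straight at an unrecognised binary in system32, services that use a core Windows file name from a directory where that file does not live, services whose display name copies a real Windows service while their short name is not the real one, and random-looking service names. The KNOWN_STARTUP allowlist is an assumption built from this specific log; the sample lines are copied from it.

```python
import re
from dataclasses import dataclass

# Excerpt copied verbatim from the HijackThis log above; feed the whole file to triage() in practice.
HJT_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dgwjx] C:\WINDOWS\system32\dgwjx.exe
O4 - HKLM\..\Run: [mefutwruzp] C:\WINDOWS\system32\mefutwruzp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [e] C:\WINDOWS\system32\e.exe
O4 - HKLM\..\Run: [vfgwsl] C:\WINDOWS\system32\vfgwsl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Local Security Authority Server (LSaServ) - Unknown owner - C:\WINDOWS\Cursors\lsasrv.exe
O23 - Service: Print Spooler Service (uufsyaio24j) - Unknown owner - C:\WINDOWS\system32\vfgwsl.exe
"""

# Assumed allowlist of Run-key binaries legitimate on this machine. hkcmd and
# agrsmmsg contain no vowel at all, so a name heuristic alone would flag them.
KNOWN_STARTUP = {"igfxtray", "hkcmd", "ctfmon", "qttask", "ccapp", "msascui", "agrsmmsg",
                 "ndstray", "ceekey", "tfswctrl", "wcescomm", "isuspm", "wmpnscfg"}
# Core Windows file names; one of these running from outside system32 is masquerading.
CORE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "lsasrv", "svchost", "spoolsv", "explorer"}
# Display-name fragment of a real service -> the short name the real one registers under.
REAL_SERVICES = {"print spooler": "spooler"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<rest>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: str


def _exe_path(rest):
    # The Run value may be quoted and may carry arguments; keep the part up to the first .exe
    m = re.match(r'"?(?P<p>[^"]*?\.exe)', rest, re.I)
    return m.group("p") if m else rest.strip()


def _stem(path):
    return path.rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def looks_random(name):
    """Cheap naming heuristic: one or two letters, no vowel, or a consonant cluster of four or more."""
    s = name.lower()
    if len(s) <= 2 or not any(c in "aeiouy" for c in s):
        return True
    return max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0) >= 4


def triage(log_text):
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O4_RE.match(line):
            path = _exe_path(m.group("rest"))
            stem = _stem(path)
            if stem in KNOWN_STARTUP:
                continue
            if _dir(path).endswith("\\system32"):   # vendors do not drop Run-key binaries straight into system32
                findings.append(Finding("run-key-system32-unknown", path, line))
            elif looks_random(stem):
                findings.append(Finding("run-key-random-name", path, line))
        elif m := O23_RE.match(line):
            path, folder = m.group("path"), _dir(m.group("path"))
            stem, name = _stem(path), (m.group("name") or "").lower()
            if stem in CORE_NAMES and not folder.endswith("\\system32"):
                findings.append(Finding("service-masquerade-path", path, line))
            elif (m.group("owner") == "Unknown owner" and "program files" not in folder
                  and not folder.endswith("\\system32")):
                findings.append(Finding("service-unknown-owner-odd-path", path, line))
            for fragment, real in REAL_SERVICES.items():
                if fragment in m.group("display").lower() and name != real:
                    findings.append(Finding("service-impersonates-" + real, path, line))
            if name and (looks_random(name) or (len(name) >= 10 and re.search(r"\d", name))):
                findings.append(Finding("service-random-name", path, line))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f.rule:32} {f.path}")
```

Two things worth noticing when you run it over the full log: the name heuristic is deliberately applied only after the allowlist, because legitimate names such as igfxtray (consonant cluster "gfxtr") and hkcmd (no vowel) trip it, while mefutwruzp does not trip it at all and is caught only by the "unknown binary directly in system32" rule. The script also surfaces the same cross-reference a human would: vfgwsl.exe appears both as a Run entry and as the image of the fake "Print Spooler Service", so it shows up in the findings twice.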
 
Hello tanner and welcome to the Forums :)

You have a HUGE malware collection there. Very nasty infections...

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post.
 
I think I'd like your help first

I would like to try to fix it first myself with your help and not do any financial transactions on this computer. Does that sound OK, or would you recommend something else? And again THANK YOU for all your advice!
 
Ok I'll be happy to help you :)

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right-click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
 
Here are the reports

SDFix: Version 1.85

Run by Administrator - Tue 05/29/2007 - 19:02:53.01

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
qa4n5a0njkiozgy8

ImagePath:
C:\WINDOWS\system32\e.exe /service

qa4n5a0njkiozgy8 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\E.EXE - Deleted
C:\WINDOWS\SYSTEM32\EMOCZO~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GAZCGYE.EXE - Deleted
C:\WINDOWS\SYSTEM32\JG.EXE - Deleted
C:\WINDOWS\SYSTEM32\LEI.EXE - Deleted
C:\WINDOWS\SYSTEM32\NFMJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\WWRRPDOM.EXE - Deleted
C:\WINDOWS\SYSTEM32\XEBYBJ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZZXKCA~1.EXE - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\StickyNote\\StickyNote.exe"="C:\\Program Files\\StickyNote\\StickyNote.exe:*:Disabled:Architecture launch vehicle"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\WINDOWS\\system32\\mshta.exe"="C:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft (R) HTML Application host"
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"="C:\\Program Files\\Netscape\\Netscape\\Netscp.exe:*:Disabled:Netscape"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Disabled:Microsoft Fax Console"
"C:\\My Games\\SmallBall Baseball\\smallball.exe"="C:\\My Games\\SmallBall Baseball\\smallball.exe:*:Disabled:SmallBall BaseBall"
"C:\\Program Files\\Common Files\\AOL\\1160837709\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1160837709\\ee\\aim6.exe:*:Disabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\1153431725\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1153431725\\ee\\aim6.exe:*:Disabled:AIM"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1136297231\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1136297231\\EE\\AOLServiceHost.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\1160837709\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1160837709\\ee\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1153431725\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1153431725\\ee\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Disabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
"C:\\Program Files\\Netscape\\Netscape Browser\\netscape.exe"="C:\\Program Files\\Netscape\\Netscape Browser\\netscape.exe:*:Disabled:Netscape"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\WINDOWS\CdaC14BA.DLL
C:\My Games\Backspin Billiards\BackspinBilliards.exe
C:\My Games\Casino Island To Go\CasinoIsland.exe
C:\My Games\Jigsaw365\Jigsaw365.exe
C:\My Games\Luxor\Luxor.exe
C:\My Games\Pearl Harbor - Zero Hour\phz.exe
C:\My Games\RocketBowl\RocketBowl.exe
C:\My Games\Saints & Sinners Bingo\SSBingo.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\WINDOWS\CdaC13BA.EXE
C:\WINDOWS\Cursors\lsasrv.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\Kristen Tanner\Application Data\Microsoft\Word\~WRL0017.tmp
C:\Documents and Settings\Kristen Tanner\Application Data\Microsoft\Word\~WRL0838.tmp
C:\Documents and Settings\Kristen Tanner\Application Data\Microsoft\Word\~WRL2255.tmp
C:\Documents and Settings\Kristen Tanner\Application Data\Microsoft\Word\~WRL2527.tmp
C:\Documents and Settings\Kristen Tanner\Application Data\Microsoft\Word\~WRL3308.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS0061914D-C97C-4033-A11A-D7D09CA3D32A.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS008DCC8D-592D-4079-BBB9-FEA9D73D0BA3.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS03843955-AA88-4197-BCC1-7ECC687BF1C3.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS051ADE1D-B5C1-4F75-9185-17E1C7ADD964.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS07BD0C8B-99A1-48B5-9821-F42D09C5747A.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS0B2F179D-BB3D-4E37-BDF9-118BF854446C.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS0C6860B9-CC27-4F4F-981A-D6C3A4F0B2E7.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS16EE658E-1852-432C-ADD3-AF6CFAF0F23C.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS1772DB21-B32D-41BF-A4AB-0BF59FD141A9.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS19D2238C-B62F-479D-BF20-5985EA8ABB79.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS1DBA1470-F3A6-49E6-944D-3E73C6EA1C20.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS21232AFF-1D12-455D-9A12-22272A16526F.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS2255DD0B-3A80-4A86-9E5A-29B13766DA74.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS293D142F-603F-4667-B92C-23E2FC0F65C1.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS2D4E06E8-7699-4BFA-8424-3E6D7E88E4A7.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS2DC691FD-13E3-4E11-A7A6-933F7CF33690.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS2DF6F5E8-B26F-4CE5-B747-951D76867254.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS2E888710-0D9B-44F4-99DB-FDB3649BAE66.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS302B09FC-88DF-4B88-B44D-DABB9253D225.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS36251B62-260E-44F2-9E81-9D277D9B5FB5.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS3A0EE5A2-6FE5-47A8-A921-E0D9CD577D2D.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS3D490063-D593-460B-8FDD-34EF49C9886D.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS403D94FB-5D0F-45FD-BEDF-571ABF77A9A0.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS43100527-8826-4171-A391-B5FDD92526AA.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS433EF925-E246-42F0-B44A-BECB87FDCEF8.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS43741566-0AED-46E4-BDC2-5DA864173193.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS455920B7-F7E9-452F-BD22-EC323838F3D8.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS47678197-D58E-419A-AEE9-ECC757D4BE5D.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS49987721-86A3-4837-9BF1-5E24EA7AC94B.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS49AF072F-F909-4AFA-B1F0-527EAC77122E.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS4CA8967F-3189-4EDA-A2ED-0CD4ADD91976.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS5252DF08-FBBD-4118-BC24-AF2940A242C8.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS52A16CD9-1206-40AD-99E3-DB95ABB943F9.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS5344AEC3-6499-4863-B53E-21EAB21E154A.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS53DB7E19-3AEB-4E66-A923-6909B31C630E.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS546D7E4C-6FB8-4116-AFD0-4C86DFC115C8.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS54DFB80E-9D95-421C-B372-C267ECC43352.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS56968A1D-DB9D-4692-A096-76320A73CE09.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS570C621B-2DC7-48AD-9DD8-E039927BB136.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS5B53CD83-7D1C-461F-B0EE-9CA28302B8F6.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6020B3D8-079D-4173-A3BE-118CC72B3BE9.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6221C8C4-BC9F-4D28-902C-1AEC5E744726.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6253BA6F-27EA-49CC-A6C1-D2F088B83D9D.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6938F295-4D24-4DE3-95D7-7ADFA8F3C777.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6AB0C5E2-B209-4384-A5D0-263172292222.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6B31D138-FA6D-4435-8CDC-5BD87436092F.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6B9B97DA-197A-4620-998B-F1ACD9F4B09A.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6BF8606A-CF7F-4FBD-9595-2218C69347E0.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS6F551BAD-1AA4-4E05-A33F-63D6B3416C25.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS702168D0-C1FE-4188-894E-EEEC363C1969.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS71DAD852-5B72-4EC3-9A8F-FE02BFD5B946.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS730955B5-8908-4B49-9BA5-68E4462E08C5.tmp
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\CS7A3D8944-4B95-4B84-8A39-3E095B8D4CA4.tmp
Logfile of HijackThis v1.99.1
Scan saved at 7:19:26 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Cursors\lsasrv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\dgwjx.exe
C:\WINDOWS\system32\mefutwruzp.exe
C:\WINDOWS\system32\katpw.exe
C:\WINDOWS\system32\lgxszrf.exe
C:\WINDOWS\system32\vzzzgatza.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\tdledcgpkp.exe
C:\WINDOWS\system32\zaoubtdkdqht.exe
C:\WINDOWS\system32\nbsnugpdck.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\nbsnugpdck.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dgwjx] C:\WINDOWS\system32\dgwjx.exe
O4 - HKLM\..\Run: [mefutwruzp] C:\WINDOWS\system32\mefutwruzp.exe
O4 - HKLM\..\Run: [katpw] C:\WINDOWS\system32\katpw.exe
O4 - HKLM\..\Run: [lgxszrf] C:\WINDOWS\system32\lgxszrf.exe
O4 - HKLM\..\Run: [vzzzgatza] C:\WINDOWS\system32\vzzzgatza.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tdledcgpkp] C:\WINDOWS\system32\tdledcgpkp.exe
O4 - HKLM\..\Run: [zaoubtdkdqht] C:\WINDOWS\system32\zaoubtdkdqht.exe
O4 - HKLM\..\Run: [nbsnugpdck] C:\WINDOWS\system32\nbsnugpdck.exe
O4 - HKLM\..\Run: [kvfrfadqxdlf] C:\WINDOWS\system32\kvfrfadqxdlf.exe
O4 - HKLM\..\Run: [bvcfakuear] C:\WINDOWS\system32\bvcfakuear.exe
O4 - HKLM\..\Run: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\Run: [suw] C:\WINDOWS\system32\suw.exe
O4 - HKLM\..\Run: [y] C:\WINDOWS\system32\y.exe
O4 - HKLM\..\Run: [tof] C:\WINDOWS\system32\tof.exe
O4 - HKLM\..\Run: [oyjknbjxx] C:\WINDOWS\system32\oyjknbjxx.exe
O4 - HKLM\..\Run: [c] C:\WINDOWS\system32\c.exe
O4 - HKLM\..\Run: [mxagporylril] C:\WINDOWS\system32\mxagporylril.exe
O4 - HKLM\..\Run: [oebcxl] C:\WINDOWS\system32\oebcxl.exe
O4 - HKLM\..\Run: [sfr] C:\WINDOWS\system32\sfr.exe
O4 - HKLM\..\Run: [ljghko] C:\WINDOWS\system32\ljghko.exe
O4 - HKLM\..\RunServices: [dgwjx] C:\WINDOWS\system32\dgwjx.exe
O4 - HKLM\..\RunServices: [zaoubtdkdqht] C:\WINDOWS\system32\zaoubtdkdqht.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {92731A49-62CA-42fa-B405-B8169C032082} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123072568984
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Print Spooler Service (eopiioyw4ajuhza2) - Unknown owner - C:\WINDOWS\system32\nbsnugpdck.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Local Security Authority Server (LSaServ) - Unknown owner - C:\WINDOWS\Cursors\lsasrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Ok we'll continue :)


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
 
GMER Results

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-30 20:13:59
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 85AC4640 ZwConnectPort
SSDT 85B94E00 ZwOpenProcess
SSDT 85AB9428 ZwOpenThread

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 4309FF9F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 4309FF20 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 4309FF64 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 4309FEAC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 4309FEE6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 4309FFDA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3548] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F315D2 C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [EE3769BA] tfsnifs.sys
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [EE3769BA] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [EE376852] tfsnifs.sys

---- EOF - GMER 1.0.12 ----
 
Ok...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
 
combofix scan

"Kristen Tanner" - 2007-05-31 16:18:58 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Kristen Tanner\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


2007-05-31 16:14 66,560 --------- C:\WINDOWS\system32\uznqfcfj.exe
2007-05-31 15:34 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-22 06:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 20:50 <DIR> d--hs---- C:\found.000
2007-05-21 17:25 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-05-19 10:07 <DIR> d-------- C:\60a8ea97af3d4aeaea
2007-05-15 06:19 <DIR> d--h----- C:\DOCUME~1\KRISTE~1\APPLIC~1\Move Networks
2007-05-15 05:57 66,560 --a------ C:\WINDOWS\system32\zaoubtdkdqht.exe
2007-05-15 05:57 66,560 --a------ C:\WINDOWS\system32\nbsnugpdck.exe
2007-05-08 22:52 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-01 06:05 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-04-10 17:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-04-02 17:35 <DIR> d-------- C:\Program Files\MySpace
2007-04-02 17:35 <DIR> d-------- C:\DOCUME~1\KRISTE~1\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-29 12:23:32 112 ----a-w C:\WINDOWS\popcinfo.dat
2007-05-26 00:06:58 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-20 17:57:14 -------- d-----w C:\Program Files\Plaxo
2007-05-04 12:21:12 -------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 11:39:27 -------- d-----w C:\DOCUME~1\KRISTE~1\APPLIC~1\AdobeUM
2007-04-13 11:39:22 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-10 19:07:18 -------- d-----w C:\Program Files\Netscape
2007-04-10 19:02:58 15,734 ----a-w C:\WINDOWS\mozver.dat
2007-04-10 19:02:34 -------- d-----w C:\Program Files\AOD
2007-04-10 18:54:19 -------- d-----w C:\DOCUME~1\KRISTE~1\APPLIC~1\Netscape
2007-04-07 18:38:54 -------- d-----w C:\Program Files\Symantec
2007-03-28 22:41:32 517,848 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-03-28 22:41:28 132,824 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-03-28 22:41:26 266,552 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-03-28 22:41:24 18,904 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-03-28 22:41:20 37,016 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-03-28 22:41:18 47,192 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-03-28 22:41:14 171,928 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-03-28 22:41:12 11,480 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-03-28 01:19:19 -------- d-----w C:\Program Files\The Print Shop 20
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 17:34:28 676,224 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}=C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-07-14 05:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{BDF3E430-B101-42AD-A544-FADC6B084872}=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll [2005-10-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" []
"NDSTray.exe"="NDSTray.exe" []
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 18:14]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 18:32]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-07 15:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2005-04-22 20:19]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"zaoubtdkdqht"=C:\WINDOWS\system32\zaoubtdkdqht.exe
"nbsnugpdck"=C:\WINDOWS\system32\nbsnugpdck.exe
"uznqfcfj"=C:\WINDOWS\system32\uznqfcfj.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 4.0.lnk
backup=C:\WINDOWS\pss\eFax DllCmd 4.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 4.0.lnk
backup=C:\WINDOWS\pss\eFax Tray Menu 4.0.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
backup=C:\WINDOWS\pss\Post-it® Software Notes Lite.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kristen Tanner^Start Menu^Programs^Startup^Desktop Weather 4.lnk]
path=C:\Documents and Settings\Kristen Tanner\Start Menu\Programs\Startup\Desktop Weather 4.lnk
backup=C:\WINDOWS\pss\Desktop Weather 4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kristen Tanner^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\Kristen Tanner\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kristen Tanner^Start Menu^Programs^Startup^StickyNote.lnk]
path=C:\Documents and Settings\Kristen Tanner\Start Menu\Programs\Startup\StickyNote.lnk
backup=C:\WINDOWS\pss\StickyNote.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEPOWER]
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloantoCalculator]
"C:\Program Files\Cloanto\Calculator\calculator.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloantoSoftwareManager]
"C:\Program Files\Common Files\Cloanto\Software Manager\softmngr.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzButton]
C:\Program Files\EzButton\EzButton.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1160837709\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
"C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notebook Maximizer]
C:\Program Files\Notebook Maximizer\maximizer_startup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
C:\TOSHIBA\IVP\ISM\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPNF]
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]
c:\WINDOWS\System32\ZoomingHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - QA4N5A0NJKIOZGY8

Contents of the 'Scheduled Tasks' folder
2007-05-28 15:28:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-31 20:17:42 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-05-31 00:13:34 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Kristen Tanner.job
2007-05-28 16:00:03 C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
2007-05-08 10:11:01 C:\WINDOWS\tasks\Symantec Drmc.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 16:25:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-05-31 16:26:34
C:\ComboFix2.txt ... 2007-05-31 15:34

--- E O F ---
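The two O23 services above are the core of this log. A service calling itself "Print Spooler Service" runs a random-named file from system32 (the genuine XP spooler is the "Spooler" service, image spoolsv.exe), and a "Local Security Authority Server" runs from C:\WINDOWS\Cursors (LSA lives in lsass.exe; Windows ships lsasrv.dll, loaded into lsass.exe, but no lsasrv.exe). The same random-named images are also wired into the RunServices key, a Windows 9x/ME-era key that XP itself never processes but that malware writes anyway. The Python below, added here as an example and not code from the thread, encodes those checks as a triage pass over HijackThis O23/O4 lines. The sample lines are constructed in the shape of the entries above, and the scoring weights and the 2-point threshold are my own choices, tuned to this infection rather than a general rule.

```python
"""Triage O23 (service) and O4 (autorun) lines from a HijackThis 1.99 log."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of the HijackThis lines posted above: genuine
# entries, the two bogus services, one RunServices line and a legitimate ctfmon line.
SAMPLE_LOG = """\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: Print Spooler Service (eopiioyw4ajuhza2) - Unknown owner - C:\\WINDOWS\\system32\\nbsnugpdck.exe
O23 - Service: Local Security Authority Server (LSaServ) - Unknown owner - C:\\WINDOWS\\Cursors\\lsasrv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\system32\\Ati2evxx.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\RunServices: [nbsnugpdck] C:\\WINDOWS\\system32\\nbsnugpdck.exe
O4 - HKLM\\..\\Run: [q] C:\\WINDOWS\\system32\\q.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Display-name fragments that claim to be a Windows component, mapped to the image
# the genuine XP component runs from (Windows facts, not taken from the log).
IMPERSONATED = {"print spooler": "spoolsv.exe", "local security authority": "lsass.exe"}
# Windows directories a legitimate service image normally lives in.
NORMAL_WINDOWS_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\system32\\drivers\\"}

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
EXE_RE = re.compile(r'([^\\"]+?\.exe)\b', re.I)   # last path component up to .exe


@dataclass
class Finding:
    line: str
    image: str = ""                      # lower-cased image file name, e.g. "lsasrv.exe"
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 2           # threshold chosen for this log; tune per environment


def image_name(path: str) -> str:
    m = EXE_RE.search(path)
    return m.group(1) if m else ""       # case preserved: name_randomness needs it


def name_randomness(stem: str) -> int:
    """Weak signal for machine-generated names: 0 unremarkable, 1 odd, 2 strongly odd."""
    if stem != stem.lower():
        return 0                         # mixed case reads like an abbreviation: ccEvtMgr, Ati2evxx
    letters = re.sub(r"[^a-z]", "", stem)
    if not letters:
        return 0
    if len(stem) <= 3:
        return 2                         # q.exe, suw.exe, tof.exe: the pattern in this log
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return 1 if vowel_ratio < 0.2 or longest_run >= 4 else 0


def _add_name_signal(f: Finding, exe: str) -> None:
    points = name_randomness(exe.rsplit(".", 1)[0])
    if points:
        f.score += points
        f.reasons.append(f"image name '{exe}' looks machine-generated")


def score_service(m: "re.Match[str]", f: Finding) -> None:
    display, owner, path = m["display"].lower(), m["owner"], m["path"]
    exe = image_name(path)
    f.image = exe.lower()
    for fragment, genuine in IMPERSONATED.items():
        if fragment in display and f.image != genuine:
            f.score += 2
            f.reasons.append(f"claims to be '{m['display']}' but runs {exe}, not {genuine}")
    directory = path.lower()[: path.rfind("\\") + 1]
    if directory.startswith("c:\\windows\\") and directory not in NORMAL_WINDOWS_DIRS:
        f.score += 2
        f.reasons.append(f"service image in unusual Windows subdirectory {directory}")
    if owner == "Unknown owner":
        f.score += 1
        f.reasons.append("binary carries no company name")
    _add_name_signal(f, exe)


def score_autorun(m: "re.Match[str]", f: Finding) -> None:
    rest = m["rest"]
    path = rest.split('"')[1] if rest.startswith('"') else rest   # strip quotes and arguments
    exe = image_name(path)
    f.image = exe.lower()
    if m["key"].lower().startswith("runservices"):
        f.score += 1
        f.reasons.append("RunServices is a Windows 9x/ME key that XP itself never processes")
    _add_name_signal(f, exe)


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        f = Finding(line)
        if m := O23_RE.match(line):
            score_service(m, f)
        elif m := O4_RE.match(line):
            score_autorun(m, f)
        else:
            continue
        findings.append(f)
    return findings


def suspicious_images(log_text: str) -> List[str]:
    """Distinct image names worth killing, disabling and deleting, sorted."""
    return sorted({f.image for f in triage(log_text) if f.suspicious and f.image})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f.suspicious:
            print(f"[{f.score}] {f.line}\n      " + "\n      ".join(f.reasons))
```

Run it against a full HijackThis log by passing the file contents to `triage`; the name heuristic alone never crosses the threshold (ctfmon.exe scores 1), so a line is only flagged when it also impersonates a Windows component, runs from an odd directory, or sits in RunServices.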
 
Hi again, we'll continue :)

Let's remove the buggers....

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:
C:\WINDOWS\Cursors\lsasrv.exe
then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go to this forum
There's no need to register. Just start a new topic in the Uploads section, titled "File for Mr_JAk3".
Copy the link of this topic to the message.

Use the Attachment box to upload the cab file from your desktop.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself), as they only show to the authorised users who can download them.

Thank you :bigthumb:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

Please disconnect your computer from the internet.

==================

Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:

SmartShopper

and any other programs you didn't install or don't recognize - if you're not sure, please ask first.

Use the process viewer in HijackThis (Config, Misc Tools, Process Viewer) to unload the following running processes. If something isn't found, please continue with the next process in the list.

C:\WINDOWS\Cursors\lsasrv.exe
C:\WINDOWS\system32\dgwjx.exe
C:\WINDOWS\system32\mefutwruzp.exe
C:\WINDOWS\system32\katpw.exe
C:\WINDOWS\system32\lgxszrf.exe
C:\WINDOWS\system32\vzzzgatza.exe
C:\WINDOWS\system32\tdledcgpkp.exe
C:\WINDOWS\system32\zaoubtdkdqht.exe
C:\WINDOWS\system32\nbsnugpdck.exe

Disable the bad services
  • Start
  • Run
  • Type services.msc into the field and press Enter.
  • A window opens; scroll down to Print Spooler Service
  • Right-click it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.
  • Scroll down to Local Security Authority Server (LSaServ)
  • Right-click it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.

Then, open HijackThis.
  • Open the Misc Tools section
  • Delete an NT service
  • Copy the following line to the box and press OK; Print Spooler Service
  • Answer Yes
  • Press Delete an NT service again.
  • Copy the following line to the box and press OK; Local Security Authority Server
  • Answer Yes
  • Close HijackThis

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O4 - HKLM\..\Run: [dgwjx] C:\WINDOWS\system32\dgwjx.exe
O4 - HKLM\..\Run: [mefutwruzp] C:\WINDOWS\system32\mefutwruzp.exe
O4 - HKLM\..\Run: [katpw] C:\WINDOWS\system32\katpw.exe
O4 - HKLM\..\Run: [lgxszrf] C:\WINDOWS\system32\lgxszrf.exe
O4 - HKLM\..\Run: [vzzzgatza] C:\WINDOWS\system32\vzzzgatza.exe
O4 - HKLM\..\Run: [tdledcgpkp] C:\WINDOWS\system32\tdledcgpkp.exe
O4 - HKLM\..\Run: [zaoubtdkdqht] C:\WINDOWS\system32\zaoubtdkdqht.exe
O4 - HKLM\..\Run: [nbsnugpdck] C:\WINDOWS\system32\nbsnugpdck.exe
O4 - HKLM\..\Run: [kvfrfadqxdlf] C:\WINDOWS\system32\kvfrfadqxdlf.exe
O4 - HKLM\..\Run: [bvcfakuear] C:\WINDOWS\system32\bvcfakuear.exe
O4 - HKLM\..\Run: [q] C:\WINDOWS\system32\q.exe
O4 - HKLM\..\Run: [suw] C:\WINDOWS\system32\suw.exe
O4 - HKLM\..\Run: [y] C:\WINDOWS\system32\y.exe
O4 - HKLM\..\Run: [tof] C:\WINDOWS\system32\tof.exe
O4 - HKLM\..\Run: [oyjknbjxx] C:\WINDOWS\system32\oyjknbjxx.exe
O4 - HKLM\..\Run: [c] C:\WINDOWS\system32\c.exe
O4 - HKLM\..\Run: [mxagporylril] C:\WINDOWS\system32\mxagporylril.exe
O4 - HKLM\..\Run: [oebcxl] C:\WINDOWS\system32\oebcxl.exe
O4 - HKLM\..\Run: [sfr] C:\WINDOWS\system32\sfr.exe
O4 - HKLM\..\Run: [ljghko] C:\WINDOWS\system32\ljghko.exe
O4 - HKLM\..\RunServices: [dgwjx] C:\WINDOWS\system32\dgwjx.exe
O4 - HKLM\..\RunServices: [zaoubtdkdqht] C:\WINDOWS\system32\zaoubtdkdqht.exe
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {92731A49-62CA-42fa-B405-B8169C032082} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O23 - Service: Print Spooler Service (eopiioyw4ajuhza2) - Unknown owner - C:\WINDOWS\system32\nbsnugpdck.exe
O23 - Service: Local Security Authority Server (LSaServ) - Unknown owner - C:\WINDOWS\Cursors\lsasrv.exe

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\Cursors\lsasrv.exe
C:\WINDOWS\system32\dgwjx.exe
C:\WINDOWS\system32\mefutwruzp.exe
C:\WINDOWS\system32\katpw.exe
C:\WINDOWS\system32\lgxszrf.exe
C:\WINDOWS\system32\vzzzgatza.exe
C:\WINDOWS\system32\tdledcgpkp.exe
C:\WINDOWS\system32\zaoubtdkdqht.exe
C:\WINDOWS\system32\nbsnugpdck.exe
C:\WINDOWS\system32\kvfrfadqxdlf.exe
C:\WINDOWS\system32\bvcfakuear.exe
C:\WINDOWS\system32\q.exe
C:\WINDOWS\system32\suw.exe
C:\WINDOWS\system32\y.exe
C:\WINDOWS\system32\tof.exe
C:\WINDOWS\system32\oyjknbjxx.exe
C:\WINDOWS\system32\c.exe
C:\WINDOWS\system32\mxagporylril.exe
C:\WINDOWS\system32\oebcxl.exe
C:\WINDOWS\system32\sfr.exe
C:\WINDOWS\system32\ljghko.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer in Safe Mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the menu opens, choose Safe Mode
  • Press Enter. The computer then begins to start in Safe Mode.

Go to My Computer and delete the following folders (if present):
C:\Program Files\SmartShopper

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see whether you can click the check icon next to the files found
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot the computer in Normal Mode.

================

Reconnect your computer to the Internet.

When you're ready, please post the following logs to here:
- Cure-it report
- a fresh HijackThis log
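The order of the steps above matters: the processes are killed and the services disabled before anything is deleted, because a file that is still mapped by a running process cannot be removed, and a surviving component would simply re-create the Run entries. Killbox's "Delete on Reboot" gets around the file lock with the standard Windows mechanism for deferred deletion: MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries the operations out early in the next boot, before services start. The Python below is added as an example, not code from the post or from Killbox: it builds that value the way the API does (source path in \??\ form followed by an empty destination, meaning delete), merges with anything already queued, and, only on Windows with `apply=True` and administrator rights, writes it back. The file list is the one from the post; the function names are mine.

```python
"""Queue file deletions for the next boot via PendingFileRenameOperations."""
from typing import List, Sequence

try:
    import winreg                      # Windows only; the pure helpers below need nothing
except ImportError:
    winreg = None

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"

# Constructed from the Killbox list in the post above (a subset, for brevity).
FILES_TO_DELETE = [
    r"C:\WINDOWS\Cursors\lsasrv.exe",
    r"C:\WINDOWS\system32\nbsnugpdck.exe",
    r"C:\WINDOWS\system32\zaoubtdkdqht.exe",
    r"C:\WINDOWS\system32\q.exe",
]


def nt_path(win32_path: str) -> str:
    """Session Manager expects NT object-manager paths: \\??\\C:\\dir\\file."""
    return win32_path if win32_path.startswith(NT_PREFIX) else NT_PREFIX + win32_path


def merge_pending(existing: Sequence[str], paths: Sequence[str]) -> List[str]:
    """Append delete operations to the flat (source, destination) pair list.

    An empty destination means "delete source". Pairs already present are kept
    and duplicate sources skipped, which is how MOVEFILE_DELAY_UNTIL_REBOOT appends.
    """
    if len(existing) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    merged = list(existing)
    queued = {merged[i].lower() for i in range(0, len(merged), 2)}
    for p in paths:
        src = nt_path(p)
        if src.lower() in queued:
            continue
        merged += [src, ""]
        queued.add(src.lower())
    return merged


def scheduled_deletes(value: Sequence[str]) -> List[str]:
    """Sources in the value whose destination is empty, i.e. pending deletes."""
    return [value[i] for i in range(0, len(value) - 1, 2) if value[i + 1] == ""]


def schedule_delete_on_reboot(paths: Sequence[str], apply: bool = False) -> List[str]:
    """Read the live value, merge, and write it back only when apply=True (needs admin)."""
    if winreg is None:
        raise RuntimeError("this step only makes sense on Windows")
    access = winreg.KEY_READ | (winreg.KEY_WRITE if apply else 0)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER, 0, access) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            existing = []
        merged = merge_pending(existing, paths)
        if apply:
            winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, merged)
    return merged


if __name__ == "__main__":
    for src in scheduled_deletes(merge_pending([], FILES_TO_DELETE)):
        print("will delete at next boot:", src)
```

Because the value is read and rewritten as a whole, a careless tool can clobber renames that Windows Update or an installer has already queued; that is why the merge keeps existing pairs instead of replacing the value.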
 
Stuck

I didn't understand how to "unload" the processes in HijackThis. There was a kill button, is that it? Also the option to "stop" the "Local Security Authority Server" was not available (gray).
 
Hello :)

Yes, select the process and then hit the "Kill" button.

It is OK if the "Stop" button is greyed out; the service is stopped then. You may continue.

Don't hesitate to ask if you have any other questions :)
 
New HijackThis log

FYI - Print Spooler Service & Local Security Authority Server were "not found in registry", so in HijackThis I was not able to complete that step, but went on from there.

Logfile of HijackThis v1.99.1
Scan saved at 4:19:25 PM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [nbsnugpdck] C:\WINDOWS\system32\nbsnugpdck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {92731A49-62CA-42fa-B405-B8169C032082} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123072568984
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
Cure-it report

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.78.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.3.30.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
 
Hi again, we'll continue :)

Sorry for the delay, I wasn't within reach of my PC yesterday.

Looks much better.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\RunServices: [nbsnugpdck] C:\WINDOWS\system32\nbsnugpdck.exe
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {92731A49-62CA-42fa-B405-B8169C032082} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)

Yes.
Restart the computer.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


================

When you're ready, please post the following logs to here:
- a fresh HijackThis log
- Kaspersky log
 
Done...Kaspersky file and...

Please don't apologize!! I am so grateful for the help!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 03, 2007 1:09:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/06/2007
Kaspersky Anti-Virus database records: 336692
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 113863
Number of viruses found: 6
Number of infected objects: 36 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:08:00

Infected Object Name / Virus Name / Last Action
C:\!KillBox\lsasrv.exe Infected: Backdoor.Win32.Agent.ape skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01102007-223543.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-06-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Desktop\requested-files[2007-06-01_07_01].cab/C:/WINDOWS/Cursors/lsasrv.exe Infected: Backdoor.Win32.Agent.ape skipped
C:\Documents and Settings\Kristen Tanner\Desktop\requested-files[2007-06-01_07_01].cab CAB: infected - 1 skipped
C:\Documents and Settings\Kristen Tanner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1BADA6DE-F59B-4712-8D98-BD380A8C0567} Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Kristen Tanner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kristen Tanner\My Documents\Program Installation files\CursorManiaSetup2.1.50.3-3.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Documents and Settings\Kristen Tanner\My Documents\Program Installation files\CursorManiaSetup2.1.50.3-3.exe CAB: infected - 1 skipped
C:\Documents and Settings\Kristen Tanner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kristen Tanner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\AOL\SmileyCentralPFSetup2.1.50.3-3.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Program Files\AOL\SmileyCentralPFSetup2.1.50.3-3.exe CAB: infected - 1 skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07F264F4.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AF91C7A.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B136C5E.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B17165A.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B276848.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B2A1244.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BA64DBC.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BD4198A.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BE46B78.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BEB3F70.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BEE696D.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\23C8378F.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\284F7B57.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2C9472E4.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\43E962D4.htm Infected: Trojan-Downloader.VBS.Small.co skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45470974.exe Infected: Trojan.Win32.Agent.ame skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61EE4DEE.exe Infected: Trojan.Win32.Agent.ame skipped
C:\SDFix\backups\backups.zip/backups/e.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/emoczomzdfxu.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/gazcgye.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/jg.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/lei.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/nfmj.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/wwrrpdom.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/xebybjxbhf.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip/backups/zzxkcacnmb.exe Infected: Trojan.Win32.Pakes.q skipped
C:\SDFix\backups\backups.zip ZIP: infected - 9 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mgsb.exe/data0001 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\WINDOWS\system32\mgsb.exe Inno: infected - 1 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
HijackThis file

Logfile of HijackThis v1.99.1
Scan saved at 5:01:40 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare product prices - {92731A49-62CA-42fa-B405-B8169C032082} - C:\Program Files\SmartShopper\Bin\1.0.11.0\SmrtShpr.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123072568984
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
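Triaging a report like the Kaspersky one above means separating three very different kinds of line: objects that are merely "locked" (registry hives and logs in use, which is noise), detections sitting inside quarantine or backup folders left by earlier removal steps (already contained), and detections in live locations such as `C:\WINDOWS\system32`, which are the ones that still need attention. The script below is an added example written for this thread, not part of the original posts and not a Kaspersky or HijackThis tool. It infers the line layout from the report as posted, and the list of "containment" folders is an assumption drawn from the paths seen in this report (`!KillBox`, Norton `Quarantine`, `SDFix\backups`); on another machine it would need to match the tools that were actually run.

```python
"""Triage helper for Kaspersky Online Scanner report lines (added example, not a Kaspersky tool)."""
import re
from collections import Counter

# One report line is "<path> <status> <action>", where <status> is one of:
#   "Infected: <detection name>"      a detected object (possibly inside an archive, path contains '/')
#   "Object is locked"                file in use, could not be scanned
#   "<ARCHIVE>: infected - <n>"       per-container summary (ZIP, CAB, Inno, ...), counts only
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<detection>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+))"
    r" (?P<action>\S+)$"
)

# Folders holding material already removed or quarantined by an earlier step.
# Assumption based on the locations seen in the posted report; extend per machine.
CONTAINMENT_MARKERS = ("/!killbox/", "/quarantine/", "/sdfix/backups/")

# Constructed sample: a handful of lines in the layout of the posted report.
SAMPLE_REPORT = "\n".join((
    "Infected Object Name / Virus Name / Last Action",
    r"C:\!KillBox\lsasrv.exe Infected: Backdoor.Win32.Agent.ape skipped",
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped",
    r"C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07F264F4.exe Infected: Trojan.Win32.Agent.ame skipped",
    r"C:\SDFix\backups\backups.zip/backups/e.exe Infected: Trojan.Win32.Pakes.q skipped",
    r"C:\SDFix\backups\backups.zip ZIP: infected - 9 skipped",
    r"C:\WINDOWS\system32\mgsb.exe/data0001 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped",
    r"C:\WINDOWS\system32\mgsb.exe Inno: infected - 1 skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    "Scan process completed.",
))


def parse_line(line):
    """Parse one report line into a dict; headers and summary lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    kind = "infected" if d["detection"] else ("locked" if d["locked"] else "archive")
    return {"path": d["path"], "kind": kind, "detection": d["detection"],
            "archive": d["archive"], "count": int(d["count"] or 0), "action": d["action"]}


def is_contained(path):
    """True when the object lives in a quarantine/backup folder from an earlier cleanup step."""
    norm = path.replace("\\", "/").lower()
    return any(marker in norm for marker in CONTAINMENT_MARKERS)


def triage(report_text):
    """Bucket every parseable line: live detections, contained ones, locked files, archive summaries."""
    result = {"live": [], "contained": [], "locked": [], "archives": [], "detections": Counter()}
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "locked":
            result["locked"].append(rec["path"])
        elif rec["kind"] == "archive":
            # Container lines only repeat what the inner-object lines already said.
            result["archives"].append((rec["path"], rec["archive"], rec["count"]))
        else:
            result["detections"][rec["detection"]] += 1
            bucket = "contained" if is_contained(rec["path"]) else "live"
            result[bucket].append((rec["path"], rec["detection"]))
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"live detections: {len(r['live'])}, contained: {len(r['contained'])}, "
          f"locked (noise): {len(r['locked'])}, archive summaries: {len(r['archives'])}")
    for path, name in r["live"]:
        print("  NEEDS ATTENTION:", path, "->", name)
    for name, n in r["detections"].most_common():
        print(f"  {n:3d}  {name}")
```

Run against the full report posted above, the only detections outside the containment folders are the `mgsb.exe` installer in `system32` and the copies inside the requested-files CAB on the desktop; the heuristic deliberately leaves that CAB in the "live" bucket, since a person, not the script, should decide that a file collected for analysis is safe to ignore.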
 