Virtumonde

C

Culture

New member
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 21, 2008 3:49:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/04/2008
Kaspersky Anti-Virus database records: 719022
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 165779
Number of viruses found: 25
Number of infected objects: 60
Number of suspicious objects: 3
Duration of the scan process: 02:25:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\cert8.db Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\history.dat Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\key3.db Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\AAA\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\AOL OCP\AIM\Storage\data\the1debaser\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tyler Grant" <tgrant@orc.ca>][Date Mon, 4 Feb 2008 07:54:15 -0500]/UNNAMED/RemoteDesktopControlInstall.exe Infected: not-a-virus:RemoteAdmin.Win32.RemoteDesktopControl.a skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tyler Grant" <tgrant@orc.ca>][Date Mon, 4 Feb 2008 07:54:15 -0500]/UNNAMED Infected: not-a-virus:RemoteAdmin.Win32.RemoteDesktopControl.a skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Tyler.dbx/[From JiNN <jinnproduction@gmail.com>][Date Fri, 4 Apr 2008 21:32:50 -0800]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Tyler.dbx/[From JiNN <jinnproduction@gmail.com>][Date Fri, 4 Apr 2008 21:32:50 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Tyler.dbx Mail MS Outlook 5: suspicious - 2 skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\History\History.IE5\MSHist012008042120080422\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temp\BatSetup.exe Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\Documents and Settings\AAA\Local Settings\Temp\syswcc32.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temp\syswcc32.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temp\syswcc32.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temp\syswcc32.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temp\syswcc32.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\AAA\Local Settings\Temp\~DFC9CD.tmp Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temp\~DFE073.tmp Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\93e4c2046fcb4ac4bdc3dbbcc28127fb[1].zip/b155.exe Infected: Trojan.Win32.BHO.bhg skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\93e4c2046fcb4ac4bdc3dbbcc28127fb[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\kriv[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\syswcc32[1].exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\syswcc32[1].exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\syswcc32[1].exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\syswcc32[1].exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\6XYLDZO4\syswcc32[1].exe RarSFX: infected - 4 skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\FBJ9L2VX\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\FBJ9L2VX\3cd898b13299cb4bc0d5dc64745518ed[1].zip/b156.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\FBJ9L2VX\3cd898b13299cb4bc0d5dc64745518ed[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\FBJ9L2VX\BatSetup[1].exe Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\FBJ9L2VX\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\XRBJ1TBU\b433b5a80d2cb00f8f1c54387f9aa332[1].zip/b157.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\XRBJ1TBU\b433b5a80d2cb00f8f1c54387f9aa332[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\AAA\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\AAA\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Norman\Logs\nvc00004.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120007.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120061.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120065.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120066.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120068.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120071.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120071.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120077.exe Infected: Trojan-Downloader.Win32.Agent.ndt skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120083.exe Infected: Trojan-Downloader.Win32.Agent.nft skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120093.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120094.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120095.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120096.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120097.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120099.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120102.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120103.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120104.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120105.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120110.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120111.exe Infected: Trojan-Downloader.Win32.Agent.ktb skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120112.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120122.exe Infected: Trojan-Downloader.Win32.Agent.lhu skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120190.exe Infected: Trojan.Win32.BHO.bhg skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120191.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120192.exe Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120193.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1802\change.log Object is locked skipped
C:\WINDOWS\b155.exe_old Infected: Trojan.Win32.BHO.bhg skipped
C:\WINDOWS\b156.exe_old Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\WINDOWS\b157.exe_old Infected: Trojan-Downloader.Win32.Agent.jih skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3ECC1DC6-D321-48B5-859D-965E321C4058}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hi Culture

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
Thanks for your help!
--------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:25 AM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\winself.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AutoCAD 2006\acad.exe
C:\DOCUME~1\AAA\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [d0c7b7ad] rundll32.exe "C:\WINDOWS\system32\ctqilrmr.dll",b
O4 - HKLM\..\Run: [BMd3f48431] Rundll32.exe "C:\WINDOWS\system32\fwgyoryt.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Unknown owner - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 9026 bytes
 
Hi

Rename HijackThis.exe to Culture.exe and post back a fresh HijackThis log, please :)
 
Thanks again!
--------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:41 AM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\winself.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AutoCAD 2006\acad.exe
C:\DOCUME~1\AAA\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\AAA\Desktop\Culture.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {8d223a92-5dcb-56ca-8234-adc48447a9b8} - {8b9a7448-4cda-4328-ac65-bcd529a322d8} - C:\WINDOWS\system32\fvvydotv.dll
O2 - BHO: (no name) - {9003BCF7-F4A1-45E9-9073-63ADC855D56D} - C:\WINDOWS\system32\yayyxWMc.dll (file missing)
O2 - BHO: (no name) - {D009ACDA-A149-4E79-BC22-9F3B37781CF4} - C:\WINDOWS\system32\nnnnKcYp.dll
O2 - BHO: (no name) - {DAA8A275-A679-4ACD-83FE-C0500F1FE405} - C:\WINDOWS\system32\efcDTLcY.dll (file missing)
O2 - BHO: (no name) - {DD256F7D-77D1-4456-8D89-A53CFC0E174D} - C:\WINDOWS\system32\opnkhEXN.dll (file missing)
O2 - BHO: (no name) - {F3AEF888-A3E2-44EB-BD85-F0C85BA7673F} - C:\WINDOWS\system32\ljJBsSKD.dll
O2 - BHO: (no name) - {FD41B102-A78E-4D3D-9AC0-BE4E4A8E6F3F} - C:\WINDOWS\system32\iiffCTNH.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [d0c7b7ad] rundll32.exe "C:\WINDOWS\system32\qiisfqor.dll",b
O4 - HKLM\..\Run: [BMd3f48431] Rundll32.exe "C:\WINDOWS\system32\fwgyoryt.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O20 - Winlogon Notify: ljJBsSKD - C:\WINDOWS\SYSTEM32\ljJBsSKD.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Unknown owner - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10440 bytes
 
Hi

Create own folder for HijackThis to desktop and move it to that folder.

After that:

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
ComboFix 08-04-22.5 - AAA 2008-04-23 11:34:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.228 [GMT -4:00]
Running from: C:\Documents and Settings\AAA\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\AAA\My Documents\SMBOLS~1
C:\Program Files\Temporary
C:\WINDOWS\conf.inf
C:\WINDOWS\cookies.ini
C:\WINDOWS\ky.sxc
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cMWxyyay.ini
C:\WINDOWS\system32\cMWxyyay.ini2
C:\WINDOWS\system32\ctqilrmr.dll
C:\WINDOWS\system32\fvvydotv.dll
C:\WINDOWS\system32\fwgyoryt.dll
C:\WINDOWS\system32\HNTCffii.ini
C:\WINDOWS\system32\HNTCffii.ini2
C:\WINDOWS\system32\ljJBsSKD.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnnKcYp.dll
C:\WINDOWS\system32\NXEhknpo.ini
C:\WINDOWS\system32\NXEhknpo.ini2
C:\WINDOWS\system32\pYcKnnnn.ini
C:\WINDOWS\system32\pYcKnnnn.ini2
C:\WINDOWS\system32\rmrliqtc.ini
C:\WINDOWS\system32\YcLTDcfe.ini
C:\WINDOWS\system32\YcLTDcfe.ini2
C:\WINDOWS\winself.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_MSSysInterv1
-------\Service_MSSysInterv1


((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 07:29 . 2008-04-23 07:31 <DIR> d-------- C:\Program Files\QuickTime
2008-04-23 07:29 . 2008-04-23 07:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-23 07:28 . 2008-04-23 07:28 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-23 07:28 . 2008-04-23 07:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-23 07:12 . 2008-04-23 11:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-22 09:15 . 2008-04-22 09:15 272,384 --a------ C:\WINDOWS\system32\opnkhEXN.dll_old
2008-04-22 07:17 . 2008-04-22 09:07 1,540,729 --ahs---- C:\WINDOWS\system32\pmnkcims.ini
2008-04-21 13:55 . 2008-04-21 13:56 <DIR> d-------- C:\Program Files\Absolute MP3 Splitter
2008-04-21 13:36 . 2008-04-21 13:36 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-04-21 13:07 . 2008-02-11 14:56 19,512 --a------ C:\WINDOWS\system32\drivers\nvcw32mf.sys
2008-04-21 13:05 . 2008-04-21 13:05 <DIR> d-------- C:\Program Files\Safer Networking
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-21 09:44 . 2008-04-22 09:43 490 --a------ C:\WINDOWS\wininit.ini
2008-04-21 08:52 . 2008-04-21 08:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-21 08:52 . 2008-04-21 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-21 07:00 . 2008-04-21 12:25 1,541,197 --ahs---- C:\WINDOWS\system32\roqfsiiq.ini
2008-04-20 10:39 . 2008-04-21 06:57 1,540,918 --ahs---- C:\WINDOWS\system32\vctgresj.ini
2008-04-19 11:00 . 2008-04-21 08:33 <DIR> d--hs---- C:\WINDOWS\QWFhIEFpciBDb25kaXRpb25pbmcgSW5jLg
2008-04-19 10:39 . 2008-04-19 22:06 1,540,635 --ahs---- C:\WINDOWS\system32\virlwdcq.ini
2008-04-19 10:36 . 2008-04-23 07:28 109,765 --a------ C:\WINDOWS\BMd3f48431.xml
2008-04-19 10:35 . 2008-04-19 10:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-04-18 10:29 . 2008-04-18 10:29 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-04-18 10:28 . 2008-04-18 10:28 <DIR> d-------- C:\WINDOWS\Nextgen Server Client
2008-04-14 20:43 . 2008-04-14 17:43 74,240 --------- C:\WINDOWS\b156.exe_old
2008-04-08 19:33 . 2008-04-08 16:33 68,096 --------- C:\WINDOWS\b155.exe_old
2008-04-03 08:01 . 2008-04-03 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 07:59 . 2008-04-03 07:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-03 07:55 . 2008-04-03 12:27 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-01 08:19 . 2008-04-01 08:19 <DIR> d-------- C:\Program Files\Sony
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 14:09 . 2008-04-21 16:27 <DIR> d-------- C:\Documents and Settings\AAA\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 14:39 --------- d-----w C:\Program Files\NeoTracePro
2008-04-18 12:39 --------- d-----w C:\Program Files\ICQ6
2008-04-09 06:26 --------- d-----w C:\Program Files\Soulseek
2008-04-06 17:56 --------- d-----w C:\Program Files\Java
2008-04-03 12:01 --------- d-----w C:\Program Files\Lavasoft
2008-04-03 11:53 --------- d-----w C:\Program Files\FreeCDRipper
2008-03-19 15:14 --------- d-----w C:\Documents and Settings\AAA\Application Data\ICQ
2008-03-19 14:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 11:14 --------- d-----w C:\Program Files\AIM6
2008-03-19 11:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-19 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2002-08-29 12:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 -csh--w C:\WINDOWS\twain_32.dll
1999-04-23 22:22 12 --sha-w C:\WINDOWS\system\WININETICMP32.drv
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 11,776 -csha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9003BCF7-F4A1-45E9-9073-63ADC855D56D}]
C:\WINDOWS\system32\yayyxWMc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DAA8A275-A679-4ACD-83FE-C0500F1FE405}]
C:\WINDOWS\system32\efcDTLcY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD256F7D-77D1-4456-8D89-A53CFC0E174D}]
C:\WINDOWS\system32\opnkhEXN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD41B102-A78E-4D3D-9AC0-BE4E4A8E6F3F}]
C:\WINDOWS\system32\iiffCTNH.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 17:36 90112]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 00:41 94208]
"POINTER"="point32.exe" []
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-06-06 06:33 372736 C:\WINDOWS\system32\nwiz.exe]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 14:40 183352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 01:28 36352]
"d0c7b7ad"="C:\WINDOWS\system32\qiisfqor.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10:18:22 10872]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJBsSKD]
ljJBsSKD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=C:\WINDOWS\pss\Exif Launcher 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
--a------ 2002-09-24 16:39 147456 C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
C:\Program Files\Iomega\DriveIcons\deskup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2002-09-12 13:13 1101824 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 20:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-06-08 04:12 1003520 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-08-10 07:50 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 19:07]
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 13:53]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-04-18 10:29]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 08:35]
R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 14:56]
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 11:45]
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 13:23]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-06-30 16:10]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fdae37c-fa65-11dc-815e-0007e9d2b0ef}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 12:45:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 12:07:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\Norman\npm\bin\elogsvc.exe
C:\Norman\npm\bin\Zanda.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Norman\npm\bin\Njeeves.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Stardock\sdmcp.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-23 12:16:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-23 16:16:39

Pre-Run: 398,508,032 bytes free
Post-Run: 1,348,395,008 bytes free

235 --- E O F --- 2008-04-09 07:16:10





===============




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:29 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\AAA\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {9003BCF7-F4A1-45E9-9073-63ADC855D56D} - C:\WINDOWS\system32\yayyxWMc.dll (file missing)
O2 - BHO: (no name) - {DAA8A275-A679-4ACD-83FE-C0500F1FE405} - C:\WINDOWS\system32\efcDTLcY.dll (file missing)
O2 - BHO: (no name) - {DD256F7D-77D1-4456-8D89-A53CFC0E174D} - C:\WINDOWS\system32\opnkhEXN.dll (file missing)
O2 - BHO: (no name) - {FD41B102-A78E-4D3D-9AC0-BE4E4A8E6F3F} - C:\WINDOWS\system32\iiffCTNH.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [d0c7b7ad] rundll32.exe "C:\WINDOWS\system32\qiisfqor.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O20 - Winlogon Notify: ljJBsSKD - ljJBsSKD.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Unknown owner - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8546 bytes
 
Hi

Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\opnkhEXN.dll_old
C:\WINDOWS\system32\pmnkcims.ini
C:\WINDOWS\system32\roqfsiiq.ini
C:\WINDOWS\system32\vctgresj.ini
C:\WINDOWS\system32\virlwdcq.ini
C:\WINDOWS\BMd3f48431.xml
C:\WINDOWS\b156.exe_old
C:\WINDOWS\b155.exe_old

Folder::
C:\WINDOWS\QWFhIEFpciBDb25kaXRpb25pbmcgSW5jLg
C:\Documents and Settings\All Users\Application Data\Rabio

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9003BCF7-F4A1-45E9-9073-63ADC855D56D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DAA8A275-A679-4ACD-83FE-C0500F1FE405}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DD256F7D-77D1-4456-8D89-A53CFC0E174D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD41B102-A78E-4D3D-9AC0-BE4E4A8E6F3F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d0c7b7ad"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJBsSKD]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
ComboFix 08-04-22.5 - AAA 2008-04-23 13:07:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.235 [GMT -4:00]
Running from: C:\Documents and Settings\AAA\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AAA\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\b155.exe_old
C:\WINDOWS\b156.exe_old
C:\WINDOWS\BMd3f48431.xml
C:\WINDOWS\system32\opnkhEXN.dll_old
C:\WINDOWS\system32\pmnkcims.ini
C:\WINDOWS\system32\roqfsiiq.ini
C:\WINDOWS\system32\vctgresj.ini
C:\WINDOWS\system32\virlwdcq.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\b155.exe_old
C:\WINDOWS\b156.exe_old
C:\WINDOWS\BMd3f48431.xml
C:\WINDOWS\QWFhIEFpciBDb25kaXRpb25pbmcgSW5jLg
C:\WINDOWS\system32\opnkhEXN.dll_old
C:\WINDOWS\system32\pmnkcims.ini
C:\WINDOWS\system32\roqfsiiq.ini
C:\WINDOWS\system32\vctgresj.ini
C:\WINDOWS\system32\virlwdcq.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 07:29 . 2008-04-23 07:31 <DIR> d-------- C:\Program Files\QuickTime
2008-04-23 07:29 . 2008-04-23 07:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-23 07:28 . 2008-04-23 07:28 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-23 07:28 . 2008-04-23 07:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-23 07:12 . 2008-04-23 11:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 13:55 . 2008-04-21 13:56 <DIR> d-------- C:\Program Files\Absolute MP3 Splitter
2008-04-21 13:36 . 2008-04-21 13:36 <DIR> d-------- C:\Program Files\Free Audio Pack
2008-04-21 13:36 . 2005-02-24 12:10 2,084,864 --a------ C:\WINDOWS\system32\AudDesign.dll
2008-04-21 13:07 . 2008-02-11 14:56 19,512 --a------ C:\WINDOWS\system32\drivers\nvcw32mf.sys
2008-04-21 13:05 . 2008-04-21 13:05 <DIR> d-------- C:\Program Files\Safer Networking
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-21 11:41 . 2008-04-21 11:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-21 09:44 . 2008-04-22 09:43 490 --a------ C:\WINDOWS\wininit.ini
2008-04-21 08:52 . 2008-04-21 08:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-21 08:52 . 2008-04-21 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-18 10:29 . 2008-04-18 10:29 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-04-18 10:28 . 2008-04-18 10:28 <DIR> d-------- C:\WINDOWS\Nextgen Server Client
2008-04-03 08:01 . 2008-04-03 08:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-03 07:59 . 2008-04-03 07:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-03 07:55 . 2008-04-03 12:27 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-04-01 08:19 . 2008-04-01 08:19 <DIR> d-------- C:\Program Files\Sony
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 14:09 . 2008-04-21 16:27 <DIR> d-------- C:\Documents and Settings\AAA\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 14:39 --------- d-----w C:\Program Files\NeoTracePro
2008-04-18 12:39 --------- d-----w C:\Program Files\ICQ6
2008-04-09 06:26 --------- d-----w C:\Program Files\Soulseek
2008-04-06 17:56 --------- d-----w C:\Program Files\Java
2008-04-03 12:01 --------- d-----w C:\Program Files\Lavasoft
2008-04-03 11:53 --------- d-----w C:\Program Files\FreeCDRipper
2008-03-19 15:14 --------- d-----w C:\Documents and Settings\AAA\Application Data\ICQ
2008-03-19 14:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 11:14 --------- d-----w C:\Program Files\AIM6
2008-03-19 11:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-19 11:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-01 07:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2002-08-29 12:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 -csh--w C:\WINDOWS\twain_32.dll
1999-04-23 22:22 12 --sha-w C:\WINDOWS\system\WININETICMP32.drv
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 11,776 -csha-w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 17:36 90112]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 00:41 94208]
"POINTER"="point32.exe" []
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-06-06 06:33 372736 C:\WINDOWS\system32\nwiz.exe]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 14:40 183352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 01:28 36352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10:18:22 10872]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=C:\WINDOWS\pss\Exif Launcher 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1A:Stardock TrayMonitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
--a------ 2002-09-24 16:39 147456 C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Deskup]
C:\Program Files\Iomega\DriveIcons\deskup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2002-09-12 13:13 1101824 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega Drive Icons]
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 04:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 20:05 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-06-08 04:12 1003520 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--------- 2002-02-04 23:32 53248 C:\Program Files\REGSHAVE\REGSHAVE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-08-10 07:50 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys [2002-06-05 19:07]
R0 ppa;Iomega Parallel Port Filter Driver;C:\WINDOWS\system32\DRIVERS\ppa.sys [2001-08-17 13:53]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-04-18 10:29]
R2 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys [2002-09-13 08:35]
R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2008-02-11 14:56]
S3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 11:45]
S3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 13:23]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2006-06-30 16:10]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fdae37c-fa65-11dc-815e-0007e9d2b0ef}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 16:45:12 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 13:11:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 54

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-04-23 13:16:37
ComboFix-quarantined-files.txt 2008-04-23 17:16:03
ComboFix2.txt 2008-04-23 16:16:52

Pre-Run: 1,362,661,376 bytes free
Post-Run: 1,347,825,664 bytes free

195 --- E O F --- 2008-04-09 07:16:10




============================




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:29 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\AAA\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Unknown owner - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 7990 bytes
 
Hi

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 3:17:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 723267
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 98039
Number of viruses found: 19
Number of infected objects: 30
Number of suspicious objects: 3
Duration of the scan process: 01:31:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\AAA\Application Data\Autodesk\WebServices\ws_CommCntr_20080423_0.log Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\cert8.db Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\history.dat Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\key3.db Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\parent.lock Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\search.sqlite Object is locked skipped
C:\Documents and Settings\AAA\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\AAA\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\ApplicationHistory\acad.exe.8a05fe32.ini.inuse Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tyler Grant" <tgrant@orc.ca>][Date Mon, 4 Feb 2008 07:54:15 -0500]/UNNAMED/RemoteDesktopControlInstall.exe Infected: not-a-virus:RemoteAdmin.Win32.RemoteDesktopControl.a skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tyler Grant" <tgrant@orc.ca>][Date Mon, 4 Feb 2008 07:54:15 -0500]/UNNAMED Infected: not-a-virus:RemoteAdmin.Win32.RemoteDesktopControl.a skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Sent Items.dbx MailMSOutlook5: infected - 2 skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Tyler.dbx/[From JiNN <jinnproduction@gmail.com>][Date Fri, 4 Apr 2008 21:32:50 -0800]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Tyler.dbx/[From JiNN <jinnproduction@gmail.com>][Date Fri, 4 Apr 2008 21:32:50 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Tyler.dbx MailMSOutlook5: suspicious - 2 skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\F124CC21d01 Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4htbu9q.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\History\History.IE5\MSHist012008042320080424\index.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temp\AdskCleanup.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temp\UNDB595A.ac$ Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\AAA\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\AAA\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\AAA\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\FLEXnet\adobe_00080000_tsf.data Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BitLord\Downloads\Vista Theme for XP icons, bootskin, windows view\icons\Vista_Anthracite_Pack_v1_31_UL_by_Nekh_Art_Studio.exe/data0062 Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Program Files\BitLord\Downloads\Vista Theme for XP icons, bootskin, windows view\icons\Vista_Anthracite_Pack_v1_31_UL_by_Nekh_Art_Studio.exe NSIS: infected - 1 skipped
C:\Program Files\Common Files\Adobe\Adobe PCD\cache\cache.db Object is locked skipped
C:\Program Files\Common Files\Adobe\Adobe PCD\pcd.db Object is locked skipped
C:\Program Files\Common Files\Adobe\caps\caps.db Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\b155.exe_old.vir Infected: Trojan.Win32.BHO.bhg skipped
C:\QooBox\Quarantine\C\WINDOWS\b156.exe_old.vir Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBsSKD.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnkhEXN.dll_old.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\QooBox\Quarantine\catchme2008-04-23_115532.31.zip/nnnnKcYp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\QooBox\Quarantine\catchme2008-04-23_115532.31.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120007.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120061.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120077.exe Infected: Trojan-Downloader.Win32.Agent.ndt skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120083.exe Infected: Trojan-Downloader.Win32.Agent.nft skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120093.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120096.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120106.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120112.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qgr skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120186.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qok skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120190.exe Infected: Trojan.Win32.BHO.bhg skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1801\A0120191.exe Infected: not-a-virus:AdWare.Win32.Insider.f skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1802\A0120270.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qom skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1805\A0122506.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{0F65BE6B-68D0-4B00-BD4F-4FC8C52408FA}\RP1806\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


================



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:58 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AutoCAD 2006\acad.exe
C:\DOCUME~1\AAA\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\AAA\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Unknown owner - C:\WINDOWS\system32\drivers\CDAC11BA.EXE (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8449 bytes
 
Hi

Delete this mail:

C:\Documents and Settings\AAA\Local Settings\Application Data\Identities\{ECD87E02-F692-4A1E-A80A-9B52EC9836A6}\Microsoft\Outlook Express\Tyler.dbx/[From JiNN <jinnproduction@gmail.com>][Date Fri, 4 Apr 2008 21:32:50 -0800]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped

Empty this folder:

C:\QooBox\Quarantine\

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
 
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo
2) Online Armor
3) Sunbelt/Kerio
4) Agnitum
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it saysThe Java SE Runtime Environment (JRE) allows end-users to run Java applications..
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top