Zlob.DNSChanger.Rtk and Smitfraud

K

KenBa

New member
I've been trying to get rid of malware for a couple of days (with smitrem, smitfraudfix, Spybot). Here's where I am now:

Computer sometimes gives me blank blue screen with normal boot. Sometimes boots ok but with error "RegSvr32 not found". (SAFE mode works ok). Still getting (bogus?) popups saying machine is infected. Network Connections in Control Panel is blank, so I'm on another computer now.

In the last attempt, I ran Spybot six times. It removed a bunch of problems, including Smitfraud-C.gp but can't get rid of Zlob.DNSChanger.Rtk.

Running XP Home, SP2 on an HP desktop.

Following are logs from Kaspersky and HJT (2.0.2)

Any help will be appreciated.

Thanks,

Ken

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 9:06:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 700844
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
M:\

Scan Statistics:
Total number of scanned objects: 149927
Number of viruses found: 28
Number of infected objects: 114
Number of suspicious objects: 0
Duration of the scan process: 02:18:11

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe Infected: Worm.Win32.Socks.by skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\gpld5.exe Infected: Trojan.Win32.Buzus.eca skipped
C:\WINDOWS\SYSTEM32\msram.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\WINDOWS\SYSTEM32\cbxvttr.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\SYSTEM32\cbxuspq.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\SYSTEM32\vtUmLfdb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nmz skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\WEB\def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\WINDOWS\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Installer\{4059ea36-93ad-4ab2-a10a-c9ee0766d6e9}\zip.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll Infected: not-a-virus:AdWare.Win32.WindowEnhancer.d skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\mgsvflkw.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6F9B501B-B75A-4352-8A1D-49FC931D7721}.bin Object is locked skipped
C:\WINDOWS\apoxqwfv.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\WINDOWS\temlxopqpkd.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A931A7B.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A931A7B.dll Infected: not-a-virus:AdWare.Win32.TimeSinc skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A964478.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\EarthLink\EarthLink Protection Control Center\logs\Aluria.Framework.Protection.AntiSpyware.SDK2.log Object is locked skipped
C:\Program Files\EarthLink\EarthLink Protection Control Center\logs\Aluria.Framework.Protection.AntiVirus.Authentium.log Object is locked skipped
C:\Recycled\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\vwmelms.exe Infected: Worm.Win32.Socks.by skipped
C:\vssdv.exe Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\History\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\5JCUP3CH\manda[1].htm Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\5JCUP3CH\manda[2].htm Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\ZEDTPN35\AccessMediaSetup[1].exe Infected: Trojan-Downloader.Win32.Delf.gpm skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\ZEDTPN35\AccessMediaSetup[2].exe Infected: Trojan-Downloader.Win32.Delf.gpm skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\ZEDTPN35\manda[1].htm Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\ZEDTPN35\drv32[1].data/data0000.bin Infected: Trojan-Downloader.Win32.Delf.gpn skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\ZEDTPN35\drv32[1].data EmbeddedEXE: infected - 1 skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\ZEDTPN35\drv32[1].data ASPack: infected - 1 skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temp\~DFC7E8.tmp Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temp\696A.tmp Infected: Trojan-Downloader.Win32.Delf.gpm skipped
C:\Documents and Settings\ken\Local Settings\Temp\A8-tmp.exe Infected: Trojan-Downloader.Win32.Delf.gpm skipped
C:\Documents and Settings\ken\Local Settings\Temp\A8-tmpaoi.exe/data0000.bin Infected: Trojan-Downloader.Win32.Delf.gpn skipped
C:\Documents and Settings\ken\Local Settings\Temp\A8-tmpaoi.exe EmbeddedEXE: infected - 1 skipped
C:\Documents and Settings\ken\Local Settings\Temp\A8-tmpaoi.exe ASPack: infected - 1 skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ken\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ken\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ken\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx/[From davidgrey@yahoo.com][Date Wed, 21 Jul 2004 22:28:19 GMT]/WhoreCam.scr Infected: Backdoor.Win32.Hackarmy.w skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx/[From susannah@hotmail.com][Date Tue, 03 Aug 2004 14:22:57 GMT]/Copy Infected: Backdoor.Win32.Hackarmy.w skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx/[From katyanderson@hotmail.com][Date Wed, 11 Aug 2004 20:14:26 GMT]/C:/New Infected: Backdoor.Win32.Hackarmy.w skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\ken\Application Data\ApplicationHistory\elnk_pcc2.exe.93415475.ini.inuse Object is locked skipped
C:\Documents and Settings\ken\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ken\ntuser.dat Object is locked skipped
C:\Documents and Settings\ken\cftmon.exe Infected: Worm.Win32.Socks.by skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\cftmon.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065019.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065020.exe Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065021.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065031.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065038.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065039.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065040.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065042.dll Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065053.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065055.exe Infected: Trojan-Downloader.Win32.Small.uhy skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065056.exe Infected: Trojan.Win32.Buzus.eca skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065068.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065071.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065077.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065079.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065080.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065081.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065082.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065083.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065085.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP474\A0065005.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP474\A0065006.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065124.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065126.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065181.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065197.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065198.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065205.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065206.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065208.dll Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065209.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066228.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066336.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066337.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067149.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066351.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066352.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067153.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066371.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066372.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066403.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066440.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066441.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066442.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066443.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066444.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066445.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066654.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066671.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066675.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066722.dll Infected: not-a-virus:AdWare.Win32.TimeSink.h skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066773.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066789.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.ac skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066798.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066802.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066834.dll Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066847.exe Infected: Trojan.Win32.Buzus.eca skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066848.exe Infected: Trojan-Downloader.Win32.Small.uhy skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066850.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066851.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066852.exe Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066853.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066856.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066943.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066947.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067053.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067060.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067061.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067065.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067069.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067128.DLL Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067167.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067171.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067282.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067283.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\change.log Object is locked skipped

Scan process completed.

========================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:07 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Documents and Settings\All Users\Application Data\fidgpovo\jifijkfi.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\zsnapypm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\ken\My Documents\Downloads\Hijackthis\HiJackThis.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {519741bd-937d-8f53-ceef-0667589c409a} - C:\WINDOWS\system32\apldbhlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5bc10ddb-ad5b-c7ac-978b-065cab031c70} - C:\WINDOWS\system32\SysAplProc.dll
O2 - BHO: (no name) - {6a97ae9e-574c-572e-a7ae-0107a44cebd6} - C:\WINDOWS\system32\kilqnldu.dll
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - (no file)
O2 - BHO: (no name) - {6f2ad5c3-9f19-c04e-a346-04aba5c7f664} - C:\WINDOWS\system32\MonHlpInfo.dll
O2 - BHO: (no name) - {7c109800-a5d5-438f-9640-18d17e168b88} - (no file)
O2 - BHO: (no name) - {a5045a07-281d-4640-8773-44603e7f19f0} - (no file)
O2 - BHO: (no name) - {af16a00d-d603-4a24-8bed-6ab79c827467} - (no file)
O2 - BHO: (no name) - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O2 - BHO: QuickTalk 2.1 - {cf26fac0-7d4e-46d8-ae64-b277b11443ac} - C:\WINDOWS\SYSTEM32\msram.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [ezgjorsp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ezgjorsp.dll"
O4 - HKLM\..\Run: [Winupdates] gpld5.exe
O4 - HKLM\..\Run: [ululkbor] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ululkbor.dll"
O4 - HKLM\..\Run: [idqrcjsp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\idqrcjsp.dll"
O4 - HKLM\..\Run: [erunyvez] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\erunyvez.dll"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\ken\cftmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [gsxtaubs] C:\WINDOWS\system32\zsnapypm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\ken\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [NjNB7KnMLt] C:\Documents and Settings\All Users\Application Data\fidgpovo\jifijkfi.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: OpenOffice.org 2.0.lnk.disabled
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Broadband Networking.lnk.disabled
O4 - Global Startup: Microsoft Office Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Monitor.lnk.disabled
O4 - Global Startup: MySoftware NewsFlash.lnk.disabled
O4 - Global Startup: TextBridge Instant Access OCR.lnk.disabled
O4 - Global Startup: Watch.lnk.disabled
O4 - Global Startup: Windows Explorer.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12912 bytes
 
Hi KenBa

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
 
Shaba,

Thanks for the quick response. Here are the logs requested

Username "ken" - 04/14/2008 10:00:43 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdjaa.exe"

Could not flush the DNS Resolver Cache: Function failed during execution.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\temp\kdjaa.ren 61952 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"Earthlink Protection Control Center"="\"C:\\Program Files\\EarthLink\\EarthLink Protection Control Center\\BIN\\elnk_pcc2.exe\" /tray"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"ezgjorsp"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\ezgjorsp.dll\""
"Winupdates"="gpld5.exe"
"ululkbor"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\ululkbor.dll\""
"idqrcjsp"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\idqrcjsp.dll\""
"erunyvez"="regsvr32 /u \"C:\\Documents and Settings\\All Users\\Application Data\\erunyvez.dll\""
"autoload"="C:\\Documents and Settings\\ken\\cftmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"gsxtaubs"="C:\\WINDOWS\\system32\\zsnapypm.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"
"autoload"="C:\\Documents and Settings\\ken\\cftmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:11 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\gpld5.exe
C:\WINDOWS\system32\zsnapypm.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\ken\My Documents\Downloads\Hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {519741bd-937d-8f53-ceef-0667589c409a} - C:\WINDOWS\system32\apldbhlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5bc10ddb-ad5b-c7ac-978b-065cab031c70} - C:\WINDOWS\system32\SysAplProc.dll
O2 - BHO: (no name) - {6a97ae9e-574c-572e-a7ae-0107a44cebd6} - C:\WINDOWS\system32\kilqnldu.dll
O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - (no file)
O2 - BHO: (no name) - {6f2ad5c3-9f19-c04e-a346-04aba5c7f664} - C:\WINDOWS\system32\MonHlpInfo.dll
O2 - BHO: (no name) - {7c109800-a5d5-438f-9640-18d17e168b88} - (no file)
O2 - BHO: (no name) - {a5045a07-281d-4640-8773-44603e7f19f0} - (no file)
O2 - BHO: (no name) - {af16a00d-d603-4a24-8bed-6ab79c827467} - (no file)
O2 - BHO: (no name) - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O2 - BHO: QuickTalk 2.1 - {cf26fac0-7d4e-46d8-ae64-b277b11443ac} - C:\WINDOWS\SYSTEM32\msram.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [ezgjorsp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ezgjorsp.dll"
O4 - HKLM\..\Run: [Winupdates] gpld5.exe
O4 - HKLM\..\Run: [ululkbor] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ululkbor.dll"
O4 - HKLM\..\Run: [idqrcjsp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\idqrcjsp.dll"
O4 - HKLM\..\Run: [erunyvez] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\erunyvez.dll"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\ken\cftmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [gsxtaubs] C:\WINDOWS\system32\zsnapypm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\ken\cftmon.exe
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: OpenOffice.org 2.0.lnk.disabled
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Broadband Networking.lnk.disabled
O4 - Global Startup: Microsoft Office Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Monitor.lnk.disabled
O4 - Global Startup: MySoftware NewsFlash.lnk.disabled
O4 - Global Startup: TextBridge Instant Access OCR.lnk.disabled
O4 - Global Startup: Watch.lnk.disabled
O4 - Global Startup: Windows Explorer.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12633 bytes
 
Hi

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Here's what I did.

Ran Spybot SD with Tea Timer disabled. Seven problems found and 7 fixed.

I tried to check my network connections but the screen comes up blank with the message: "Unable to retrieve list of Network Adapters. Make sure Network Connections services is enabled and running." I did not take any action on this.

Ran SDFix in Safe mode. Log below

Ran HJT. Log below
-------------------------------

SDFix: Version 1.171
Run by ken on Mon 04/14/2008 at 02:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\VSSDV.EXE - Deleted
C:\813176~1 - Deleted
C:\smp.bat - Deleted
C:\WINDOWS\apoxqwfv.exe - Deleted
C:\WINDOWS\mgsvflkw.dll - Deleted
C:\WINDOWS\qdnkewfa.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\msram.dll - Deleted
C:\WINDOWS\vnbptxlf.dll - Deleted
C:\WINDOWS\Web\def.htm - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 14:33:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ??????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe:*:Enabled:Microsoft Broadband Network Utility"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe:*:Enabled:Microsoft Broadband Networking Tray"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe:*:Enabled:Microsoft Broadband Networking Setup"
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"="C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe:*:Enabled:Microsoft Broadband Networking Update"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"c:\\windows\\system32\\gpld5.exe"="c:\\windows\\system32\\gpld5.exe:*:Enabled:gpld5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 19 Apr 2003 228 ..SH. --- "C:\AUTOEXEC.BAK"
Thu 8 Jun 2000 129,078 ..SH. --- "C:\LOGO.SYS"
Sat 20 Oct 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 14 Sep 2007 0 A.SH. --- "C:\WINDOWS\DRM\Cache\Indiv01.tmp"
Mon 28 Jan 2008 2,097,488 A.SH. --- "C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065157.exe"
Mon 28 Jan 2008 5,146,448 A.SH. --- "C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065159.exe"
Mon 28 Jan 2008 1,404,240 A.SH. --- "C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065164.exe"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 14 Oct 2003 574 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg_old.reg"
Tue 14 Oct 2003 6,415 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient_old.reg"
Wed 5 May 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Wed 5 May 2004 11,976 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Tue 11 Jul 1995 112,128 ...HR --- "C:\Micron files transferred\Micron C\Program Files\The Microsoft Network\MVCL14N.DLL"
Tue 11 Jul 1995 51,712 ...HR --- "C:\Micron files transferred\Micron C\Program Files\The Microsoft Network\MVPR14N.DLL"
Tue 11 Jul 1995 77,312 ...HR --- "C:\Micron files transferred\Micron C\Program Files\The Microsoft Network\MVTTL14C.DLL"
Tue 11 Jul 1995 10,240 ...HR --- "C:\Micron files transferred\Micron C\Program Files\The Microsoft Network\MVUT14N.DLL"
Sun 8 Apr 2001 34,304 ...H. --- "C:\My Documents\On Track\_2001 (website)\04 Events\03 CART LBGP\~WRL0246.tmp"
Sun 11 Mar 2007 7,416,320 ...H. --- "C:\Documents and Settings\ken\My Documents\KNFB Newsletter\99-C December 99\~WRL1135.tmp"
Tue 5 Apr 2005 54,784 ...H. --- "C:\Documents and Settings\ken\Application Data\Microsoft\Word\~WRL0005.tmp"
Tue 5 Apr 2005 54,784 ...H. --- "C:\Documents and Settings\ken\Application Data\Microsoft\Word\~WRL2486.tmp"
Sun 8 Apr 2001 34,304 ...H. --- "C:\Backup from K Toshiba\Nov 8, 2002\My Documents\On Track\_2001\04 Events\03 CART LBGP\~WRL0246.tmp"

Finished!
------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:58 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\gpld5.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zsnapypm.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\ken\My Documents\Downloads\Hijackthis\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {519741bd-937d-8f53-ceef-0667589c409a} - C:\WINDOWS\system32\apldbhlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5bc10ddb-ad5b-c7ac-978b-065cab031c70} - C:\WINDOWS\system32\SysAplProc.dll
O2 - BHO: (no name) - {6a97ae9e-574c-572e-a7ae-0107a44cebd6} - C:\WINDOWS\system32\kilqnldu.dll
O2 - BHO: (no name) - {6f2ad5c3-9f19-c04e-a346-04aba5c7f664} - C:\WINDOWS\system32\MonHlpInfo.dll
O2 - BHO: (no name) - {a5045a07-281d-4640-8773-44603e7f19f0} - (no file)
O2 - BHO: (no name) - {af16a00d-d603-4a24-8bed-6ab79c827467} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ezgjorsp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ezgjorsp.dll"
O4 - HKLM\..\Run: [Winupdates] gpld5.exe
O4 - HKLM\..\Run: [ululkbor] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ululkbor.dll"
O4 - HKLM\..\Run: [idqrcjsp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\idqrcjsp.dll"
O4 - HKLM\..\Run: [erunyvez] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\erunyvez.dll"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gsxtaubs] C:\WINDOWS\system32\zsnapypm.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: OpenOffice.org 2.0.lnk.disabled
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Broadband Networking.lnk.disabled
O4 - Global Startup: Microsoft Office Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Monitor.lnk.disabled
O4 - Global Startup: MySoftware NewsFlash.lnk.disabled
O4 - Global Startup: TextBridge Instant Access OCR.lnk.disabled
O4 - Global Startup: Watch.lnk.disabled
O4 - Global Startup: Windows Explorer.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11760 bytes
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
I ran combofix. Following are logs from HJT and combofix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:36 AM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\zsnapypm.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\ken\My Documents\Downloads\Hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {519741bd-937d-8f53-ceef-0667589c409a} - C:\WINDOWS\system32\apldbhlp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5bc10ddb-ad5b-c7ac-978b-065cab031c70} - C:\WINDOWS\system32\SysAplProc.dll
O2 - BHO: (no name) - {6a97ae9e-574c-572e-a7ae-0107a44cebd6} - C:\WINDOWS\system32\kilqnldu.dll
O2 - BHO: (no name) - {6f2ad5c3-9f19-c04e-a346-04aba5c7f664} - C:\WINDOWS\system32\MonHlpInfo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gsxtaubs] C:\WINDOWS\system32\zsnapypm.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: OpenOffice.org 2.0.lnk.disabled
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Broadband Networking.lnk.disabled
O4 - Global Startup: Microsoft Office Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Monitor.lnk.disabled
O4 - Global Startup: MySoftware NewsFlash.lnk.disabled
O4 - Global Startup: TextBridge Instant Access OCR.lnk.disabled
O4 - Global Startup: Watch.lnk.disabled
O4 - Global Startup: Windows Explorer.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11066 bytes

--------------------------------------

ComboFix 08-04-14.2 - ken 2008-04-15 7:42:43.1 - FAT32x86 MINIMAL
Running from: C:\Documents and Settings\ken\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\start.exe
C:\WINDOWS\system32\cbxuspq.dll
C:\WINDOWS\system32\cbxvttr.dll
C:\WINDOWS\SYSTEM32\hklTuBeg.ini
C:\WINDOWS\SYSTEM32\hklTuBeg.ini2
C:\WINDOWS\SYSTEM32\Mmlklnnn.ini
C:\WINDOWS\SYSTEM32\Mmlklnnn.ini2
C:\WINDOWS\SYSTEM32\NqruBJjl.ini2
C:\WINDOWS\system32\vtUmLfdb.dll
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\Web\default.htt
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 14:32 . 2008-04-14 14:32 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-14 13:57 . 2008-04-14 13:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-14 13:50 . 2008-04-14 05:41 <DIR> d-------- C:\SDFix
2008-04-14 09:59 . 2008-04-14 09:59 <DIR> d-------- C:\fixwareout
2008-04-12 17:18 . 2008-04-12 17:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-12 17:18 . 2008-04-12 17:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-12 17:18 . 2008-04-12 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 16:47 . 2008-04-12 16:47 118,784 --a------ C:\WINDOWS\SYSTEM32\apldbhlp.dll
2008-04-12 16:47 . 2008-04-12 16:47 118,784 --a------ C:\Documents and Settings\All Users\Application Data\erunyvez.dll
2008-04-12 16:47 . 2008-04-12 16:47 98,304 --a------ C:\WINDOWS\SYSTEM32\tirshadm.exe
2008-04-12 12:34 . 2008-04-12 12:34 98,304 --a------ C:\WINDOWS\SYSTEM32\SysAplProc.dll
2008-04-12 12:34 . 2008-04-12 12:34 98,304 --a------ C:\Documents and Settings\All Users\Application Data\idqrcjsp.dll
2008-04-12 12:34 . 2008-04-12 12:34 90,112 --a------ C:\WINDOWS\SYSTEM32\vafqtenw.exe
2008-04-11 21:52 . 2008-04-11 21:52 102,400 --a------ C:\WINDOWS\SYSTEM32\MonHlpInfo.dll
2008-04-11 21:52 . 2008-04-11 21:52 102,400 --a------ C:\Documents and Settings\All Users\Application Data\ululkbor.dll
2008-04-11 21:51 . 2008-04-11 21:52 90,112 --a------ C:\WINDOWS\SYSTEM32\ylglsbkv.exe
2008-04-11 11:04 . 2008-04-12 16:31 3,064 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-10 23:48 . 2008-04-11 12:59 678 --a------ C:\WINDOWS\wininit.ini
2008-04-10 17:40 . 2008-04-10 17:40 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-10 15:40 . 2008-04-10 15:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 15:40 . 2008-04-10 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 11:05 . 2008-04-10 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 10:48 . 2008-04-10 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fidgpovo
2008-04-10 10:48 . 2008-04-10 10:48 54,272 --a------ C:\WINDOWS\SYSTEM32\gpld5.exe
2008-04-10 10:47 . 2008-04-10 10:47 118,784 --a------ C:\WINDOWS\SYSTEM32\kilqnldu.dll
2008-04-10 10:47 . 2008-04-10 10:48 118,784 --a------ C:\Documents and Settings\All Users\Application Data\ezgjorsp.dll
2008-04-10 10:47 . 2008-04-10 10:47 102,400 --a------ C:\WINDOWS\SYSTEM32\zsnapypm.exe
2008-04-10 10:47 . 2008-04-10 10:47 33,792 --a------ C:\vakhthaq.exe.bak
2008-04-10 10:47 . 2008-04-10 10:47 13,312 --a------ C:\vwmelms.exe
2008-04-10 10:46 . 2008-04-10 10:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 10:46 . 2008-04-10 10:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-16 23:06 . 2008-03-16 23:06 <DIR> d-------- C:\Program Files\Foxit Software
2008-03-16 23:04 . 2008-03-16 23:04 <DIR> d-------- C:\Documents and Settings\ken\Apps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 03:50 99,256 ----a-w C:\Documents and Settings\ken\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-01-23 20:45 111 ----a-w C:\Documents and Settings\ken\Application Data\fusioncache.dat
2003-03-29 19:35 5,351 ----a-w C:\Program Files\Config.td5
2002-04-17 18:55 303,296 ----a-w C:\WINDOWS\FONTS\TBM53A3.TMP
2002-04-17 18:55 296,712 ----a-w C:\WINDOWS\FONTS\TBM5394.TMP
2002-04-17 18:55 288,496 ----a-w C:\WINDOWS\FONTS\TBM53A1.TMP
2002-04-17 18:55 226,748 ----a-w C:\WINDOWS\FONTS\TBM53A2.TMP
2001-11-09 22:07 354,216 ----a-w C:\WINDOWS\FONTS\TBM53A5.TMP
2001-05-05 05:45 73,711 ---ha-w C:\Program Files\asksam.GID
2000-08-24 12:40 334,944 ----a-w C:\WINDOWS\FONTS\TBM53B2.TMP
2000-06-16 18:26 271 --sh--w C:\Program Files\desktop.ini
2000-06-16 18:26 23,357 ---h--w C:\Program Files\folder.htt
2002-11-01 23:46 32 --sha-w C:\WINDOWS\SYSTEM\{78127A79-4C55-4465-AC23-045AC114EA55}.dat
2002-11-01 23:47 32 --sha-w C:\WINDOWS\SYSTEM\{7FF3A798-E941-4F17-AB01-322738C80EEF}.dat
2002-11-01 23:47 32 --sha-w C:\WINDOWS\SYSTEM\{DEC98A2D-4E63-4275-BCDC-4FC24E6ECB81}.dat
2002-11-01 23:47 32 --sha-w C:\WINDOWS\SYSTEM\{96705B62-8B9B-4E29-A21D-1D8DB69E9790}.dat
2002-11-01 23:48 32 --sha-w C:\WINDOWS\SYSTEM\{26AA5F9B-9393-49B0-9CF0-1F40E856C416}.dat
2002-11-01 23:49 32 --sha-w C:\WINDOWS\SYSTEM\{F2C4CEC0-AD10-4838-A3C2-237DF0E4D994}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{519741bd-937d-8f53-ceef-0667589c409a}]
2008-04-12 16:47 118784 --a------ C:\WINDOWS\system32\apldbhlp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5bc10ddb-ad5b-c7ac-978b-065cab031c70}]
2008-04-12 12:34 98304 --a------ C:\WINDOWS\system32\SysAplProc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6a97ae9e-574c-572e-a7ae-0107a44cebd6}]
2008-04-10 10:47 118784 --a------ C:\WINDOWS\system32\kilqnldu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f2ad5c3-9f19-c04e-a346-04aba5c7f664}]
2008-04-11 21:52 102400 --a------ C:\WINDOWS\system32\MonHlpInfo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-20 14:18 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"gsxtaubs"="C:\WINDOWS\system32\zsnapypm.exe" [2008-04-10 10:47 102400]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [1999-08-04 00:00 122940]
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-02-17 10:05 59040]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39 147456]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 02:00 1397760]
"Earthlink Protection Control Center"="C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" [2007-04-19 10:40 67352]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]

C:\Documents and Settings\ken\Start Menu\Programs\Startup\
HotSync Manager.lnk.disabled [2005-09-03 15:09:58 1382]
OpenOffice.org 2.0.lnk.disabled [2006-11-02 22:32:30 791]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
desktop (1).ini [2001-03-06 21:31:24 278]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40 233472]
Adobe Reader Speed Launch.lnk.disabled [2006-02-20 17:11:02 1672]
Kodak EasyShare software.lnk.disabled [2007-01-01 21:36:22 1748]
Adobe Gamma Loader.lnk.disabled [2004-11-19 10:55:56 805]
Microsoft Broadband Networking.lnk.disabled [2008-04-12 12:30:12 2355]
Microsoft Office Fast Start.lnk.disabled [2003-11-09 21:29:44 348]
Microsoft Office Find Fast Indexer.lnk.disabled [2003-11-09 21:29:42 355]
Microsoft Office.lnk.disabled [2003-12-15 20:44:02 1536]
Monitor.lnk.disabled [2006-08-05 13:51:46 1627]
MySoftware NewsFlash.lnk.disabled [2003-12-16 16:51:06 1574]
TextBridge Instant Access OCR.lnk.disabled [2003-11-09 21:29:44 481]
Watch.lnk.disabled [2003-11-09 21:29:44 402]
Windows Explorer.lnk.disabled [2003-11-09 21:29:50 303]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpySweeper"=
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Deskup"=C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
"Iomega Drive Icons"=C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RealTray"=C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"HPScanPatch"=C:\WINDOWS\SYSTEM32\HPScanFix.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"USBMMKBD"=usbmmkbd.exe
"Hidserv"=Hidserv.exe run
"TimeSink Ad Client"="C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
"RealJukeboxSystray"=C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
"NPROTECT"=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
"SideWinderTrayV4"=C:\PROGRA~1\MICROS~9\GAMECO~1\COMMON\SWTRAYV4.EXE
"Renovate"=C:\WINDOWS\SYSTEM32\RENOVATE.EXE
"Propel Accelerator"=C:\Program Files\EarthLink Accelerator\propelac.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\windows\\system32\\gpld5.exe"=

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2006-11-10 14:11]
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 12:19]
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 12:19]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 12:19]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
S2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
S2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2006-11-10 14:11]
S2 MAPMEM;MAPMEM;C:\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
S3 ADSFilter;ADSFilter - (EarthLink Filter Driver);C:\WINDOWS\system32\drivers\ADSFilter.sys [2006-11-20 08:44]
S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2006-11-20 08:44]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2006-10-16 16:33]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 16:33]
S3 islndis5;ISLNDIS5 Protocol Driver;C:\PROGRA~1\MIF7A5~1\ISLNDIS5.SYS [2004-07-19 16:07]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 16:29:52 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2007-10-23 00:08:02 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1074819907.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe6/#Hewlett-Packard#hp officejet 5500 series#1074819907
"2008-03-10 18:00:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-03-24 06:00:02 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 07:50:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-15 7:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-15 13:54:18

Pre-Run: 10,210,312,192 bytes free
Post-Run: 10,088,513,536 bytes free
.
2008-03-13 22:32:21 --- E O F ---
 
Hi

Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\SYSTEM32\apldbhlp.dll
C:\Documents and Settings\All Users\Application Data\erunyvez.dll
C:\WINDOWS\SYSTEM32\tirshadm.exe
C:\WINDOWS\SYSTEM32\SysAplProc.dll
C:\Documents and Settings\All Users\Application Data\idqrcjsp.dll
C:\WINDOWS\SYSTEM32\vafqtenw.exe
C:\WINDOWS\SYSTEM32\MonHlpInfo.dll
C:\Documents and Settings\All Users\Application Data\ululkbor.dll
C:\WINDOWS\SYSTEM32\ylglsbkv.exe
C:\WINDOWS\SYSTEM32\gpld5.exe
C:\WINDOWS\SYSTEM32\kilqnldu.dll
C:\Documents and Settings\All Users\Application Data\ezgjorsp.dll
C:\WINDOWS\SYSTEM32\zsnapypm.exe
C:\vakhthaq.exe.bak
C:\vwmelms.exe

Folder::
C:\Documents and Settings\All Users\Application Data\fidgpovo

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{519741bd-937d-8f53-ceef-0667589c409a}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5bc10ddb-ad5b-c7ac-978b-065cab031c70}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6a97ae9e-574c-572e-a7ae-0107a44cebd6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f2ad5c3-9f19-c04e-a346-04aba5c7f664}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gsxtaubs"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\windows\\system32\\gpld5.exe"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Ran Combofix with script, and HJT. Logs below.

With regard to my other, non malware problem, of having no network connections, I think I might know the cause. Before I started working with you I had problems running out of memory so deleted some stuff from Startup. Unfortunately I read somewhere that you could get rid of .Ink (INK) files and in trying to do this I've probably removed some .lnk (LNK) files from Startup. (Pretty dumb, I know) I won't do anything about this unless you instruct me to.

Ken

ComboFix 08-04-14.2 - ken 2008-04-15 12:42:29.2 - FAT32x86 MINIMAL
Running from: C:\Documents and Settings\ken\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ken\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\erunyvez.dll
C:\Documents and Settings\All Users\Application Data\ezgjorsp.dll
C:\Documents and Settings\All Users\Application Data\idqrcjsp.dll
C:\Documents and Settings\All Users\Application Data\ululkbor.dll
C:\vakhthaq.exe.bak
C:\vwmelms.exe
C:\WINDOWS\SYSTEM32\apldbhlp.dll
C:\WINDOWS\SYSTEM32\gpld5.exe
C:\WINDOWS\SYSTEM32\kilqnldu.dll
C:\WINDOWS\SYSTEM32\MonHlpInfo.dll
C:\WINDOWS\SYSTEM32\SysAplProc.dll
C:\WINDOWS\SYSTEM32\tirshadm.exe
C:\WINDOWS\SYSTEM32\vafqtenw.exe
C:\WINDOWS\SYSTEM32\ylglsbkv.exe
C:\WINDOWS\SYSTEM32\zsnapypm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\erunyvez.dll
C:\Documents and Settings\All Users\Application Data\ezgjorsp.dll
C:\Documents and Settings\All Users\Application Data\fidgpovo
C:\Documents and Settings\All Users\Application Data\fidgpovo\jifijkfi.exe
C:\Documents and Settings\All Users\Application Data\idqrcjsp.dll
C:\Documents and Settings\All Users\Application Data\ululkbor.dll
C:\vakhthaq.exe.bak
C:\vwmelms.exe
C:\WINDOWS\SYSTEM32\apldbhlp.dll
C:\WINDOWS\SYSTEM32\gpld5.exe
C:\WINDOWS\SYSTEM32\kilqnldu.dll
C:\WINDOWS\SYSTEM32\MonHlpInfo.dll
C:\WINDOWS\SYSTEM32\SysAplProc.dll
C:\WINDOWS\SYSTEM32\tirshadm.exe
C:\WINDOWS\SYSTEM32\vafqtenw.exe
C:\WINDOWS\SYSTEM32\ylglsbkv.exe
C:\WINDOWS\SYSTEM32\zsnapypm.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 14:32 . 2008-04-14 14:32 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-14 13:57 . 2008-04-14 13:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-14 13:50 . 2008-04-14 05:41 <DIR> d-------- C:\SDFix
2008-04-14 09:59 . 2008-04-14 09:59 <DIR> d-------- C:\fixwareout
2008-04-12 17:18 . 2008-04-12 17:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-12 17:18 . 2008-04-12 17:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-12 17:18 . 2008-04-12 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-11 11:04 . 2008-04-12 16:31 3,064 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-10 23:48 . 2008-04-11 12:59 678 --a------ C:\WINDOWS\wininit.ini
2008-04-10 17:40 . 2008-04-10 17:40 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-10 15:40 . 2008-04-10 15:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 15:40 . 2008-04-10 15:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 11:05 . 2008-04-10 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-10 10:46 . 2008-04-10 10:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-10 10:46 . 2008-04-10 10:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-16 23:06 . 2008-03-16 23:06 <DIR> d-------- C:\Program Files\Foxit Software
2008-03-16 23:04 . 2008-03-16 23:04 <DIR> d-------- C:\Documents and Settings\ken\Apps

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 03:50 99,256 ----a-w C:\Documents and Settings\ken\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 21:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2004-01-23 20:45 111 ----a-w C:\Documents and Settings\ken\Application Data\fusioncache.dat
2003-03-29 19:35 5,351 ----a-w C:\Program Files\Config.td5
2002-04-17 18:55 303,296 ----a-w C:\WINDOWS\FONTS\TBM53A3.TMP
2002-04-17 18:55 296,712 ----a-w C:\WINDOWS\FONTS\TBM5394.TMP
2002-04-17 18:55 288,496 ----a-w C:\WINDOWS\FONTS\TBM53A1.TMP
2002-04-17 18:55 226,748 ----a-w C:\WINDOWS\FONTS\TBM53A2.TMP
2001-11-09 22:07 354,216 ----a-w C:\WINDOWS\FONTS\TBM53A5.TMP
2001-05-05 05:45 73,711 ---ha-w C:\Program Files\asksam.GID
2000-08-24 12:40 334,944 ----a-w C:\WINDOWS\FONTS\TBM53B2.TMP
2000-06-16 18:26 271 --sh--w C:\Program Files\desktop.ini
2000-06-16 18:26 23,357 ---h--w C:\Program Files\folder.htt
2002-11-01 23:46 32 --sha-w C:\WINDOWS\SYSTEM\{78127A79-4C55-4465-AC23-045AC114EA55}.dat
2002-11-01 23:47 32 --sha-w C:\WINDOWS\SYSTEM\{7FF3A798-E941-4F17-AB01-322738C80EEF}.dat
2002-11-01 23:47 32 --sha-w C:\WINDOWS\SYSTEM\{DEC98A2D-4E63-4275-BCDC-4FC24E6ECB81}.dat
2002-11-01 23:47 32 --sha-w C:\WINDOWS\SYSTEM\{96705B62-8B9B-4E29-A21D-1D8DB69E9790}.dat
2002-11-01 23:48 32 --sha-w C:\WINDOWS\SYSTEM\{26AA5F9B-9393-49B0-9CF0-1F40E856C416}.dat
2002-11-01 23:49 32 --sha-w C:\WINDOWS\SYSTEM\{F2C4CEC0-AD10-4838-A3C2-237DF0E4D994}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-15_ 7.53.47.63 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-15 13:49:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-15 18:34:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-15 13:51:06 32,768 --sha-w C:\WINDOWS\Cookies\index.dat
+ 2008-04-15 18:35:26 32,768 --sha-w C:\WINDOWS\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-20 14:18 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [1999-08-04 00:00 122940]
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" [2004-04-21 10:26 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-02-17 10:05 59040]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39 147456]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 02:00 1397760]
"Earthlink Protection Control Center"="C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" [2007-04-19 10:40 67352]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]

C:\Documents and Settings\ken\Start Menu\Programs\Startup\
HotSync Manager.lnk.disabled [2005-09-03 15:09:58 1382]
OpenOffice.org 2.0.lnk.disabled [2006-11-02 22:32:30 791]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
desktop (1).ini [2001-03-06 21:31:24 278]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40 233472]
Adobe Reader Speed Launch.lnk.disabled [2006-02-20 17:11:02 1672]
Kodak EasyShare software.lnk.disabled [2007-01-01 21:36:22 1748]
Adobe Gamma Loader.lnk.disabled [2004-11-19 10:55:56 805]
Microsoft Broadband Networking.lnk.disabled [2008-04-12 12:30:12 2355]
Microsoft Office Fast Start.lnk.disabled [2003-11-09 21:29:44 348]
Microsoft Office Find Fast Indexer.lnk.disabled [2003-11-09 21:29:42 355]
Microsoft Office.lnk.disabled [2003-12-15 20:44:02 1536]
Monitor.lnk.disabled [2006-08-05 13:51:46 1627]
MySoftware NewsFlash.lnk.disabled [2003-12-16 16:51:06 1574]
TextBridge Instant Access OCR.lnk.disabled [2003-11-09 21:29:44 481]
Watch.lnk.disabled [2003-11-09 21:29:44 402]
Windows Explorer.lnk.disabled [2003-11-09 21:29:50 303]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpySweeper"=
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe"
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"PowerBar"="C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Deskup"=C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
"Iomega Drive Icons"=C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RealTray"=C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"HPScanPatch"=C:\WINDOWS\SYSTEM32\HPScanFix.exe
"hpsysdrv"=C:\WINDOWS\SYSTEM32\hpsysdrv.exe
"Delay"=C:\WINDOWS\delayrun.exe
"USBMMKBD"=usbmmkbd.exe
"Hidserv"=Hidserv.exe run
"TimeSink Ad Client"="C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
"RealJukeboxSystray"=C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
"NPROTECT"=C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
"SideWinderTrayV4"=C:\PROGRA~1\MICROS~9\GAMECO~1\COMMON\SWTRAYV4.EXE
"Renovate"=C:\WINDOWS\SYSTEM32\RENOVATE.EXE
"Propel Accelerator"=C:\Program Files\EarthLink Accelerator\propelac.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"C:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 GRFILTER;CS NDIS Driver;C:\WINDOWS\system32\drivers\GRFILTER.sys [2006-11-10 14:11]
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 12:19]
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 12:19]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 12:19]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
S2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
S2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2006-11-10 14:11]
S2 MAPMEM;MAPMEM;C:\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
S3 ADSFilter;ADSFilter - (EarthLink Filter Driver);C:\WINDOWS\system32\drivers\ADSFilter.sys [2006-11-20 08:44]
S3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);C:\WINDOWS\system32\drivers\ADSMonitor.sys [2006-11-20 08:44]
S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectDriver.sys [2006-10-16 16:33]
S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 16:33]
S3 islndis5;ISLNDIS5 Protocol Driver;C:\PROGRA~1\MIF7A5~1\ISLNDIS5.SYS [2004-07-19 16:07]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-04-10 16:29:52 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2007-10-23 00:08:02 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1074819907.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe6/#Hewlett-Packard#hp officejet 5500 series#1074819907
"2008-03-10 18:00:02 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-03-24 06:00:02 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 12:47:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Completion time: 2008-04-15 12:48:18
ComboFix-quarantined-files.txt 2008-04-15 18:48:16
ComboFix2.txt 2008-04-15 13:54:26

Pre-Run: 10,048,077,824 bytes free
Post-Run: 10,020,093,952 bytes free
.
2008-03-13 22:32:21 --- E O F ---

-----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:02 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ken\My Documents\Downloads\Hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: OpenOffice.org 2.0.lnk.disabled
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Broadband Networking.lnk.disabled
O4 - Global Startup: Microsoft Office Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Monitor.lnk.disabled
O4 - Global Startup: MySoftware NewsFlash.lnk.disabled
O4 - Global Startup: TextBridge Instant Access OCR.lnk.disabled
O4 - Global Startup: Watch.lnk.disabled
O4 - Global Startup: Windows Explorer.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10545 bytes
 
Hi

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
 
Shaba,

I ran ATF Fix. HJT log follows.

I could not run a Kaspersky scan because the computer can no longer run IE. (Earlier I told you I had removed some programs from Startup, accidentally disabling my network connections. I thought this was before I started working with you but it must have been after my initial Kaspersky scan)

Unfortunately I will be away from my problem desktop machine for about a week, starting today. Can we hold this thread open until I return? I'll check back here in the next couple of hours, before I leave.

Thanks,

Ken


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:41 AM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\ken\My Documents\Downloads\Hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Startup: HotSync Manager.lnk.disabled
O4 - Startup: OpenOffice.org 2.0.lnk.disabled
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Microsoft Broadband Networking.lnk.disabled
O4 - Global Startup: Microsoft Office Fast Start.lnk.disabled
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: Monitor.lnk.disabled
O4 - Global Startup: MySoftware NewsFlash.lnk.disabled
O4 - Global Startup: TextBridge Instant Access OCR.lnk.disabled
O4 - Global Startup: Watch.lnk.disabled
O4 - Global Startup: Windows Explorer.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10544 bytes
 
Hi

Repair installation of IE might then help.

Sure we can and you can run this instead when you come back:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.
 
I'm back from my trip and back on the problem. I could not get IE working so I'm still downloading software to my laptop and transferring over.

Here is the log from Anti-Malware.

Ken


Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 187534
Time elapsed: 1 hour(s), 14 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\vakhthaq.exe.bak.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cbxuspq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cbxvttr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tirshadm.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vafqtenw.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ylglsbkv.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\zsnapypm.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\fidgpovo\jifijkfi.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065019.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065020.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065021.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065053.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065055.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065080.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065081.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065082.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065083.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065221.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067143.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066440.dll (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066442.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066443.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066444.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066445.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066654.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066848.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066850.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066851.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066852.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066853.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067053.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP478\A0067594.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP478\A0067595.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP479\A0067682.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP479\A0067693.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP479\A0067694.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP479\A0067695.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP479\A0067696.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\Log.log (Malware.Trace) -> Quarantined and deleted successfully.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:17 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
E:\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Windows Explorer.lnk = C:\WINDOWS\EXPLORER.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 12563 bytes
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{931ADD26-E63B-4860-8955-96482105AA9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{49BE91D8-FCA0-46FC-8874-4CD51CCBA9AC}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Close all windows including browser and press fix checked.

Reboot.

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
 
I fixed the entries as indicated. Ran ATF cleaner. Could not run Kaspersky since IE is not working. Here's the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:38 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
E:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Earthlink Protection Control Center] "C:\Program Files\EarthLink\EarthLink Protection Control Center\BIN\elnk_pcc2.exe" /tray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-20\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Folder Settings
O4 - Global Startup: desktop (1).ini
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Windows Explorer.lnk = C:\WINDOWS\EXPLORER.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.26\IExifMap.htm
O8 - Extra context menu item: SurfSaver &QuickSave - C:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - C:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - C:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.26\IExifCom.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SurfSaver - {A6418A39-8884-11D3-A846-00104B8825B9} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\SURFBAR.DLL (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0eb0e74a-2a76-4ab3-a7fb-9bd8c29f7f75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O18 - Protocol: asksam - {F9FF9EDA-4916-11D1-B6C1-002018305A61} - C:\PROGRAM FILES\ASKSAM\SURFSAVER\AS_AIPP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLinkSafeConnectAgent - Sana Security - C:\Program Files\EarthLink\EarthLink Protection Control Center\Sana\Bin\SanaAgent.exe
O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\UpdateService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\EarthLink\EarthLink Protection Control Center\bin\ProtectionService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11742 bytes
 
I was able to run IE in safe mode, so did in fact get a Kaspersky log. So this goes with the HJT in the previous message.
Ken

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 24, 2008 7:32:35 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/04/2008
Kaspersky Anti-Virus database records: 724982
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
M:\

Scan Statistics:
Total number of scanned objects: 150961
Number of viruses found: 32
Number of infected objects: 121
Number of suspicious objects: 0
Duration of the scan process: 02:15:18

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\Cookies\index.dat Object is locked skipped
C:\WINDOWS\Installer\{4059ea36-93ad-4ab2-a10a-c9ee0766d6e9}\zip.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll Infected: not-a-virus:AdWare.Win32.WindowEnhancer.d skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A931A7B.exe Infected: not-virus:BadJoke.Win16.Stupid.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A931A7B.dll Infected: not-a-virus:AdWare.Win32.TimeSinc skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1A964478.EXE Infected: not-a-virus:AdWare.Win32.TimeSink skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtUmLfdb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.nmz skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gpld5.exe.vir Infected: Trojan.Win32.Buzus.eca skipped
C:\QooBox\Quarantine\C\vwmelms.exe.vir Infected: Worm.Win32.Socks.by skipped
C:\Documents and Settings\ken\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\History\History.IE5\MSHist012008042420080425\index.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ken\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\ken\My Documents\Downloads\smitfraudfix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\ken\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ken\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ken\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx/[From davidgrey@yahoo.com][Date Wed, 21 Jul 2004 22:28:19 GMT]/WhoreCam.scr Infected: Backdoor.Win32.Hackarmy.w skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx/[From susannah@hotmail.com][Date Tue, 03 Aug 2004 14:22:57 GMT]/Copy Infected: Backdoor.Win32.Hackarmy.w skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx/[From katyanderson@hotmail.com][Date Wed, 11 Aug 2004 20:14:26 GMT]/C:/New Infected: Backdoor.Win32.Hackarmy.w skipped
C:\Documents and Settings\ken\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\alt.how-to.dbx MailMSOutlook5: infected - 3 skipped
C:\Documents and Settings\ken\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ken\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065028.dll Infected: Trojan-Downloader.Win32.Zlob.lcf skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065031.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065038.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065039.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065040.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065041.exe Infected: Trojan-Downloader.Win32.Zlob.lcd skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065042.dll Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065043.exe Infected: Trojan-Downloader.Win32.Zlob.lci skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065056.exe Infected: Trojan.Win32.Buzus.eca skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065070.exe Infected: Trojan-Downloader.Win32.Zlob.lbt skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065071.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065077.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065079.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065084.exe Infected: Trojan-Downloader.Win32.Zlob.lcj skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP475\A0065085.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP474\A0065004.dll Infected: Trojan-Downloader.Win32.Zlob.lcf skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP474\A0065005.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP474\A0065006.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065124.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065126.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP476\A0065181.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065194.dll Infected: Trojan-Downloader.Win32.Zlob.lcf skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065197.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065198.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065205.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065206.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065207.exe Infected: Trojan-Downloader.Win32.Zlob.lcd skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065208.dll Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065209.exe Infected: Trojan-Downloader.Win32.Zlob.lbi skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065210.exe Infected: Trojan-Downloader.Win32.Zlob.lbt skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0065211.exe Infected: Trojan-Downloader.Win32.Zlob.lci skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066228.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066229.exe Infected: Trojan-Downloader.Win32.Zlob.lcj skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066336.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066337.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067149.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066351.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066352.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067153.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066371.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066372.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066403.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066441.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066446.exe Infected: not-virus:Hoax.Win32.Gavec.ax skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066671.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066675.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066722.dll Infected: not-a-virus:AdWare.Win32.TimeSink.h skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066773.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066789.exe Infected: not-a-virus:FraudTool.Win32.VirusProtectPro.ac skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066798.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066802.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066833.dll Infected: Trojan-Downloader.Win32.Zlob.lcf skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066834.dll Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066847.exe Infected: Trojan.Win32.Buzus.eca skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066856.exe Infected: Trojan-Downloader.Win32.Zlob.lbs skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066943.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066947.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0066966.dll Infected: Trojan-Downloader.Win32.Zlob.lcf skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067060.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067061.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067065.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067069.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067128.DLL Infected: Trojan-Downloader.Win32.Zlob.lbm skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067167.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067171.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067282.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067283.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067376.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067377.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067433.exe Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067521.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067531.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067532.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067533.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067534.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067535.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067536.exe Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067538.EXE Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067539.DLL Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067540.DLL Infected: not-a-virus:AdWare.Win32.Vapsup.dxh skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067541.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067542.DLL Infected: not-a-virus:AdWare.Win32.Vapsup.dxj skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067546.exe Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067548.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067549.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067550.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxh skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067551.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP477\A0067552.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxj skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP478\A0067596.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nmz skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP479\A0067687.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP479\A0067689.exe Infected: Trojan.Win32.Buzus.eca skipped
C:\System Volume Information\_restore{FCFA0AE2-852C-4DBA-9CFA-9D58357F9E87}\RP480\change.log Object is locked skipped
C:\SDFix\backups\backups.zip/backups/backups.zip/backups/spools.exe Infected: Worm.Win32.Socks.by skipped
C:\SDFix\backups\backups.zip/backups/backups.zip/backups/zeqbqwp.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\SDFix\backups\backups.zip/backups/backups.zip/backups/temlxopqpkd.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\SDFix\backups\backups.zip/backups/backups.zip/backups/DrvRom.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\SDFix\backups\backups.zip/backups/backups.zip/backups/RunOncePrx.dll Infected: Trojan.Win32.Agent.jvv skipped
C:\SDFix\backups\backups.zip/backups/backups.zip Infected: Trojan.Win32.Agent.jvv skipped
C:\SDFix\backups\backups.zip/backups/vssdv.exe Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\SDFix\backups\backups.zip/backups/apoxqwfv.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\SDFix\backups\backups.zip/backups/mgsvflkw.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dsx skipped
C:\SDFix\backups\backups.zip/backups/qdnkewfa.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxh skipped
C:\SDFix\backups\backups.zip/backups/msram.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\SDFix\backups\backups.zip/backups/vnbptxlf.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dxj skipped
C:\SDFix\backups\backups.zip/backups/def.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\SDFix\backups\backups.zip ZIP: infected - 13 skipped

Scan process completed.
 
You must log in or register to reply here.
Back
Top