Zlob.Downloader.vcd Settings

Let's try another tool. You can go ahead and delete fix.reg from your Desktop.

Step # 1: Download and Run ComboFix

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop

When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next post/reply.
 
Let's try this:

Step # 1: Disable Ad-Aware 2007 Service
Please disable the Ad-Aware 2007 Service as it may interfere with the fix.
  • On your desktop, click Start.
  • Choose Run.
  • Type services.msc in the open box and click OK or press Enter.
  • Scroll down the list of services and double-click Ad-Aware 2007 Service.
  • In the service properties window that opens, click the STOP button.
  • Under Startup Type, use the pull down menu and select Manual from the list of options.
  • Click OK and exit the Services Control Manager.
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings.


Step # 2: Download and run DAFT

Download Deckard's Association File Tool (DAFT) and save it to your desktop:
1. Double-click the daft.exe icon. Read the disclaimer and click OK.
2. Click on the Scan button.
3. If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
4. Click the Fix button.


After Step 2 is done, try running ComboFix again. If it works, post the log (C:\ComboFix.txt) in your next post. If it doesn't work, let me know, and if DAFT shows any results/logs, be sure to post those in your next post/reply as well.
 
It worked, but I messed up: I went down the list of instructions before reading the whole thing first and didn't copy the scan from DAFT. It had about 5 things in there to fix. I'm sorry again. I tried to rescan, but it said there was nothing to fix by then.

ComboFix 08-03-25.1 - Sara 2008-03-26 8:23:25.1 - NTFSx86
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-25 14:37 <DIR> d-------- C:\Program Files\DVD Region+CSS Free
2008-03-25 14:37 . 2008-03-25 14:48 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-23 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-21 14:50 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-19 09:52 470 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --------- C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --------- C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --------- C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --------- C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-21 14:50 429 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 19:29 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-15 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-04 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 14:00:00 C:\WINDOWS\Tasks\AB7F8E61911401CD.job"
- c:\docume~1\sara\applic~1\bitsdu~1\Show First Intra.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 08:26:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-26 8:29:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 14:29:38
.
2008-03-22 07:44:35 --- E O F ---
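
The one entry in the 'Scheduled Tasks' section above (a .job file named with 16 hex digits that launches an executable out of a user's Application Data folder) is the item NoLop later removes. The following is an added example, not part of the original thread and not code from ComboFix or NoLop: it parses a 'Scheduled Tasks' section in the form ComboFix prints and flags entries on two heuristics that are my own assumptions, not a published signature (non-vendor hex job names, and targets living under a per-user profile directory). The sample text is constructed; the benign GoogleUpdate task in it is made up for contrast.

```python
import re

# Constructed sample of a ComboFix 'Scheduled Tasks' section: the entry from the
# log above plus a made-up benign vendor task for contrast.
SAMPLE_TASKS = r"""Contents of the 'Scheduled Tasks' folder
"2008-03-26 14:00:00 C:\WINDOWS\Tasks\AB7F8E61911401CD.job"
- c:\docume~1\sara\applic~1\bitsdu~1\Show First Intra.exe
"2008-03-26 03:00:00 C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job"
- C:\Program Files\Google\Update\GoogleUpdate.exe /c
"""

# ComboFix prints each task as a quoted "<timestamp> <job path>" line followed by
# a "- <command>" line.
ENTRY_LINE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?\.job)"$')
TARGET_LINE = re.compile(r"^- (.+)$")

# Heuristic 1 (assumption): a job name that is nothing but 16 hex digits.
HEX_JOB_NAME = re.compile(r"^[0-9A-Fa-f]{16}\.job$")
# Heuristic 2 (assumption): command runs from a per-user, user-writable profile
# directory; both the long and the 8.3 short forms ComboFix prints are listed.
PROFILE_DIRS = ("\\application data\\", "\\applic~1\\",
                "\\local settings\\", "\\locals~1\\")


def parse_tasks_section(text):
    """Return [(job_path, command)] pairs from a ComboFix 'Scheduled Tasks' listing."""
    tasks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_LINE.match(line)
        if m:
            pending = m.group(2)
            continue
        m = TARGET_LINE.match(line)
        if m and pending is not None:
            tasks.append((pending, m.group(1)))
            pending = None
    return tasks


def suspicious_reasons(job_path, command):
    """List the heuristics a task trips; an empty list means nothing looked off."""
    reasons = []
    job_name = job_path.rsplit("\\", 1)[-1]
    if HEX_JOB_NAME.match(job_name):
        reasons.append("job name is 16 hex digits instead of a vendor or task name")
    if any(d in command.lower() for d in PROFILE_DIRS):
        reasons.append("target executable lives in a per-user profile directory")
    return reasons


def flag_tasks(text):
    """Return [(job_path, command, reasons)] for every task tripping at least one heuristic."""
    flagged = []
    for job, cmd in parse_tasks_section(text):
        reasons = suspicious_reasons(job, cmd)
        if reasons:
            flagged.append((job, cmd, reasons))
    return flagged


if __name__ == "__main__":
    for job, cmd, reasons in flag_tasks(SAMPLE_TASKS):
        print(job)
        print("  ->", cmd)
        for r in reasons:
            print("  *", r)
```

Run against the sample, only the AB7F8E61911401CD.job entry is reported, with both reasons; the Program Files task trips neither. Treat the output as a review list, not a verdict: a hex-named task is unusual but legitimate software can use one, which is why the reason text is kept alongside the path.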
 
Glad to hear that DAFT worked. :)

Seems you're missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
Nothing is going to change on your computer other than we are going to reinstall the Recovery Console.


Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

[Screenshot: KB310994.gif]


Download the file & save it as it's originally named, to your desktop along with ComboFix.exe.

[Screenshot: rc1.gif]


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until I have reviewed the log.
 
I read through the install on ComboFix and it said for me to do this, so I already downloaded the Microsoft setup file and tried to drag it into ComboFix like it said, but it just jumps someplace else on my desktop and ComboFix wants to run. Do I let ComboFix go ahead and run again?
 
After dragging the setup file onto ComboFix, go ahead and follow these steps:

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.
 
CF_RC.txt

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
 
The Recovery Console log looks good. :) You can reboot your computer.

After you've rebooted your computer, follow the instructions below:



Step # 1: Download and Run NoLop
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log
Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.


Step # 2: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.


  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KillAll::
    
    Registry::
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


[Screenshot: CFScript.gif]



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The NoLop Log
2. The ComboFix Log that appears after Step 2 has been completed.
3. A fresh HiJackThis Log


Use multiple posts if you can't fit everything into one post.
 
NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Sara\Desktop
[3/27/2008]
[2:33:24 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AB7F8E61911401CD.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Avg7
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Brother
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Malwarebytes
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft Help
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Playfirst
C:\Documents and Settings\All Users\Application Data\Scansoft
C:\Documents and Settings\All Users\Application Data\Siteadvisor
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Winferno
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Symantec
C:\Documents and Settings\Sara\Application Data\Adobe
C:\Documents and Settings\Sara\Application Data\Ahead
C:\Documents and Settings\Sara\Application Data\Avg7
C:\Documents and Settings\Sara\Application Data\Cyberlink
C:\Documents and Settings\Sara\Application Data\Google
C:\Documents and Settings\Sara\Application Data\Gtopala
C:\Documents and Settings\Sara\Application Data\Help
C:\Documents and Settings\Sara\Application Data\Identities
C:\Documents and Settings\Sara\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Sara\Application Data\Macromedia
C:\Documents and Settings\Sara\Application Data\Malwarebytes
C:\Documents and Settings\Sara\Application Data\Microsoft
C:\Documents and Settings\Sara\Application Data\Nero
C:\Documents and Settings\Sara\Application Data\Overdrive
C:\Documents and Settings\Sara\Application Data\Pc-fax Tx
C:\Documents and Settings\Sara\Application Data\Solsuite
C:\Documents and Settings\Sara\Application Data\Sun



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:43 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 5499 bytes
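
The five O15 lines above and the CFScript in the helper's post describe the same condition: the ProtocolDefaults values under ZoneMap map every protocol to zone 0 (My Computer) instead of the stock values (http, https, ftp and file in zone 3, Internet; @ivt in zone 1, Local Intranet), so remote content is handled with the permissions of the local machine zone. The script below is an added example, not code from the thread, HijackThis or ComboFix: it parses a REGEDIT4 text export of that key, reports each value that differs from the expected zone in the wording HijackThis uses, and emits a Registry:: block in the same shape as the CFScript, restoring only the values that drifted. The two export strings are constructed samples and the function names are my own.

```python
import re

# IE security zone numbers (URLZONE_* values).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Stock values, identical to what the CFScript in this thread writes back.
EXPECTED = {"http": 3, "https": 3, "ftp": 3, "file": 3, "@ivt": 1}

PROTOCOL_DEFAULTS_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                         r"\Internet Settings\ZoneMap\ProtocolDefaults")

# Constructed sample export of the hijacked key: every protocol forced into zone 0,
# which is the state the five O15 lines in the HijackThis log report.
HIJACKED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
"https"=dword:00000000
"ftp"=dword:00000000
"file"=dword:00000000
"@ivt"=dword:00000000
"""

# Constructed sample export of the same key after the fix has been applied.
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Parse a REGEDIT4/5 text export into {key_path: {value_name: int}}; only dword values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_protocol_defaults(export_text):
    """Return [(protocol, observed_zone, expected_zone)] for each value not at its expected zone.
    A value that is absent is reported with observed None so it can be checked by hand."""
    values = {}
    for key, entries in parse_reg_export(export_text).items():
        if key.lower() == PROTOCOL_DEFAULTS_KEY.lower():
            values = entries
    return [(p, values.get(p), z) for p, z in EXPECTED.items() if values.get(p) != z]


def describe(findings):
    """Human-readable lines in the style of HijackThis O15 entries."""
    out = []
    for proto, observed, expected in findings:
        want = ZONE_NAMES[expected]
        if observed is None:
            out.append("'%s' protocol has no value set, should be %s Zone" % (proto, want))
        else:
            seen = ZONE_NAMES.get(observed, "zone %d" % observed)
            out.append("'%s' protocol is in %s Zone, should be %s Zone" % (proto, seen, want))
    return out


def build_fix_script(findings):
    """Registry:: section in the form a ComboFix CFScript uses, touching only the drifted values."""
    lines = ["Registry::", "", "[%s]" % PROTOCOL_DEFAULTS_KEY]
    lines += ['"%s"=dword:%08x' % (proto, expected) for proto, _obs, expected in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_protocol_defaults(HIJACKED_EXPORT)
    print("\n".join(describe(found)))
    print()
    print(build_fix_script(found))
```

To get a real export on the affected machine, run reg export on the ProtocolDefaults key from a command prompt and feed the resulting file to audit_protocol_defaults. Re-running it after the CFScript has been applied should return an empty list, which is the same check the fresh HijackThis log performs when no O15 lines appear.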
 
ComboFix 08-03-26.3 - Sara 2008-03-27 14:47:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.257 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscripttxt.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 14:33 . 2008-03-27 14:35 <DIR> d-------- C:\NoLopBackups
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-25 14:37 <DIR> d-------- C:\Program Files\DVD Region+CSS Free
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-24 13:22 . 2008-03-24 13:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-23 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-21 14:50 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-19 09:52 470 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --------- C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --------- C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --------- C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --------- C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-21 14:50 429 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 20:43 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-15 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-04 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-26_ 8.29.25.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 20:49:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 14:50:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-27 14:53:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 20:53:39
ComboFix2.txt 2008-03-26 14:29:42
Pre-Run: 4,101,574,656 bytes free
Post-Run: 4,091,527,168 bytes free
.
2008-03-22 07:44:35 --- E O F ---
 
Hi again.

You need to do the ComboFix part again. The name of the file that you dragged and dropped onto ComboFix.exe was wrong: it should be CFScript.txt, but you had it as cfscripttxt.txt.

Go ahead and delete cfscripttxt.txt from your desktop and follow the steps below, making sure that when you save it, you put just CFScript.txt in the File Name box. Also be sure that "All Files" is selected in the Save as Type box. :)


  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KillAll::
    
    Registry::
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    "http"=dword:00000003
    "https"=dword:00000003
    "ftp"=dword:00000003
    "file"=dword:00000003
    "@ivt"=dword:00000001

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Post the resulting ComboFix log and a fresh HiJackThis log as well.
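The Registry:: block above writes the IE ZoneMap\ProtocolDefaults values that HijackThis checks for its O15 lines. As an added example (not code from this thread, ComboFix or HijackThis), the script below parses REGEDIT4/CFScript-style text and reports each protocol sitting in a zone other than the expected default, using the standard IE zone numbering (0 My Computer, 1 Intranet, 3 Internet); both sample exports are constructed.

```python
"""Check IE ZoneMap\\ProtocolDefaults values written in REGEDIT4 / ComboFix
'Registry::' syntax and report the mismatches HijackThis shows as O15 lines.
Added example; not part of the thread, ComboFix or HijackThis."""
import re

PROTOCOL_DEFAULTS_KEY = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\ZoneMap\ProtocolDefaults"
)

# URL security zone numbers used by the ZoneMap (the same numbers the CFScript writes).
ZONE_NAMES = {0: "My Computer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Expected defaults for the five protocols named in the thread's O15 lines.
EXPECTED_ZONE = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for every dword in REGEDIT4-style text."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # CFScript text is often indented when pasted into a forum
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def protocol_defaults(reg):
    """Pick the ProtocolDefaults values out of a parsed export (key match is case-insensitive)."""
    want = PROTOCOL_DEFAULTS_KEY.lower()
    for key, values in reg.items():
        if key.lower() == want:
            return values
    return {}


def o15_findings(text):
    """Emit HijackThis-style O15 lines for protocols whose zone differs from the expected default.

    Only values present in the text are checked; absent values are not reported.
    """
    values = protocol_defaults(parse_reg_dwords(text))
    findings = []
    for proto in sorted(EXPECTED_ZONE):
        if proto not in values:
            continue
        actual, expected = values[proto], EXPECTED_ZONE[proto]
        if actual != expected:
            findings.append(
                "O15 - ProtocolDefaults: '%s' protocol is in %s Zone, should be %s Zone"
                % (proto, ZONE_NAMES.get(actual, str(actual)), ZONE_NAMES[expected])
            )
    return findings


# Constructed sample: the state the thread's HijackThis log reports (all five forced into zone 0).
HIJACKED_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults]
"@ivt"=dword:00000000
"file"=dword:00000000
"ftp"=dword:00000000
"http"=dword:00000000
"https"=dword:00000000
"""

# Constructed sample in the shape of the helper's Registry:: block (CFScript uses REGEDIT4 syntax).
CFSCRIPT_FIX = """Registry::

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001
"""

if __name__ == "__main__":
    for line in o15_findings(HIJACKED_EXPORT):
        print(line)
    print("after fix:", o15_findings(CFSCRIPT_FIX) or "no O15 findings")
```

Run against a real export, the same check tells you whether a fix that ComboFix reports as applied actually landed in the registry.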
 
ComboFix 08-03-26.3 - Sara 2008-03-28 16:46:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-27 14:33 . 2008-03-27 14:35 <DIR> d-------- C:\NoLopBackups
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-23 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-19 09:52 470 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --------- C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --------- C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --------- C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --------- C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 21:35 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 21:49 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-15 23:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-12 19:55 40,730 ----a-w C:\WINDOWS\system32\superiorads-uninst.exe
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-15 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-02-04 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 16:49:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-28 16:53:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 22:53:14
ComboFix2.txt 2008-03-27 20:53:45
ComboFix3.txt 2008-03-26 14:29:42
Pre-Run: 4,056,543,232 bytes free
Post-Run: 4,046,598,144 bytes free
.
2008-03-22 07:44:35 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:45 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 5581 bytes
 
We are very close to being done. Just need to get rid of these lines in the HJT log and then you'll be good to go:

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

Let me ask some of my fellow helpers to see if they have any ideas. I'll be back as soon as I can.
 
Help, it's back. I ran Spybot and there is quite a bit in there. I got the same message on my desktop and am locked out of my Task Manager again.
 
Post a fresh HiJackThis Log and the Spybot Log as well for me to look over. What does the message on your Desktop say?
 
There's a link to download an antispyware program displayed across my desktop.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:10 AM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\slidqtgl.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {255CC83D-D67A-4217-B804-1C46613A058A} - C:\WINDOWS\system32\jkkLFusr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GNX Bingo - {5B9512A7-C919-4035-A08D-8888AA6F5F7A} - C:\WINDOWS\svpekgongrk.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {94BC3D1D-22E9-4744-8ED1-3E08A3B74078} - C:\WINDOWS\system32\ssqPjgeB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: stfngdvw - {BE39F01C-46FB-4111-9AE9-2F11DC22AF69} - C:\WINDOWS\stfngdvw.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [xthmukzh] C:\WINDOWS\system32\slidqtgl.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZEpzBKFgN1] C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: ssqPjgeB - C:\WINDOWS\SYSTEM32\ssqPjgeB.dll
O21 - SSODL: sxfnewqb - {E665DDE3-DC65-4628-BAC7-0EDC4EACD70A} - C:\WINDOWS\sxfnewqb.dll
O21 - SSODL: fkdnrwsv - {7C0D3407-91CC-4800-B68F-7647E3608646} - C:\WINDOWS\fkdnrwsv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6540 bytes




 
spybot

--- Search result list ---
Inet Delivery: [SBI $62162B60] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Inet Delivery

Inet Delivery: [SBI $6DE54DE3] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery

Inet Delivery: [SBI $9C3D7D62] Program directory (Directory, nothing done)
C:\Program Files\Inet Delivery\

GoldenPalace.Casino: [SBI $A27AFA55] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Golden Palace Casino PT

GoldenPalace.Casino: [SBI $59E76BAB] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW

MagicControl.Agent: [SBI $535C1507] Uninstall settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent

MagicControl.Agent: [SBI $F133B8D8] Program directory (Directory, nothing done)
C:\WINDOWS\mslagent\

SpySheriff: [SBI $F18F24AD] Class ID (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

SpySheriff: [SBI $D4B25EE3] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{0656A137-B161-CADD-9777-E37A75727E78}

Smitfraud-C.: [SBI $99A9870C] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSVPS.MSVPSApp

Smitfraud-C.: [SBI $99A9870C] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B9512A7-C919-4035-A08D-8888AA6F5F7A}

Smitfraud-C.: [SBI $99A9870C] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B9512A7-C919-4035-A08D-8888AA6F5F7A}

Smitfraud-C.gp: [SBI $8419CDF5] Program directory (Directory, nothing done)
C:\Program Files\akl\

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\wvUlliGa.dll

Virtumonde.dll: [SBI $E6921A50] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7283A96B-9275-499F-8AC8-F6338FD49561}

Virtumonde.dll: [SBI $E6921A50] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7283A96B-9275-499F-8AC8-F6338FD49561}

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

MediaUpdate: [SBI $407258B6] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{B8C0220D-763D-49A4-95F4-61DFDEC66EE6}

Virtumonde: [SBI $3BE84E58] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-842925246-413027322-839522115-1003\Software\mwc

Win32.Agent.ac: [SBI $DC5E831C] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44A1-9F4543D34545}

Zlob.Downloader.vcd: [SBI $D8DF6192] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2003-02-02 unins000.exe (51.6.0.0)
2008-03-21 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2003-03-16 borlndmm.dll (7.0.4.453)
2003-03-16 delphimm.dll (7.0.4.453)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2003-03-16 UnzDll.dll (1.7.0.8)
2003-03-16 ZipDll.dll (1.7.0.8)
2008-03-26 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-26 Includes\DialerC.sbi (*)
2008-03-26 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-03-26 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-03-26 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-03-26 Includes\PUPSC.sbi (*)
2008-03-26 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-26 Includes\SecurityC.sbi (*)
2008-03-19 Includes\Spybots.sbi (*)
2008-03-26 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-03-19 Includes\Trojans.sbi (*)
2008-03-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921503)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937894)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941568)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Security Update for Windows XP (KB942615)
/ Windows XP / SP3: Update for Windows XP (KB942763)
/ Windows XP / SP3: Update for Windows XP (KB942840)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ Windows XP / SP3: Update for Windows XP (KB946627)


--- Startup entries list ---
Located: HK_CU:Run, AVG7_Run
where: .DEFAULT...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147

Located: HK_CU:Run, AVG7_Run
where: S-1-5-19...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147

Located: HK_CU:Run, AVG7_Run
where: S-1-5-20...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147

Located: HK_CU:Run, swg
where: S-1-5-21-842925246-413027322-839522115-1003...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE

Located: HK_CU:Run, xthmukzh
where: S-1-5-21-842925246-413027322-839522115-1003...
command: C:\WINDOWS\system32\slidqtgl.exe
file: C:\WINDOWS\system32\slidqtgl.exe
size: 106496
MD5: 6BEA8428DA5FDAC8D2F7AE43CE319A37

Located: HK_CU:Run, AVG7_Run
where: S-1-5-18...
command: C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVG7\avgw.exe
size: 145920
MD5: 736A6ED03365EC50815FF8ED6B2E2147

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ssqPjgeB
command: ssqPjgeB.dll
file: ssqPjgeB.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
 