Zlob.Downloader.vcd Settings

trvlr3 · Mar 29, 2008

--- Browser helper object list ---
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn\
Long name: yt.dll
Short name:
Date (created): 12/30/2007 11:18:14 PM
Date (last access): 1/15/2008 1:21:34 PM
Date (last write): 10/26/2006 12:28:40 PM
Filesize: 440384
Attributes: archive
MD5: 2785037CE05B63D5607C9D5DFB2FEEE4
CRC32: 9ED93A02
Version: 2006.10.26.1

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name:
Date (created): 10/23/2006 12:08:42 AM
Date (last access): 2/7/2008 12:23:28 PM
Date (last write): 10/23/2006 12:08:42 AM
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{255CC83D-D67A-4217-B804-1C46613A058A} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: jkkLFusr.dll

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 3/16/2003 1:02:00 AM
Date (last access): 3/21/2008 6:48:46 PM
Date (last write): 1/28/2008 11:43:28 AM
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11

{5B9512A7-C919-4035-A08D-8888AA6F5F7A} (GNX Bingo)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: GNX Bingo
Path: C:\WINDOWS\
Long name: svpekgongrk.dll
Short name: SVPEKG~1.DLL
Date (created): 3/28/2008 7:09:06 PM
Date (last access): 3/28/2008 7:09:06 PM
Date (last write): 3/28/2008 6:19:44 PM
Filesize: 249856
Attributes: archive
MD5: B2A7B92248D42AD2EF8A53E99FA053F2
CRC32: 42951D78

{7283A96B-9275-499F-8AC8-F6338FD49561} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: wvUlliGa.dll
Short name:
Date (created): 3/29/2008 12:59:58 AM
Date (last access): 3/29/2008 12:59:58 AM
Date (last write): 3/29/2008 1:00:00 AM
Filesize: 268288
Attributes: archive
MD5: E659B3A914231D5936782738CAF56DDE
CRC32: 42E83E1C

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\PROGRA~1\MICROS~2\Office12\
Long name: GrooveShellExtensions.dll
Short name: GRA8E1~1.DLL
Date (created): 10/27/2006 2:48:42 AM
Date (last access): 1/15/2008 1:21:34 PM
Date (last write): 10/27/2006 2:48:42 AM
Filesize: 2210608
Attributes: archive
MD5: 786DD1892B553EFE5A004AC39775C851
CRC32: AAD965C9
Version: 12.0.4518.1014

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 3/24/2008 12:49:54 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13

{94BC3D1D-22E9-4744-8ED1-3E08A3B74078} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: ssqPjgeB.dll
Short name:
Date (created): 3/28/2008 7:08:52 PM
Date (last access): 3/28/2008 7:08:52 PM
Date (last write): 3/28/2008 7:08:52 PM
Filesize: 40448
Attributes: archive
MD5: D58CE94DB3F69AF062E81433E13AE1B7
CRC32: 75FA4495

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll googletoolbar*.dll (* = number) googletoolbar_en_*.**-big.dll Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 1/4/2008 11:51:40 PM
Date (last access): 1/15/2008 1:21:34 PM
Date (last write): 1/4/2008 11:51:40 PM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 4.0.1601.4978

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\
Long name: swg.dll
Short name:
Date (created): 1/21/2008 7:26:02 PM
Date (last access): 1/21/2008 7:26:02 PM
Date (last write): 1/21/2008 7:26:02 PM
Filesize: 323568
Attributes: archive
MD5: 907325051CE9D96D6F0F2766050AD6B2
CRC32: 9287C995
Version: 2.0.1121.2472

--- ActiveX list ---
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name:
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name:
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name:
Date (created): 2/22/2008 2:33:32 AM
Date (last access): 2/22/2008 2:33:32 AM
Date (last write): 2/22/2008 4:25:20 AM
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

trvlr3 · Mar 29, 2008

--- Process list ---
PID: 0 ( 0) [System]
PID: 664 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 740 ( 664) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 764 ( 664) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 808 ( 764) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 820 ( 764) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 992 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1072 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1184 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1268 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1396 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1564 (1528) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1648 ( 808) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1904 (1564) C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
size: 36864
MD5: 4687FCD92CACF6684507D9AFBC400AA8
PID: 1912 (1564) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 68856
MD5: E616A6A6E91B0A86F2F6217CDE835FFE
PID: 1936 (1564) C:\WINDOWS\system32\slidqtgl.exe
size: 106496
MD5: 6BEA8428DA5FDAC8D2F7AE43CE319A37
PID: 1968 ( 808) C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
size: 353280
MD5: 5F4ED1DBA7E1EAECBA443A53DA176485
PID: 1996 ( 808) C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
size: 49664
MD5: 30A14F65DB477DC00A64A5A24E96919C
PID: 2032 ( 808) C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
size: 352768
MD5: F59C5100CB16DB794D5710E8B00629B1
PID: 180 ( 808) C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
size: 921600
MD5: E5BECCD165752E7EC3C8A642A542B4EB
PID: 248 ( 808) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
size: 145184
MD5: 5A432A042DAE460ABE7199B758E8606C
PID: 564 ( 808) C:\WINDOWS\system32\tcpsvcs.exe
size: 19456
MD5: 32933B07FC16D9F778BEE12545FA1B1A
PID: 592 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 696 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 724 ( 808) C:\WINDOWS\System32\dmadmin.exe
size: 224768
MD5: 554C7CB178FE3BD12450B81AD63ADBC3
PID: 444 ( 808) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2100 (1564) C:\Program Files\internet explorer\iexplore.exe
size: 625664
MD5: 2703D940A62B731AA220529DD7331A78
PID: 3496 (1564) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 3736 (1564) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 4 ( 0) System

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/29/2008 1:29:28 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD Tcpip [TCP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 6: MSAFD Tcpip [UDP/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 7: MSAFD Tcpip [RAW/IPv6]
GUID: {F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IPv6 protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6514068E-3682-456E-A6D7-27AEF95FA408}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6514068E-3682-456E-A6D7-27AEF95FA408}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{67811F43-AD80-47A7-B10F-9AF79C487D7E}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip6_{67811F43-AD80-47A7-B10F-9AF79C487D7E}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6514068E-3682-456E-A6D7-27AEF95FA408}] SEQPACKET 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6514068E-3682-456E-A6D7-27AEF95FA408}] DATAGRAM 10
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5852F9DE-140E-472E-AF6D-1AC369EF1F5F}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0FDA2B4C-50FB-4AF8-B982-346D2729E66D}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{66414A4B-9911-47D3-860E-F0C85BB7C63C}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 26: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80A25BA6-188D-4798-8D99-09841D0806FF}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 27: MSAFD NetBIOS [\Device\NetBT_Tcpip_{80A25BA6-188D-4798-8D99-09841D0806FF}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 28: MSAFD NetBIOS [\Device\NetBT_Tcpip_{82AFFB4B-277D-4F98-BC5A-4392F3F321E8}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 29: MSAFD NetBIOS [\Device\NetBT_Tcpip_{82AFFB4B-277D-4F98-BC5A-4392F3F321E8}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: PNRP Cloud Namespace Provider
GUID: {03FE89CE-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

Namespace Provider 4: PNRP Name Namespace Provider
GUID: {03FE89CD-766D-4976-B9C1-BB9BC42C7B4D}
Filename: C:\WINDOWS\system32\pnrpnsp.dll

km2357 · Mar 29, 2008

Delete ComboFix.exe from your Desktop and download an updated version from here and save it to your Desktop.

Next, run ComboFix and post back the ComboFix Log.

Also, run MalwareBytes' AntiMalware again. Before running a full scan, be sure to click Updates, then Check for Updates to make sure you have the latest definitions.

Step # 1: Download and Run a RegFix

Download the file here and save it to your Desktop. Double-click it and when it asks you if you want to merge, click Ok/Yes

Reboot your Computer.

In your next post, I need to see the following:

1. ComboFix Log.
2. MalwareBytes' Log
3. A fresh HiJackThis Log

Use multiple posts if need be to fit them all in.

trvlr3 · Mar 30, 2008

Kinda had a hard time it locked me out of my documents but finally got to the logs to copy them. It has downloaded all the same programs plus more again

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:19 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\tutqlozo.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nfhqfoas] C:\WINDOWS\system32\tutqlozo.exe
O4 - HKLM\..\Policies\Explorer\Run: [ZEpzBKFgN1] C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 4609 bytes

trvlr3 · Mar 30, 2008

Malwarebytes' Anti-Malware 1.09
Database version: 563

Scan type: Full Scan (C:\|)
Objects scanned: 211954
Time elapsed: 51 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 16
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\ssqPjgeB.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\fkdnrwsv.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\sxfnewqb.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{94bc3d1d-22e9-4744-8ed1-3e08a3b74078} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{94bc3d1d-22e9-4744-8ed1-3e08a3b74078} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpjgeb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ONESTEP_SEARCH_SERVICE (Adware.OneStepSearch) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c0d3407-91cc-4800-b68f-7647e3608646} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{be39f01c-46fb-4111-9ae9-2f11dc22af69} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e665dde3-dc65-4628-bac7-0edc4eacd70a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b9512a7-c919-4035-a08d-8888aa6f5f7a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b9512a7-c919-4035-a08d-8888aa6f5f7a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.bleo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MSVPS.MSVPSApp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin (Trojan.Fakealert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{94bc3d1d-22e9-4744-8ed1-3e08a3b74078} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fkdnrwsv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{be39f01c-46fb-4111-9ae9-2f11dc22af69} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sxfnewqb (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\ssqPjgeB.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP9\A0001820.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dwltqnmx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fkdnrwsv.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\stfngdvw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sxfnewqb.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\svpekgongrk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

trvlr3 · Mar 30, 2008

ComboFix 08-03-29.1 - Sara 2008-03-29 21:40:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.226 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\PXHNmnmp.ini2
C:\WINDOWS\system32\rsuFLkkj.ini
C:\WINDOWS\system32\rsuFLkkj.ini2
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-29 21:36 . 2008-03-29 21:36 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-29 21:16 . 2008-03-29 21:16 106,496 --a------ C:\WINDOWS\system32\zylunifg.exe
2008-03-29 00:55 . 2008-03-29 00:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-29 00:25 . 2008-03-29 00:25 106,496 --a------ C:\WINDOWS\system32\slidqtgl.exe
2008-03-28 22:10 . 2008-03-28 22:10 98,304 --a------ C:\WINDOWS\system32\uzafibet.exe
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-28 21:11 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-28 19:08 . 2008-03-28 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cxwzexmn
2008-03-28 19:08 . 2008-03-28 19:08 110,592 --a------ C:\WINDOWS\system32\yrytyhar.exe
2008-03-27 14:33 . 2008-03-27 14:35 <DIR> d-------- C:\NoLopBackups
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 14:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 14:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 14:32 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 14:32 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 14:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-22 14:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 14:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 14:32 . 2008-03-22 18:18 1,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-28 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-29 10:18 696 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --a------ C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --a------ C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --a------ C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-02-14 13:06 . 2008-02-14 22:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:50 . 2008-03-25 13:50 <DIR> d-------- C:\Downloads
2008-02-06 19:22 . 2008-03-12 13:55 40,730 --a------ C:\WINDOWS\system32\superiorads-uninst.exe
2008-02-04 13:43 . 2008-02-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 03:37 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
"nfhqfoas"="C:\WINDOWS\system32\tutqlozo.exe" [2008-03-29 21:43 106496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZEpzBKFgN1"= C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP

eer Name Resolution Protocol (PNRP)
"21439:TCP"= 21439:TCP:BitComet 21439 TCP
"21439:UDP"= 21439:UDP:BitComet 21439 UDP
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 21:43:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-03-29 21:46:07 - machine was rebooted [Sara]
ComboFix-quarantined-files.txt 2008-03-30 03:46:03
ComboFix2.txt 2008-03-28 22:53:19
ComboFix3.txt 2008-03-27 20:53:45
ComboFix4.txt 2008-03-26 14:29:42
Pre-Run: 4,008,738,816 bytes free
Post-Run: 4,000,813,056 bytes free
.
2008-03-22 07:44:35 --- E O F ---

km2357 · Mar 30, 2008

Try to stay offline as much as possible unless you are checking this thread for my instructions.

Step # 1: Add/Remove Programs

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

PC-Cleaner
PCCleaner
PC-Cleaner 2007
PC-Cleaner 2008
PCCleaner 2007
PCCleaner 2008

If any of the above are found, uninstall them.

Step # 2: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.

Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

KillAll::

File::

C:\WINDOWS\system32\zylunifg.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\slidqtgl.exe
C:\WINDOWS\system32\uzafibet.exe
C:\WINDOWS\system32\yrytyhar.exe
C:\WINDOWS\system32\tutqlozo.exe

Folder::

C:\Program Files\PC-Cleaner
C:\Documents and Settings\All Users\Application Data\cxwzexmn
C:\NoLopBackups

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nfhqfoas"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ZEpzBKFgN1"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21439:TCP"=-
"21439:UDP"=-

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. ComboFix Log that appears after Step 2 has been done.
2. A fresh HiJackThis Log.

trvlr3 · Mar 31, 2008

ComboFix 08-03-30.3 - Sara 2008-03-31 10:18:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.261 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\slidqtgl.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\tutqlozo.exe
C:\WINDOWS\system32\uzafibet.exe
C:\WINDOWS\system32\yrytyhar.exe
C:\WINDOWS\system32\zylunifg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\cxwzexmn
C:\Documents and Settings\All Users\Application Data\cxwzexmn\wlejavqz.exe
C:\Documents and Settings\Sara\Desktopblackbird.jpg
C:\Documents and Settings\Sara\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Sara\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Sara\Desktopfilemanagerclient.exe
C:\Documents and Settings\Sara\Desktopfkwp1.5.exe
C:\Documents and Settings\Sara\Desktopfkwp2.0.exe
C:\Documents and Settings\Sara\Desktopfwebd.exe
C:\Documents and Settings\Sara\DesktopFWebdEditor.exe
C:\Documents and Settings\Sara\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Sara\Desktopvirii
C:\NoLopBackups
C:\NoLopBackups\AB7F8E61911401CD.job.01.infected
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\slidqtgl.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\tutqlozo.exe
C:\WINDOWS\system32\yrytyhar.exe
C:\WINDOWS\system32\zylunifg.exe
C:\WINDOWS\system32akttzn.exe
C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32bsva-egihsg52.exe
C:\WINDOWS\system32dpcproxy.exe
C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32h@tkeysh@@k.dll
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32hxiwlgpm.exe
C:\WINDOWS\system32medup012.dll
C:\WINDOWS\system32medup020.dll
C:\WINDOWS\system32msgp.exe
C:\WINDOWS\system32msnbho.dll
C:\WINDOWS\system32mssecu.exe
C:\WINDOWS\system32msvchost.exe
C:\WINDOWS\system32mtr2.exe
C:\WINDOWS\system32mwin32.exe
C:\WINDOWS\system32netode.exe
C:\WINDOWS\system32newsd32.exe
C:\WINDOWS\system32ps1.exe
C:\WINDOWS\system32psof1.exe
C:\WINDOWS\system32psoft1.exe
C:\WINDOWS\system32regc64.dll
C:\WINDOWS\system32regm64.dll
C:\WINDOWS\system32Rundl1.exe
C:\WINDOWS\system32smp
C:\WINDOWS\system32smp\msrc.exe
C:\WINDOWS\system32sncntr.exe
C:\WINDOWS\system32ssurf022.dll
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32ssvchost.exe
C:\WINDOWS\system32sysreq.exe
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32taack.exe
C:\WINDOWS\system32temp#01.exe
C:\WINDOWS\system32thun.dll
C:\WINDOWS\system32thun32.dll
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32winsystem.exe
C:\WINDOWS\system32WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-30 15:33 . 2008-03-30 15:33 90,112 --a------ C:\WINDOWS\system32\kdsryfeh.exe
2008-03-30 11:09 . 2008-03-30 11:09 110,592 --a------ C:\WINDOWS\system32\lajunirw.exe
2008-03-30 08:20 . 2008-03-30 08:20 114,688 --a------ C:\WINDOWS\system32\otmvajkd.exe
2008-03-29 23:53 . 2008-03-29 23:53 110,592 --a------ C:\WINDOWS\system32\ktyhybch.exe
2008-03-29 00:55 . 2008-03-29 00:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-28 21:11 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 14:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 14:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 14:32 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 14:32 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 14:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-22 14:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 14:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 14:32 . 2008-03-22 18:18 1,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-30 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-29 10:18 696 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --a------ C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --a------ C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --a------ C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-02-14 13:06 . 2008-02-14 22:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:50 . 2008-03-25 13:50 <DIR> d-------- C:\Downloads
2008-02-04 13:43 . 2008-02-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 18:41 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]
"monhsoca"="C:\WINDOWS\system32\kdsryfeh.exe" [2008-03-30 15:33 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP

eer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 10:21:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-31 10:24:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 16:24:48
ComboFix2.txt 2008-03-30 03:46:08
ComboFix3.txt 2008-03-28 22:53:19
ComboFix4.txt 2008-03-27 20:53:45
ComboFix5.txt 2008-03-26 14:29:42
Pre-Run: 4,106,502,144 bytes free
Post-Run: 4,095,488,000 bytes free
.
2008-03-22 07:44:35 --- E O F ---

trvlr3 · Mar 31, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:53 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [monhsoca] C:\WINDOWS\system32\kdsryfeh.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 4329 bytes

km2357 · Mar 31, 2008

ComboFix got rid of a lot of stuff again, I'm going to have you run another CFScript to get some more. Have you been keeping your computer offline as much as possible?

Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.

Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

KillAll::

File::

C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe
C:\WINDOWS\system32\ktyhybch.exe

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"monhsoca"=-

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. ComboFix log that appears after Step 1.
2. A fresh HiJackThis Log.

trvlr3 · Mar 31, 2008

ComboFix 08-03-30.4 - Sara 2008-03-31 13:20:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.242 [GMT -6:00]
Running from: C:\Documents and Settings\Sara\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sara\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\ktyhybch.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kdsryfeh.exe
C:\WINDOWS\system32\ktyhybch.exe
C:\WINDOWS\system32\lajunirw.exe
C:\WINDOWS\system32\otmvajkd.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-29 00:55 . 2008-03-29 00:55 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-03-28 21:14 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-03-28 21:11 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-26 17:11 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-03-26 17:11 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-03-26 17:11 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-03-25 18:08 . 2008-03-25 18:08 4,608,744 --a------ C:\Program Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
2008-03-25 14:37 . 2008-03-27 14:13 67 --a------ C:\WINDOWS\DVDRegionFree.INI
2008-03-24 12:53 . 2008-03-24 12:53 <DIR> d-------- C:\Program Files\ERUNT
2008-03-24 12:52 . 2008-03-24 12:53 791,393 --a------ C:\Program Files\erunt-setup.exe
2008-03-24 00:50 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-24 00:49 . 2008-03-24 00:50 <DIR> d-------- C:\Program Files\Java
2008-03-24 00:49 . 2008-03-24 00:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\Malwarebytes
2008-03-23 17:41 . 2008-03-23 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 14:32 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-22 14:32 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-22 14:32 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-22 14:32 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-22 14:32 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-22 14:32 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-22 14:32 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-22 14:32 . 2008-03-22 18:18 1,140 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-22 01:43 . 2008-03-22 01:43 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-21 20:20 . 2008-03-25 15:40 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\SolSuite
2008-03-21 18:44 . 2008-03-21 18:44 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-21 18:44 . 2008-03-21 18:44 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-21 18:28 . 2008-03-31 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 . 2008-03-21 18:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-20 20:26 . 2008-03-21 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-03-20 20:15 . 2008-03-21 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-20 20:15 . 2008-03-20 20:15 38,473,056 --a------ C:\Program Files\CNET_VSP30days.exe
2008-03-20 20:09 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-20 20:09 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-20 12:41 . 2008-03-20 12:41 50 --a------ C:\WINDOWS\BRQIKMON.INI
2008-03-20 12:40 . 2008-03-21 14:50 <DIR> d-------- C:\Documents and Settings\Sara\Application Data\PC-FAX TX
2008-03-19 20:05 . 2004-12-03 01:26 188,416 --a------ C:\WINDOWS\system32\PDRVINST.DLL
2008-03-19 20:05 . 2006-01-17 01:03 126,976 --a------ C:\WINDOWS\system32\BrfxD05a.dll
2008-03-19 20:05 . 2005-06-02 01:09 86,016 --a------ C:\WINDOWS\system32\BrWebIns.dll
2008-03-19 20:05 . 2005-06-02 01:08 69,632 --a------ C:\WINDOWS\system32\BRWEBUP.EXE
2008-03-19 20:05 . 2001-11-15 01:00 6,224 --a------ C:\WINDOWS\CVRPAGE.BMP
2008-03-19 20:05 . 2008-03-28 15:29 0 --a------ C:\WINDOWS\brdfxspd.dat
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-03-19 20:04 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-03-19 20:04 . 2003-09-24 11:36 27,019 --a------ C:\WINDOWS\maxlink.ini
2008-03-19 19:58 . 2008-03-19 19:58 0 --------- C:\Bro59.tmp
2008-03-19 19:55 . 2008-03-21 19:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-19 19:18 . 2008-03-19 20:06 <DIR> d-------- C:\Program Files\Brother
2008-03-19 09:48 . 2008-03-29 10:18 696 --a------ C:\WINDOWS\wininit.ini
2008-03-16 19:35 . 2008-03-16 19:36 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-03-15 16:10 . 2001-08-18 06:00 1,700,352 --a------ C:\WINDOWS\system32\GdiPlus.dll
2008-03-15 16:10 . 2002-11-27 18:26 114,688 --a------ C:\WINDOWS\system32\jpegcode.dll
2008-03-15 16:10 . 2002-09-06 18:54 53,248 --a------ C:\WINDOWS\system32\AccWrap.dll
2008-03-15 16:10 . 2002-10-29 18:21 45,664 --------- C:\WINDOWS\system32\drivers\CoachVc.sys
2008-03-15 16:10 . 2002-11-22 19:45 41,952 --------- C:\WINDOWS\system32\drivers\CoachUsb.sys
2008-03-15 16:10 . 2002-11-21 12:14 39,424 --a------ C:\WINDOWS\system32\CoachWia.dll
2008-03-15 16:10 . 2008-03-16 14:05 22 --a------ C:\Program Files\c310.zip
2008-03-15 10:06 . 2008-03-15 10:06 419 --a------ C:\WINDOWS\BRWMARK.INI
2008-03-15 10:06 . 2008-03-15 10:06 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-15 10:05 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-15 10:00 . 2008-03-28 15:34 1,053 --a------ C:\WINDOWS\Brpfx04a.ini
2008-03-15 10:00 . 2008-03-20 12:40 153 --a------ C:\WINDOWS\brpcfx.ini
2008-03-15 10:00 . 2008-03-19 20:06 50 --a------ C:\WINDOWS\system32\bridf06a.dat
2008-03-15 09:59 . 2008-03-19 19:09 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-15 09:59 . 2006-02-24 17:27 1,492,480 --a------ C:\WINDOWS\system32\BrWia06a.dll
2008-03-15 09:59 . 2004-12-10 16:35 147,456 --a------ C:\WINDOWS\brunin03.dll
2008-03-15 09:59 . 2006-02-16 18:49 52,736 --a------ C:\WINDOWS\system32\brinsstr.dll
2008-03-15 09:59 . 2005-12-13 10:53 38,912 --a------ C:\WINDOWS\system32\BrUsi06a.dll
2008-03-15 09:59 . 2004-10-15 12:50 15,295 --a------ C:\WINDOWS\system32\drivers\BrScnUsb.sys
2008-03-15 09:57 . 2008-03-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-15 09:56 . 2008-03-19 20:04 <DIR> d-------- C:\Program Files\ScanSoft
2008-03-15 09:55 . 2008-03-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Brother
2008-03-08 11:09 . 2008-03-08 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-08 11:08 . 2008-03-08 11:08 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a------ C:\WINDOWS\system32\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a------ C:\WINDOWS\system32\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 23:36 71,680 --a--c--- C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a------ C:\WINDOWS\system32\drivers\serscan.sys
2008-02-27 09:38 . 2001-08-17 14:53 6,784 --a--c--- C:\WINDOWS\system32\dllcache\serscan.sys
2008-02-14 13:06 . 2008-02-14 22:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 11:50 . 2008-03-25 13:50 <DIR> d-------- C:\Downloads
2008-02-04 13:43 . 2008-02-04 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 18:41 --------- d-----w C:\Program Files\RegScrubXP
2008-03-22 07:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-21 22:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\AVG7
2008-03-20 22:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-20 18:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-20 14:47 --------- d-----w C:\Program Files\Incomplete
2008-03-20 02:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 02:05 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-19 14:44 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-17 04:58 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-03-08 17:09 --------- d-----w C:\Program Files\Lavasoft
2008-03-08 17:09 --------- d-----w C:\Documents and Settings\Sara\Application Data\Lavasoft
2008-02-27 22:57 729,088 ----a-w C:\WINDOWS\iun6002.exe
2008-02-06 20:20 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-01-31 06:11 --------- d-----w C:\Program Files\OverDrive Media Console
2008-01-31 06:11 --------- d-----w C:\Documents and Settings\Sara\Application Data\OverDrive
2008-01-11 18:20 553,687 ----a-w C:\Program Files\jv16_regcleaner.exe
2008-01-11 18:07 593,556 ----a-w C:\Program Files\regscrubxpsetup_3.2.exe
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{0C12DB23-1BE2-4364-BFAA-6F5D9129BA61}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\{1B77EDC5-1688-4797-BA2D-7B17CF56CB30}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{22BE5C96-6912-4844-B877-5B823AD9B260}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{2E5205F4-C65A-4D26-8D21-D6A2DAA83314}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\{3BD78CE5-4886-4A8D-879E-D3604BF3CBE3}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\{A0337C34-3D4E-449C-8E79-A26151D03235}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\{C354F08C-4F05-4AFA-82AE-342DA03BB497}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{130E8F94-C662-49ED-AE40-05594E9EFB43}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{1E4A546D-C55E-4052-A7F5-AE0C5B7534F6}.dat
2007-12-27 18:04 32 --sha-w C:\WINDOWS\system32\{770AD5A9-EAE7-46E2-88C7-7BD6908E39CC}.dat
2007-12-27 18:05 32 --sha-w C:\WINDOWS\system32\{ACB29618-EEF3-4AD4-B2B2-5DBB667C35A1}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{C71E13F1-33A7-4A76-956F-D297C2A27665}.dat
2007-12-27 18:01 32 --sha-w C:\WINDOWS\system32\{CD413577-1356-422D-AA2E-64C023005796}.dat
2007-12-27 18:02 32 --sha-w C:\WINDOWS\system32\{D4CF1B07-7D22-43F2-A0AF-E389C73077DA}.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_10.24.20.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-31 19:22:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-21 19:26 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-27 12:01 145920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP

eer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP

xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 15:58]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-03-19 18:31]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 06:00]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys [2005-10-17 21:50]
S3 ZD1211BU(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-06-27 16:32]
S4 WUSB54Gv42SVC;WUSB54Gv42SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 13:22:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
.
**************************************************************************
.
Completion time: 2008-03-31 13:26:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 19:26:50
ComboFix2.txt 2008-03-31 16:24:55
ComboFix3.txt 2008-03-30 03:46:08
ComboFix4.txt 2008-03-28 22:53:19
ComboFix5.txt 2008-03-27 20:53:45
Pre-Run: 4,136,407,040 bytes free
Post-Run: 4,130,152,448 bytes free
.
2008-03-22 07:44:35 --- E O F ---

trvlr3 · Mar 31, 2008

There were no programs in the control panel add/remove programs that were on the list. I unplug the cable from the computer so no one can go on line

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:16 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Sara\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 4198 bytes

km2357 · Apr 1, 2008

Your latest HJT and ComboFix Logs look good.

I want you to run Kaspersky one more time and post the results from the scan, so can we see if anything else is hiding on your computer and get rid of it. And also let me know how your computer is doing now.

Step # 1: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

You must be using Internet Explorer, Kaspersky does not work with Firefox

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Once finished, save the log to your Desktop as filename KAV.txt

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

trvlr3 · Apr 1, 2008

comuter is better since the last combofix. The link hasnt come back to my desktop and the other programs havent downloaded themselves anymore thank you

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 31, 2008 9:27:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 675122
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 201720
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:32:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF7542.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temp\~DF754D.tmp Object is locked skipped
C:\Documents and Settings\Sara\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sara\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sara\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log Object is locked skipped
C:\Program Files\Grisoft\AVG7\avg7log.log.lck Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP12\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{10AD9FA4-2A21-4945-A21A-C9D84DEB75A0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6e4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\SYSTEM\EGDHTML_1020.dll Object is locked skipped
D:\System Volume Information\_restore{CC3F1C1E-C032-4245-B818-E8D2A45D6868}\RP12\change.log Object is locked skipped

Scan process completed.

km2357 · Apr 1, 2008

The Kaspersky Log came back clean and you mention that your computer is running fine, it looks like you are good to go.

You can delete the following files off your Desktop (if found):

Kav.txt
daft.exe
NoLop.exe
Fix-Protocol-zones-ranges.reg

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK

Empty your Recyle Bin.

A Firewall is an essential part of computer security and you do not appear to have one running on your system. There are several firewalls that provide better protection than the Windows SP2 firewall.Do not attempt to run two software firewalls since like running two antivirus programs, they will possibly cause problems and conflict with each other.

There are a few firewalls available for free that appear to be good and easy to use:

Please download and install only one!

Once the firewall is installed, check to see that the Windows Firewall is disabled. To do so follow these steps:

1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, check to see if Off (not recommended) is checkmarked/ticked, if it is not, then checkmark/tick the box and click OK

Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point:
- Go to Start > All Programs > Accessories > System Tools > System Restore
- Select Create a restore point, and Ok it.
- Next, go to Start > Run and type in cleanmgr
- Select the More options tab
- Choose the option to clean up system restore and OK it.
- This will remove all restore points except the new one you just created.
.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it asks you if you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
- Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
- Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
- If unchecked please checkHide protected operating system files (Recommended)
- If necessary check "Display content of system folders"
- If necessary Uncheck Hide file extensions for known file types.
- Click OK
Use An Antivirus Software and Keep It Updated - It is very important that your computer has an antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware
Use an alternative instant messenger program.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place
Please read Understanding Spyware, Browser Hijackers, and Dialers
Please read Simple and easy ways to keep your computer safe and secure on the Internet
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or
Opera.
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.

Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Good luck!

Please reply one last time so that I know you have read my post and this thread can be closed.

trvlr3 · Apr 1, 2008

I have done all that is posted for me to do just have to read thru the posts that are there. All is good now thank you so much for your help.

km2357 · Apr 1, 2008

You're welcome. Glad I was able to help.

Zlob.Downloader.vcd Settings

trvlr3

New member

trvlr3

New member

km2357

Security Expert -Emeritus

trvlr3

New member

trvlr3

New member

trvlr3

New member

km2357

Security Expert -Emeritus

trvlr3

New member

trvlr3

New member

km2357

Security Expert -Emeritus

trvlr3

New member

trvlr3

New member

km2357

Security Expert -Emeritus

trvlr3

New member

km2357

Security Expert -Emeritus

trvlr3

New member

km2357

Security Expert -Emeritus