Tech Support Forum - View Single Post

woobiebv · 12-24-2007, 08:49 AM

New HJT-

Logfile of HijackThis v1.99.1
Scan saved at 10:45:02 AM, on 12/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\S3tray2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Angel & Brian\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
N2 - Netscape 6: user_pref("browser.startup.homepage", "www.mail.yahoo.com"); (C:\Documents and Settings\Angel & Brian\Application Data\Mozilla\Profiles\default\5kdkfr86.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Angel & Brian\Application Data\Mozilla\Profiles\default\5kdkfr86.slt\prefs.js)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! MahJong - http://download2.games.yahoo.com/gam...ts/y/ot0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Kaspersky scan -

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 24, 2007 10:41:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/12/2007
Kaspersky Anti-Virus database records: 493039
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 47653
Number of viruses found: 10
Number of infected objects: 12
Number of suspicious objects: 2
Duration of the scan process: 00:59:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.7.8/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Angel & Brian\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\Angel & Brian\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Angel & Brian\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\History\History.IE5\MSHist012007122420071225\index.dat Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\Temp\~DF19B8.tmp Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\Temp\~DF5AA4.tmp Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\Temp\~DF5AB0.tmp Object is locked skipped
C:\Documents and Settings\Angel & Brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Angel & Brian\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Angel & Brian\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\backups\backup-20050620-184320-726.dll Infected: not-a-virus:AdWare.Win32.Coupons.h skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\eMachine_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\General.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\UK_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Urgent.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Virus.dat Object is locked skipped
C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Welcome.dat Object is locked skipped
C:\Program Files\QuickTime\qttask .exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP728\A0041510.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP728\A0041511.dll Infected: Trojan.Win32.Pakes.akr skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP728\A0041512.dll Infected: not-a-virus:AdWare.Win32.RK.d skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP732\A0041646.exe Infected: not-a-virus:AdWare.Win32.RK.n skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044420.exe Infected: Trojan-Downloader.Win32.Osel.bx skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044426.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044427.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044428.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044429.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044430.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044431.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044432.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044433.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044434.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044435.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044436.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044437.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP796\A0044449.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044462.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044471.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044472.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044473.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044474.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044475.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044476.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044478.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044479.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044480.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044481.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044482.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044545.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044546.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044547.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044548.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044549.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044550.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044551.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044552.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044553.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044554.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044555.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044563.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044582.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044583.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044584.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044589.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044590.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044592.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044593.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044594.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044595.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044596.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044598.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044601.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044629.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044630.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044637.exe Object is locked skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044667.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044667.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044669.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP801\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\crap Infected: not-a-virus:AdWare.Win32.Agent.dk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mmf.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Combofix log -

ComboFix 07-12-24.7 - Angel & Brian 2007-12-24 8:32:10.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.51 [GMT -5:00]
Running from: C:\Documents and Settings\Angel & Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Angel & Brian\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\WindowsUpdate\profsyrtyl.html
C:\WINDOWS\system32\accdd.bak2
C:\WINDOWS\system32\accdd.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\accdd.bak2
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\shls.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 )))))))))))))))))))))))))))))))
.

2007-12-22 10:52 . 2007-12-23 08:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-01 13:25 . 2007-12-23 08:57 <DIR> d-------- C:\Documents and Settings\Angel & Brian\Application Data\AVG7
2007-12-01 13:22 . 2007-12-01 13:22 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-12-01 13:21 . 2007-12-01 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-01 13:21 . 2007-12-02 08:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-01 13:05 . 2007-12-01 13:08 <DIR> d-------- C:\Program Files\digestIT 2004

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 01:27 --------- d-----w C:\Program Files\QuickTime
2007-12-23 14:44 --------- d-----w C:\Program Files\verizon
2007-12-23 14:44 --------- d-----w C:\Program Files\SpamScreener
2007-12-23 13:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2005-10-11 22:41 3,275 ----a-w C:\Program Files\hijackthis.log
2005-02-16 15:06 218,112 ----a-w C:\Program Files\HijackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-23 20:27]
"S3TRAY2"="S3tray2.exe" [2003-02-25 03:33 C:\WINDOWS\system32\S3tray2.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-01 13:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2003-04-21 09:29:42]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-08-04 09:08:57]

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2005-03-30 18:31]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NPDORMW;NPDOR Media Driver;C:\WINDOWS\System32\Drivers\NPDORMW.sys []
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\System32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} []

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 08:36:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\shls.dll
.
Completion time: 2007-12-24 8:37:11
C:\ComboFix2.txt ... 2007-12-23 20:52
C:\ComboFix3.txt ... 2007-12-23 20:45
.
2007-07-14 16:41:28 --- E O F ---

As far as system performance, I haven't had any more popups since AVG ran and found the Trojan downloaders the other morning. But I think still running slower than normal.

Thanks

Edit to add - zipped file also submitted: [4]-Submit_2007-12-24@8.31

12-24-2007, 08:49 AM	#9 (permalink)
woobiebv Registered User Join Date: Dec 2007 Posts: 11 OS: WIN XP	Re: New HJT logfile New HJT- Logfile of HijackThis v1.99.1 Scan saved at 10:45:02 AM, on 12/24/2007 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\WINDOWS\System32\S3tray2.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe C:\WINDOWS\runservice.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Angel & Brian\My Documents\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us N2 - Netscape 6: user_pref("browser.startup.homepage", "www.mail.yahoo.com"); (C:\Documents and Settings\Angel & Brian\Application Data\Mozilla\Profiles\default\5kdkfr86.slt\prefs.js) N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Angel & Brian\Application Data\Mozilla\Profiles\default\5kdkfr86.slt\prefs.js) O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: VPN Client.lnk = ? O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: Yahoo! MahJong - http://download2.games.yahoo.com/gam...ts/y/ot0_x.cab O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe Kaspersky scan - ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Monday, December 24, 2007 10:41:59 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 24/12/2007 Kaspersky Anti-Virus database records: 493039 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ Scan Statistics: Total number of scanned objects: 47653 Number of viruses found: 10 Number of infected objects: 12 Number of suspicious objects: 2 Duration of the scan process: 00:59:52 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.7.8/wbuninst.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\Angel & Brian\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped C:\Documents and Settings\Angel & Brian\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped C:\Documents and Settings\Angel & Brian\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\History\History.IE5\MSHist012007122420071225\index.dat Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\Temp\~DF19B8.tmp Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\Temp\~DF5AA4.tmp Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\Temp\~DF5AB0.tmp Object is locked skipped C:\Documents and Settings\Angel & Brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Angel & Brian\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Angel & Brian\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\backups\backup-20050620-184320-726.dll Infected: not-a-virus:AdWare.Win32.Coupons.h skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\eMachine_Specific.dat Object is locked skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\General.dat Object is locked skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security.dat Object is locked skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Security_UK.dat Object is locked skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\UK_Specific.dat Object is locked skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Urgent.dat Object is locked skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Virus.dat Object is locked skipped C:\Program Files\BigFix\__Data\emachines\__Local\Tmp\Welcome.dat Object is locked skipped C:\Program Files\QuickTime\qttask .exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP728\A0041510.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP728\A0041511.dll Infected: Trojan.Win32.Pakes.akr skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP728\A0041512.dll Infected: not-a-virus:AdWare.Win32.RK.d skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP732\A0041646.exe Infected: not-a-virus:AdWare.Win32.RK.n skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044420.exe Infected: Trojan-Downloader.Win32.Osel.bx skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044426.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044427.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044428.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044429.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044430.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044431.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044432.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044433.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044434.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044435.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044436.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP795\A0044437.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP796\A0044449.ocx Infected: not-a-virus:AdWare.Win32.Coupons.h skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044462.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044471.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044472.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044473.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044474.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044475.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044476.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044478.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044479.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044480.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044481.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP797\A0044482.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044545.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044546.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044547.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044548.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044549.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044550.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044551.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044552.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044553.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044554.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044555.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044563.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044582.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044583.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044584.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044589.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044590.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044592.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044593.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044594.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044595.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044596.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044598.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044601.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044629.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP798\A0044630.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044637.exe Object is locked skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044667.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044667.exe NSIS: infected - 1 skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP800\A0044669.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP801\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\crap Infected: not-a-virus:AdWare.Win32.Agent.dk skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\mmf.sys Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. Combofix log - ComboFix 07-12-24.7 - Angel & Brian 2007-12-24 8:32:10.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.51 [GMT -5:00] Running from: C:\Documents and Settings\Angel & Brian\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Angel & Brian\Desktop\CFScript.txt * Created a new restore point FILE C:\Program Files\WindowsUpdate\profsyrtyl.html C:\WINDOWS\system32\accdd.bak2 C:\WINDOWS\system32\accdd.ini2 . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\accdd.bak2 C:\WINDOWS\system32\accdd.ini2 C:\WINDOWS\system32\shls.dll . ((((((((((((((((((((((((( Files Created from 2007-11-24 to 2007-12-24 ))))))))))))))))))))))))))))))) . 2007-12-22 10:52 . 2007-12-23 08:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe 2007-12-01 13:25 . 2007-12-23 08:57 <DIR> d-------- C:\Documents and Settings\Angel & Brian\Application Data\AVG7 2007-12-01 13:22 . 2007-12-01 13:22 <DIR> d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7 2007-12-01 13:21 . 2007-12-01 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft 2007-12-01 13:21 . 2007-12-02 08:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7 2007-12-01 13:05 . 2007-12-01 13:08 <DIR> d-------- C:\Program Files\digestIT 2004 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-24 01:27 --------- d-----w C:\Program Files\QuickTime 2007-12-23 14:44 --------- d-----w C:\Program Files\verizon 2007-12-23 14:44 --------- d-----w C:\Program Files\SpamScreener 2007-12-23 13:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2005-10-11 22:41 3,275 ----a-w C:\Program Files\hijackthis.log 2005-02-16 15:06 218,112 ----a-w C:\Program Files\HijackThis.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [] "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [2007-12-23 20:27] "S3TRAY2"="S3tray2.exe" [2003-02-25 03:33 C:\WINDOWS\system32\S3tray2.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-01 13:22] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2003-04-21 09:29:42] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54] VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-08-04 09:08:57] R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2005-03-30 18:31] S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\System32\DRIVERS\gan_adapter.sys [2006-10-19 10:11] S3 NPDORMW;NPDOR Media Driver;C:\WINDOWS\System32\Drivers\NPDORMW.sys [] S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\System32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874} [] . ************************************************************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-24 08:36:30 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\System32\shls.dll . Completion time: 2007-12-24 8:37:11 C:\ComboFix2.txt ... 2007-12-23 20:52 C:\ComboFix3.txt ... 2007-12-23 20:45 . 2007-07-14 16:41:28 --- E O F --- As far as system performance, I haven't had any more popups since AVG ran and found the Trojan downloaders the other morning. But I think still running slower than normal. Thanks Edit to add - zipped file also submitted: [4]-Submit_2007-12-24@8.31 Last edited by woobiebv : 12-24-2007 at 08:51 AM.