Old 06-06-2008, 04:51 PM   #6 (permalink)
pmb116
OS: xp


Re: Comp shutting down with BSOD and then restarting on its own

Thank you once again. Here are the logs you asked for. The computer seems to be running well for the time being, but I won't know how well until I can monitor it for an extended period of time.
ComboFix 08-06-06.4 - Rob 2008-06-06 17:11:58.2 - NTFSx86

Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\CFScript.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\fennohfk.dll
C:\WINDOWS\system32\kfhonnef.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nxepbvhg.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 17:12 . 2008-06-06 17:12 0 --a------ C:\WINDOWS\system32\kfhonnef.tmp
2008-06-06 03:27 . 2008-06-06 03:35 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-04 23:54 . 2008-06-04 23:54 <DIR> d-------- C:\WINDOWS\Sun
2008-06-04 23:54 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-04 23:53 . 2008-06-04 23:54 <DIR> d-------- C:\Program Files\Java
2008-06-04 23:53 . 2008-06-04 23:53 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-04 20:06 . 2008-06-04 20:15 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-04 20:06 . 2008-06-04 20:15 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-04 20:04 . 2008-06-04 20:04 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-04 20:04 . 2008-06-06 09:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-04 20:04 . 2008-06-06 17:15 1,440,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 20:04 . 2008-06-06 17:15 19,916 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-04 20:04 . 2008-06-06 17:15 18,208 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-04 20:04 . 2008-06-06 17:15 1,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-04 20:02 . 2008-06-04 20:02 <DIR> d-------- C:\kav
2008-06-04 19:33 . 2008-06-04 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-04 18:08 . 2008-06-04 18:08 <DIR> d-------- C:\Deckard
2008-06-01 00:43 . 2008-06-01 00:43 <DIR> d-------- C:\ie-spyad_zo
2008-06-01 00:38 . 2008-06-01 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-01 00:38 . 2008-06-04 17:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 00:38 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-01 00:38 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-01 00:38 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-31 23:43 . 2008-05-31 23:43 <DIR> d-------- C:\Program Files\Panda Security
2008-05-31 03:21 . 2008-05-31 03:21 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AXPFixer
2008-05-30 23:51 . 2008-05-30 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-30 23:50 . 2008-05-30 23:50 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-30 23:25 . 2008-05-31 03:06 <DIR> d-------- C:\Program Files\Google
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 23:25 . 2008-06-06 17:17 4,712 --a------ C:\logfile

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 00:16 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-04 23:33 --------- d-----w C:\Program Files\Lavasoft
2008-06-04 23:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-01 03:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-15 02:31 --------- d-----w C:\Program Files\World of Warcraft
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-10 16:37 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-09 04:47 --------- d-----w C:\Program Files\Kodak
2008-04-09 04:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-04-09 04:46 --------- d-----w C:\Program Files\Common Files\Kodak
.

((((((((((((((((((((((((((((( snapshot@2008-06-06_ 2.47.59.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-06 06:43:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 21:16:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-03-15 22:19:28 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 2236 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 11:20 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 14:42 1404928]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 12:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 11:23:10 1404928]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 04:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\kav\\kav7\\setup.exe"=
"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 04:43:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 17:17:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-06 17:20:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 21:20:31
ComboFix2.txt 2008-06-06 06:48:30

Pre-Run: 1,992,859,648 bytes free
Post-Run: 1,981,542,400 bytes free


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 6:48:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 834859
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 35543
Number of viruses found: 4
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 00:56:44

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt10.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt12.tmp NSIS: infected - 2 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt14.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt16.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt45.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.tt8.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Deckard\System Scanner\backup\DOCUME~1\Rob\LOCALS~1\Temp\.ttB.tmp Infected: Trojan-Dropper.Win32.NSIS.f skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Desktop\[4]-Submit_2008-06-06@17.11.zip/nxepbvhg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\Documents and Settings\Rob\Desktop\[4]-Submit_2008-06-06@17.11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temp\~DF6BC8.tmp Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\catchme2008-06-06_ 23008.32.zip/mssrv32.exe Infected: Trojan.Win32.Buzus.fit skipped
C:\QooBox\Quarantine\catchme2008-06-06_ 23008.32.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EC0AEA79-FB7A-4384-8F3D-449CF71EE0A8}\RP8\A0018270.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yag skipped
C:\System Volume Information\_restore{EC0AEA79-FB7A-4384-8F3D-449CF71EE0A8}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{21CA0A50-A257-4CD0-A5D5-192D727607C1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 6:51:02 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Rob\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/...ws-i586-jc.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe