Tech Support Forum - View Single Post - Wizards: Spyware removal, Malicious Software, Sys Integrity

totonoz · 10-09-2006, 01:26 AM

Hello Again Glaswegian:

I did everything you advised but was unable to remove:

04 - Startup: .protected
04 - Global Startup: .protected

unable to delete the file:
04 - Startup: .protected (or 04 - Global Startup: .protected)
The file may be in use. Use Task Manager to shutdown the program and run HijackThis again to delete the file.

I had no idea what needed to be ended in order to be able to remove these 2 items. Please advise.

Here are my logs:

Witcher Family - 06-10-08 23

47.89 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Witcher Family\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-08 to 2006-10-08 ))))))))))))))))))))))))))))))))))

2006-10-08 22:32 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-03 07:58 94,720 --a------ C:\WINDOWS\system32\lkqfuyc.dll
2006-10-03 07:58 72,704 --a------ C:\WINDOWS\system32\aufzbmk.dll
2006-09-27 15:52 94,208 --a------ C:\WINDOWS\system32\ipkypkl.dll
2006-09-27 15:52 73,216 --a------ C:\WINDOWS\system32\wzgamdh.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-08 23:02 -------- d-------- C:\Program Files\BellSouth Internet Tools
2006-10-08 22:32 -------- d-------- C:\Program Files\Grisoft
2006-10-08 22:28 -------- d-------- C:\Program Files\CleanUp!
2006-10-08 00:16 -------- d-------- C:\Program Files\HijackThis
2006-10-08 00:12 -------- d-------- C:\Program Files\SpywareBlaster
2006-09-19 02:10 -------- d---s---- C:\Documents and Settings\Witcher Family\Application Data\Microsoft
2006-09-17 16:41 -------- d-------- C:\Program Files\fsupport
2006-09-06 20:35 -------- d-------- C:\Program Files\Yahoo!
2006-09-06 20:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-09-06 20:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2006-09-06 20:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys
2006-09-06 16:31 165376 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2006-09-05 17:03 94720 --a------ C:\WINDOWS\system32\lwyinsf.dll
2006-09-05 17:03 72192 --a------ C:\WINDOWS\system32\dbvywxf.dll
2006-09-05 16:53 -------- d-------- C:\Program Files\Wal-Mart Music Downloads Store
2006-08-21 23:07 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-21 23:07 -------- d-------- C:\Program Files\LGUsbDriver
2006-08-21 22:07 -------- d-------- C:\Program Files\BitPim
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-18 09:00 -------- d-------- C:\Program Files\Lavasoft
2006-08-18 09:00 -------- d-------- C:\Documents and Settings\Witcher Family\Application Data\Lavasoft
2006-08-17 23:56 88280 --a------ C:\Documents and Settings\Witcher Family\Application Data\winantiviruspro2006freeinstall[1].exe
2006-08-17 23:34 21504 --a------ C:\WINDOWS\system32\7b0b52a3.exe
2006-08-13 08:26 -------- d-------- C:\Program Files\Internet Explorer
2006-08-11 11:06 -------- d-------- C:\Program Files\The Weather Channel FW
2006-08-11 11:04 -------- d-------- C:\Program Files\DVDFab Decrypter
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\""
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"7b0b52a3.exe"="C:\\Documents and Settings\\Witcher Family\\Local Settings\\Application Data\\7b0b52a3.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"blspcloader"="\"C:\\Program Files\\BellSouth Internet Tools\\blsloader.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"7b0b52a3.exe"="C:\\WINDOWS\\system32\\7b0b52a3.exe"
"lwyinsf.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lwyinsf.dll,fbzswoc"
"ipkypkl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ipkypkl.dll,uplrvb"
"lkqfuyc.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lkqfuyc.dll,apjhql"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1136860704.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1136917043.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 06-10-08 23:07:42.18
ComboFix.txt

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:39 06-10-09

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : Cleaned with backup (quarantined).
HKU\S-1-5-21-3755144598-1082263548-3627520477-1005\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
C:\Documents and Settings\Witcher Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5a8a5bd2-39542523.class -> Downloader.OpenStream.y : Cleaned with backup (quarantined).
F:\Documents and Settings\Witcher Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5a8a5bd2-39542523.class -> Downloader.OpenStream.y : Cleaned with backup (quarantined).
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
C:\Documents and Settings\Witcher Family\Application Data\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
F:\Documents and Settings\Witcher Family\Application Data\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
F:\Documents and Settings\Witcher Family\Cookies\witcher family@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@com[1].txt -> TrackingCookie.Com : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wfkoqgdjcgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wgkiqgc5mgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wgkyeocpslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjkoehdzclp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjl4cnd5geq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjl4uodpwhq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjl4wncjglq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjnycncjgcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
F:\Documents and Settings\Witcher Family\Cookies\witcher family@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP362\A0025607.dll -> Trojan.Agent.qg : Cleaned with backup (quarantined).
C:\Documents and Settings\Witcher Family\Local Settings\Application Data\13648af6.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).

::Report end

Incident Status Location

Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS2218.exe
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Witcher Family\Local Settings\Application Data\7b0b52a3.exe
Adware:Adware/Itbill Not disinfected C:\Program Files\fsupport\notifier.exe
Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm]
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\7b0b52a3.exe
Spyware:Cookie/Belnk Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@belnk[1].txt
Spyware:Cookie/Cgi-bin Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@cgi-bin[1].txt
Spyware:Cookie/Belnk Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@dist.belnk[2].txt
Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@realmedia[2].txt
Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Witcher Family\Local Settings\Temp\Cookies\witcher family@atwola[1].txt

Logfile of HijackThis v1.99.1
Scan saved at 02:09, on 06-10-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136964384875
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellso...ls_speedop.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

10-09-2006, 01:26 AM	#5 (permalink)
totonoz Registered User Join Date: Sep 2006 Posts: 7 OS: XP	Hello Again Glaswegian: I did everything you advised but was unable to remove: 04 - Startup: .protected 04 - Global Startup: .protected unable to delete the file: 04 - Startup: .protected (or 04 - Global Startup: .protected) The file may be in use. Use Task Manager to shutdown the program and run HijackThis again to delete the file. I had no idea what needed to be ended in order to be able to remove these 2 items. Please advise. Here are my logs: Witcher Family - 06-10-08 2347.89 Service Pack 2 ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Witcher Family\Desktop" ((((((((((((((((((((((((((((((( Files Created from 2006-09-08 to 2006-10-08 )))))))))))))))))))))))))))))))))) 2006-10-08 22:32 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2006-10-03 07:58 94,720 --a------ C:\WINDOWS\system32\lkqfuyc.dll 2006-10-03 07:58 72,704 --a------ C:\WINDOWS\system32\aufzbmk.dll 2006-09-27 15:52 94,208 --a------ C:\WINDOWS\system32\ipkypkl.dll 2006-09-27 15:52 73,216 --a------ C:\WINDOWS\system32\wzgamdh.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-10-08 23:02 -------- d-------- C:\Program Files\BellSouth Internet Tools 2006-10-08 22:32 -------- d-------- C:\Program Files\Grisoft 2006-10-08 22:28 -------- d-------- C:\Program Files\CleanUp! 2006-10-08 00:16 -------- d-------- C:\Program Files\HijackThis 2006-10-08 00:12 -------- d-------- C:\Program Files\SpywareBlaster 2006-09-19 02:10 -------- d---s---- C:\Documents and Settings\Witcher Family\Application Data\Microsoft 2006-09-17 16:41 -------- d-------- C:\Program Files\fsupport 2006-09-06 20:35 -------- d-------- C:\Program Files\Yahoo! 2006-09-06 20:27 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys 2006-09-06 20:27 197648 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys 2006-09-06 20:09 1051456 --a------ C:\WINDOWS\system32\drivers\VsapiNT.sys 2006-09-06 16:31 165376 --a------ C:\WINDOWS\system32\SpoonUninstall.exe 2006-09-05 17:03 94720 --a------ C:\WINDOWS\system32\lwyinsf.dll 2006-09-05 17:03 72192 --a------ C:\WINDOWS\system32\dbvywxf.dll 2006-09-05 16:53 -------- d-------- C:\Program Files\Wal-Mart Music Downloads Store 2006-08-21 23:07 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-08-21 23:07 -------- d-------- C:\Program Files\LGUsbDriver 2006-08-21 22:07 -------- d-------- C:\Program Files\BitPim 2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll 2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe 2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys 2006-08-18 09:00 -------- d-------- C:\Program Files\Lavasoft 2006-08-18 09:00 -------- d-------- C:\Documents and Settings\Witcher Family\Application Data\Lavasoft 2006-08-17 23:56 88280 --a------ C:\Documents and Settings\Witcher Family\Application Data\winantiviruspro2006freeinstall[1].exe 2006-08-17 23:34 21504 --a------ C:\WINDOWS\system32\7b0b52a3.exe 2006-08-13 08:26 -------- d-------- C:\Program Files\Internet Explorer 2006-08-11 11:06 -------- d-------- C:\Program Files\The Weather Channel FW 2006-08-11 11:04 -------- d-------- C:\Program Files\DVDFab Decrypter 2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup" "OE_OEM"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\TMAS_OE\\TMAS_OEMon.exe\"" "MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\"" "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "7b0b52a3.exe"="C:\\Documents and Settings\\Witcher Family\\Local Settings\\Application Data\\7b0b52a3.exe" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe" "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe" "SigmatelSysTrayApp"="stsystra.exe" "IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe" "ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\"" "DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"" "ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup" "ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start" "MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe" "MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\"" "pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 12\\pccguide.exe\"" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe" "blspcloader"="\"C:\\Program Files\\BellSouth Internet Tools\\blsloader.exe\"" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide" "7b0b52a3.exe"="C:\\WINDOWS\\system32\\7b0b52a3.exe" "lwyinsf.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lwyinsf.dll,fbzswoc" "ipkypkl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ipkypkl.dll,uplrvb" "lkqfuyc.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lkqfuyc.dll,apjhql" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\ 63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\ 6d,73,73,74,79,6c,65,73,00 "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\ 73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoCDBurning"=dword:00000000 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1136860704.job C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1136917043.job C:\WINDOWS\tasks\MP Scheduled Scan.job Completion time: 06-10-08 23:07:42.18 ComboFix.txt --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 00:39 06-10-09 + Scan result: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.Generic : Cleaned with backup (quarantined). HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : Cleaned with backup (quarantined). HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : Cleaned with backup (quarantined). HKU\S-1-5-21-3755144598-1082263548-3627520477-1005\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined). C:\Documents and Settings\Witcher Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5a8a5bd2-39542523.class -> Downloader.OpenStream.y : Cleaned with backup (quarantined). F:\Documents and Settings\Witcher Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5a8a5bd2-39542523.class -> Downloader.OpenStream.y : Cleaned with backup (quarantined). C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined). C:\Documents and Settings\Witcher Family\Application Data\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined). F:\Documents and Settings\Witcher Family\Application Data\winantiviruspro2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined). F:\Documents and Settings\Witcher Family\Cookies\witcher family@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@com[1].txt -> TrackingCookie.Com : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wfkoqgdjcgo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wgkiqgc5mgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wgkyeocpslo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjkoehdzclp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjl4cnd5geq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjl4uodpwhq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjl4wncjglq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@e-2dj6wjnycncjgcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. F:\Documents and Settings\Witcher Family\Cookies\witcher family@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP362\A0025607.dll -> Trojan.Agent.qg : Cleaned with backup (quarantined). C:\Documents and Settings\Witcher Family\Local Settings\Application Data\13648af6.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined). ::Report end Incident Status Location Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS2218.exe Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Witcher Family\Local Settings\Application Data\7b0b52a3.exe Adware:Adware/Itbill Not disinfected C:\Program Files\fsupport\notifier.exe Virus:Eicar.Mod Not disinfected C:\Program Files\Trend Micro\Internet Security 12\tmhelp.chm[/PCC12/Test_virus.htm] Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\7b0b52a3.exe Spyware:Cookie/Belnk Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@belnk[1].txt Spyware:Cookie/Cgi-bin Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@cgi-bin[1].txt Spyware:Cookie/Belnk Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@dist.belnk[2].txt Spyware:Cookie/RealMedia Not disinfected F:\Documents and Settings\Witcher Family\Cookies\witcher family@realmedia[2].txt Spyware:Cookie/Atwola Not disinfected F:\Documents and Settings\Witcher Family\Local Settings\Temp\Cookies\witcher family@atwola[1].txt Logfile of HijackThis v1.99.1 Scan saved at 02:09, on 06-10-09 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\stsystra.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\BellSouth Internet Tools\blsloader.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Nikon\PictureProject\NkbMonitor.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: .protected O4 - Global Startup: .protected O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136964384875 O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastaccess.drivers.bellso...ls_speedop.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe