Forum section: Resolved HJT Threads (resolved spyware and popup issues)

Thread: help removing trojan and adware
Post #21, 10-20-2007, 07:40 PM, by sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; joined May 2005; 21,354 posts; OS: XP)

Re: help removing trojan and adware

Take a look in this folder - C:\ComboFix

Do you see a file named - WinDir.dat

If you can find the file, please upload it to here :> http://www.bleepingcomputer.com/subm....php?channel=4

It'll hopefully shed some light as to what went on
Post #22, 10-20-2007, 08:51 PM, by import1 (Registered User; joined Oct 2007; 16 posts; OS: XP)

Re: help removing trojan and adware

I found the file and uploaded it, and it says that I successfully submitted it.
Post #23, 10-20-2007, 09:00 PM, by sUBs

Re: help removing trojan and adware

Please wait a while. I shall take a peek at it now.
Post #24, 10-20-2007, 09:24 PM, by sUBs

Re: help removing trojan and adware

The file is incomplete. It looks like one of your security programs is killing the process and preventing it from running. As a result, we ended up with an incomplete file: ComboFix kept waiting and waiting for the file to complete.

Okay, I made some amendments to ComboFix. Please grab an updated copy from here :> http://download.bleepingcomputer.com...a/ComboFix.exe

Run it using the CFScript that was prescribed earlier.
Post #25, 10-21-2007, 12:15 PM, by import1

Re: help removing trojan and adware

ComboFix worked that time. Here are the three logs requested:

COMBOFIX LOG

ComboFix 07-10-21.2 - Administrator 2007-10-21 11:21:52.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\jkkjk.dll
C:\WINDOWS\system32\vlyagipz.dll
C:\WINDOWS\winshow.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\internet.lnk
C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\WINDOWS\system32\bmjrkcpd.exe
C:\WINDOWS\system32\dnuotnia.exe
C:\WINDOWS\system32\exhnxkbx.dllbox
C:\WINDOWS\system32\igltkuey.dllbox
C:\WINDOWS\system32\iydwwkrn.exe
C:\WINDOWS\system32\krqxhqiu.dllbox
C:\WINDOWS\system32\njfptqbv.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rv1
C:\WINDOWS\system32\rv1\gccb83122.exe
C:\WINDOWS\system32\rvffbxqr.exe
C:\WINDOWS\system32\tbfnlwrl.dllbox
C:\WINDOWS\system32\vgnfjqww.exe
C:\WINDOWS\system32\vlyagipz.dll
C:\WINDOWS\system32\vlyagipz.dllbox
C:\WINDOWS\system32\wpwjfbnk.exe
C:\WINDOWS\system32\xfktctqa.dllbox
C:\WINDOWS\system32\xlxofnhk.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-17 08:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 03:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-16 09:12 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-15 21:03 <DIR> d-------- C:\Deckard
2007-10-15 20:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-14 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-14 18:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-14 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-13 23:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-13 23:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-13 23:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-13 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-13 22:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-13 11:21 <DIR> d-------- C:\Docum
2007-10-13 10:52 <DIR> d-------- C:\Program Files\CONEXANT
2007-10-12 11:50 492,544 --a------ C:\WINDOWS\system32\WRLogonNtf(2).dll
2007-10-12 11:49 <DIR> d-------- C:\Program Files\Webroot
2007-10-12 11:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 11:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-08 16:53 <DIR> d-------- C:\WINDOWS\system32\zipz2
2007-10-08 16:53 <DIR> d-------- C:\WINDOWS\system32\vMW10a
2007-10-08 16:53 <DIR> d-------- C:\WINDOWS\system32\ss1
2007-10-08 16:53 <DIR> d-------- C:\WINDOWS\system32\bbc1
2007-09-28 10:19 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-28 10:16 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-27 18:21 <DIR> d-------- C:\WINDOWS\pss
2007-09-27 17:28 <DIR> d-------- C:\Program Files\QuickTime
2007-09-27 17:21 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-27 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 15:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ComcastToolbar
2007-10-21 15:19 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ComcastToolbar
2007-10-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-13 18:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ruckus Network
2007-10-13 18:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ruckus Network
2007-10-12 14:22 --------- d-----w C:\Program Files\Google
2007-10-09 23:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-10-09 23:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-10-08 15:38 --------- d-----w C:\Program Files\Java
2007-01-29 06:57 2,410 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2007-01-29 06:57 2,410 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_12.19.48.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 1308 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-21 15:30:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 20:20]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 20:20]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 20:57]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 13:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 22:20]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 16:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 11:44]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB3282"=command /c del "C:\WINDOWS\system32\vlyagipz.dllbox"
"SpybotDeletingD5907"=cmd /c del "C:\WINDOWS\system32\vlyagipz.dllbox"
"SpybotDeletingB2651"=command /c del "C:\WINDOWS\system32\vlyagipz.dll_old"
"SpybotDeletingD3231"=cmd /c del "C:\WINDOWS\system32\vlyagipz.dll_old"
"SpybotDeletingB5037"=command /c del "C:\WINDOWS\system32\vlyagipz.dll"
"SpybotDeletingD1025"=cmd /c del "C:\WINDOWS\system32\vlyagipz.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA8719"=command /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
"SpybotDeletingC4589"=cmd /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
"SpybotDeletingA5106"=command /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
"SpybotDeletingC7988"=cmd /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
"SpybotDeletingA466"=command /c del "C:\WINDOWS\system32\ezfvarxk.dll"
"SpybotDeletingA1520"=command /c del "C:\WINDOWS\system32\vlyagipz.dllbox"
"SpybotDeletingC8046"=cmd /c del "C:\WINDOWS\system32\vlyagipz.dllbox"
"SpybotDeletingA5107"=command /c del "C:\WINDOWS\system32\vlyagipz.dll_old"
"SpybotDeletingC6481"=cmd /c del "C:\WINDOWS\system32\vlyagipz.dll_old"
"SpybotDeletingA3715"=command /c del "C:\WINDOWS\system32\vlyagipz.dll"
"SpybotDeletingC7537"=cmd /c del "C:\WINDOWS\system32\vlyagipz.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttqpn]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares lite]
"C:\Program Files\ARES\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\areslite]
"C:\Program Files\Ares Lite Edition\AresLite.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"Bonjour Service"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)

R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
S3 DC21x4;DC21x4 Based Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\dc21x4.sys
S3 EMCFILT;Alcor Micro Corp for Emachine- 9361;\??\C:\WINDOWS\System32\Drivers\EMcFilt.sys
S3 WISTechVIDCAP;Dazzle DVC170;C:\WINDOWS\system32\drivers\wisgostrm.sys
S4 sprtsvc_ddoctorv2;SupportSoft Sprocket Service (ddoctorv2);"C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2

.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 19:33:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2005-08-05 08:05:53 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 11:31:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-21 11:35:24 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-17 12:21
.
--- E O F ---


ACTIVE SCAN

Incident Status
Virus:Trj/Downloader.MDW Not disinfected
Virus:Trj/Downloader.QRN Disinfected
Spyware:Cookie/Atwola Not disinfected
Potentially unwanted tool:Application/NirCmd.A Not disinfected
Potentially unwanted tool:Application/NirCmd.A Not disinfected
Potentially unwanted tool:Application/NirCmd.A Not disinfected
Potentially unwanted tool:Application/NirCmd.A Not disinfected
Adware:Adware/SecurityToolbar Not disinfected
Virus:Trj/Agent.GQA Disinfected
Virus:Trj/Downloader.OZB Disinfected
Spyware:Spyware/Virtumonde Not disinfected
Virus:Trj/Downloader.OZB Disinfected
Adware:Adware/SecurityToolbar Not disinfected
Adware:Adware/SecurityToolbar Not disinfected
Adware:Adware/TTC Not disinfected
Adware:Adware/SecurityToolbar Not disinfected
Adware:Adware/SecurityToolbar Not disinfected
Adware:Adware/SecurityToolbar Not disinfected
Adware:Adware/SecurityToolbar Not disinfected
Spyware:Spyware/Virtumonde Not disinfected
Potentially unwanted tool:Application/NirCmd.A Not disinfected
Adware:Adware/Amera Not disinfected
Virus:Generic Malware Disinfected
Virus:Trj/Downloader.MDW Disinfected

location
C:\Deckard\SystemScanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\k11u72.exe[vMW10a1099.exe]
C:\Deckard\SystemScanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wr-1-77.exe
C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.exe]
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.cfexe]
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\Cache\7ED6F4AAd01[nircmd.exe]
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\Cache\7ED6F4AAd01[nircmd.cfexe]
C:\qoobox\Quarantine\C\Program Files\Hammer.dll.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\awttqpn.dll.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\bmjrkcpd.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\dnuotnia.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\iwxnlqdk.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\iydwwkrn.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\njfptqbv.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\rv1\gccb83122.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\rvffbxqr.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\vgnfjqww.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\vlyagipz.dll.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\wpwjfbnk.exe.vir
C:\qoobox\Quarantine\C\WINDOWS\system32\xlxofnhk.exe.vir
C:\WINDOWS\NirCmd.exe
C:\WINDOWS\system32\bbc1\bsasven2.exe[ISMPack6.exe]
C:\WINDOWS\system32\ss1\rw1002bc.exe
C:\WINDOWS\system32\vMW10a\vMW10a1099.exe


HJT LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:13 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32262E1A-2E89-4935-82FF-6F87C309D6C8} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D1302DF-EA46-4C1F-B15B-C62CF4D328B6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B8297037-BC94-41E7-B7A2-808DB5209D69} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pofxwryy.dll",sitypnow
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8719] command /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4589] cmd /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5106] command /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7988] cmd /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA466] command /c del "C:\WINDOWS\system32\ezfvarxk.dll"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192496157562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: awttqpn - C:\WINDOWS\
O20 - Winlogon Notify: vlyagipz - C:\WINDOWS\
O20 - Winlogon Notify: xfktctqa - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8848 bytes
Post #26, 10-21-2007, 10:00 PM, by forhockey (Analyst, Security Team; Ontario, Canada; joined Sep 2006; 2,584 posts; OS: Windows XP Pro)


Re: help removing trojan and adware

Hi import1,

P2P Software

I see you have P2P software ( ARES Lite, BearShare) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
KILLALL::

File::
C:\WINDOWS\system32\pofxwryy.dll

Folder::
C:\WINDOWS\system32\zipz2
C:\WINDOWS\system32\vMW10a
C:\WINDOWS\system32\ss1
C:\WINDOWS\system32\bbc1

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttqpn]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vlyagipz]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xfktctqa]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32262E1A-2E89-4935-82FF-6F87C309D6C8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D1302DF-EA46-4C1F-B15B-C62CF4D328B6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8297037-BC94-41E7-B7A2-808DB5209D69}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchIndexer"=-
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe.

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.amaena.com (HKLM)

Please remember to close all other windows, including browsers then click Fix checked.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

--------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
New HiJackThis Log
Kaspersky Online Scan Results
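The triage forhockey does by hand in the post above (reading the HijackThis log, flagging the O2/O3 entries that point at no file, the rundll32 Run entry loading a random-named DLL, the Trusted Zone lines and the Winlogon Notify names, and turning the hits into a CFScript) as an added example in Python. This is not part of the thread and not code from HijackThis or ComboFix; the line formats and the CFScript sections follow the logs and the script posted here. The sample log lines are constructed from the posted log with a few benign entries added, and the random-name heuristic, the function names and the exact mapping of each hit to a CFScript section are this example's own assumptions, so its output is a draft for an analyst to review rather than something to run on a machine unread.

```python
"""Triage HijackThis (HJT) 2.x log lines and draft the matching CFScript.

Added example: not the thread's own code and not HijackThis or ComboFix logic.
The line shapes and the CFScript sections (KILLALL::, File::, Registry::,
[-key] and "value"=-) follow the logs and script posted in the thread.
"""
import re

# Heuristic (assumption of this example): the droppers in this thread use
# 7-8 lowercase-letter names (pofxwryy, awttqpn, vlyagipz, xfktctqa).
RANDOM_NAME = re.compile(r"^[a-z]{7,8}$")

RE_O2O3 = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): .* - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RE_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.*)$")
RE_O15 = re.compile(r"^O15 - Trusted Zone: \S+(?: \(HKLM\))?$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RE_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)

HIVE = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"  # ComboFix shorthand, as in the thread
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"

# Constructed sample: lines shaped like the posted log, plus benign entries
# (Adobe BHO, avast!, WgaLogon) that a correct triage must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32262E1A-2E89-4935-82FF-6F87C309D6C8} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\pofxwryy.dll",sitypnow
O15 - Trusted Zone: *.amaena.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: awttqpn - C:\WINDOWS\
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def looks_random(path_or_name):
    """True if the file stem (no directory, no extension) fits RANDOM_NAME."""
    stem = path_or_name.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(RANDOM_NAME.match(stem))


def _add(bucket, item):
    if item not in bucket:  # HJT lists HKLM/HKCU twins; one fix line each
        bucket.append(item)


def triage(log_text):
    """Return {'files': [...], 'registry': [...], 'hjt_fix': [...]} for a log."""
    findings = {"files": [], "registry": [], "hjt_fix": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_O2O3.match(line)
        if m:
            kind, clsid, target = m.groups()
            if target == "(no file)":  # orphaned CLSID registration
                if kind == "O2":
                    _add(findings["registry"], f"[-{BHO_KEY}\\{clsid}]")
                else:
                    _add(findings["registry"], f"[{TOOLBAR_KEY}]\n\"{clsid}\"=-")
            continue
        m = RE_O4.match(line)
        if m:
            hive, subkey, name, cmd = m.groups()
            r = RE_RUNDLL.match(cmd)
            if r and looks_random(r.group(1)):  # rundll32 loading a random-named DLL
                _add(findings["files"], r.group(1))
                _add(findings["registry"],
                     f"[{HIVE[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{subkey}]\n\"{name}\"=-")
            continue
        if RE_O15.match(line):  # non-default Trusted Zone: fixed in HJT, not ComboFix
            _add(findings["hjt_fix"], line)
            continue
        m = RE_O20.match(line)
        if m:
            name, target = m.groups()
            # Random-looking notify name, or a DllName HJT could not resolve to a .dll
            if looks_random(name) or not target.lower().endswith(".dll"):
                _add(findings["registry"], f"[-{NOTIFY_KEY}\\{name}]")
    return findings


def build_cfscript(findings):
    """Render the findings in the CFScript layout used in the thread."""
    parts = ["KILLALL::"]
    if findings["files"]:
        parts.append("File::\n" + "\n".join(findings["files"]))
    if findings["registry"]:
        parts.append("Registry::\n" + "\n".join(findings["registry"]))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(build_cfscript(found))
    print("Fix in HijackThis:", *found["hjt_fix"], sep="\n  ")
```

Run as a script it prints the draft CFScript followed by the O15 lines; the O15 entries are kept apart because forhockey removes those with HijackThis's "Fix checked" rather than through ComboFix. The benign lines (the Adobe BHO, avast!, WgaLogon) produce nothing, and the heuristic deliberately errs on the side of flagging, so every hit still needs the eyeball check the thread's analysts apply.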
Post #27, 10-22-2007, 10:36 AM, by import1

Re: help removing trojan and adware

COMBOFIX LOG

ComboFix 07-10-21.2 - Administrator 2007-10-22 9:56:39.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\pofxwryy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bbc1
C:\WINDOWS\system32\bbc1\bsasven2.exe
C:\WINDOWS\system32\ss1
C:\WINDOWS\system32\vMW10a
C:\WINDOWS\system32\zipz2

.
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-21 13:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-21 11:42 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-17 08:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-17 03:04 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-16 09:12 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-10-15 21:03 <DIR> d-------- C:\Deckard
2007-10-15 20:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-14 20:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-14 18:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-14 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-13 23:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-13 23:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-10-13 23:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-13 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-13 22:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-13 11:21 <DIR> d-------- C:\Docum
2007-10-13 10:52 <DIR> d-------- C:\Program Files\CONEXANT
2007-10-12 11:50 492,544 --a------ C:\WINDOWS\system32\WRLogonNtf(2).dll
2007-10-12 11:49 <DIR> d-------- C:\Program Files\Webroot
2007-10-12 11:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-10-12 11:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-09-28 10:19 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-09-28 10:16 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-27 18:21 <DIR> d-------- C:\WINDOWS\pss
2007-09-27 17:28 <DIR> d-------- C:\Program Files\QuickTime
2007-09-27 17:21 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-27 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 20:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ComcastToolbar
2007-10-21 20:59 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ComcastToolbar
2007-10-21 16:19 --------- d-----w C:\Program Files\Google
2007-10-21 16:19 --------- d-----w C:\Program Files\Digital Media Reader
2007-10-21 16:17 --------- d-----w C:\Program Files\ComcastToolbar
2007-10-21 16:16 --------- d-----w C:\Program Files\Bonjour
2007-10-21 16:16 --------- d-----w C:\Program Files\AIM6
2007-10-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-15 01:33 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-10-13 18:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ruckus Network
2007-10-13 18:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Ruckus Network
2007-10-09 23:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-10-09 23:41 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-10-08 15:38 --------- d-----w C:\Program Files\Java
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 23:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-01-29 06:57 2,410 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
2007-01-29 06:57 2,410 -c--a-w C:\Documents and Settings\Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2007-10-17_12.19.48.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 1308 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2006-08-24 12:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2003-08-01 15:00:16 36,864 ----a-w C:\WINDOWS\LastGood\system32\ActiveScan\certdll.dll
+ 2007-03-29 13:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 20:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 18:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2005-05-20 17:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 22:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 22:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 19:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 17:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 14:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 17:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 22:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 20:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 18:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 18:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 17:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 1708 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 15:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 15:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 12:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 18:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 14:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 14:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 20:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 13:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 14:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 18:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 18:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 17:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 12:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 12:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 21:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 18:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 10:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 21:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 16:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
+ 2003-03-25 22:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
+ 2007-10-21 15:30:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 20:20]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 20:20]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 20:57]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-01-15 13:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 22:20]
"PCLEUSBTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" []
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2003-11-10 16:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 11:44]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA8719"=command /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
"SpybotDeletingC4589"=cmd /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
"SpybotDeletingA5106"=command /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
"SpybotDeletingC7988"=cmd /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
"SpybotDeletingA466"=command /c del "C:\WINDOWS\system32\ezfvarxk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares lite]
"C:\Program Files\ARES\Ares.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\areslite]
"C:\Program Files\Ares Lite Edition\AresLite.exe" -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
"C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
"C:\Program Files\Microsoft IntelliPoint\point32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PrismXL"=2 (0x2)
"Bonjour Service"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)

R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
S3 DC21x4;DC21x4 Based Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\dc21x4.sys
S3 EMCFILT;Alcor Micro Corp for Emachine- 9361;\??\C:\WINDOWS\System32\Drivers\EMcFilt.sys
S3 WISTechVIDCAP;Dazzle DVC170;C:\WINDOWS\system32\drivers\wisgostrm.sys
S4 sprtsvc_ddoctorv2;SupportSoft Sprocket Service (ddoctorv2);"C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe" /service /P ddoctorv2

.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 19:33:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2005-08-05 08:05:53 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 09:59:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 10:01:20
C:\ComboFix2.txt ... 2007-10-21 11:35
C:\ComboFix3.txt ... 2007-10-17 12:21
.
--- E O F ---


HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:41 AM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8719] command /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4589] cmd /c del "C:\WINDOWS\system32\ezfvarxk.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5106] command /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7988] cmd /c del "C:\WINDOWS\system32\ezfvarxk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA466] command /c del "C:\WINDOWS\system32\ezfvarxk.dll"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192496157562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7457 bytes


Kaspersky SCAN

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 22, 2007 12:33:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/10/2007
Kaspersky Anti-Virus database records: 442523
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 68834
Number of viruses found: 10
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 01:19:58

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\k11u72.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bkw skipped
C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~1\LOCALS~1\Temp\k11u72.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\ggv0sp79.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007102220071023\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Hammer.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bbc1\bsasven2.exe.vir/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bbc1\bsasven2.exe.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bbc1\bsasven2.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\bbc1\bsasven2.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\dnuotnia.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\iydwwkrn.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\njfptqbv.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rv1\gccb83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rv1\gccb83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rvffbxqr.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vgnfjqww.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\vlyagipz.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\wpwjfbnk.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xlxofnhk.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP1\A0000022.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP1\A0000024.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP12\A0000923.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP12\A0000924.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP12\A0000925.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP12\A0000926.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP12\A0000928.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001028.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001029.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001030.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001031.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001032.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001033.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001034.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001035.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001036.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001037.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001037.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001043.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001178.exe Infected: Trojan-Downloader.Win32.Small.fxy skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001180.exe Infected: Email-Worm.Win32.Zhelatin.kb skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001181.exe Infected: Trojan-Downloader.Win32.VB.bkw skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\A0001198.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\A0001198.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\A0001198.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\A0001198.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\change.log Object is locked skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP3\A0000167.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP5\A0000266.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP5\A0000364.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP5\A0000365.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP5\A0000366.dll Infected: Trojan-Downloader.Win32.Agent.dpq skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{03488BFB-B0C0-4E6C-91C9-D1FBF1276DD5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\change.log Object is locked skipped

Scan process completed.
import1 is offline  
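The report above shows every object as "skipped": the online scanner only reports, it does not clean. Two kinds of skip matter differently. Hits under C:\System Volume Information\_restore{...}\RPnn\ are copies held in System Restore snapshots; they are inert until a restore is performed and are normally cleared by purging the restore points. "Object is locked" entries (registry hives, event logs, the WMI repository, Windows Update logs) are files the running OS holds open, not detections. The question a helper wants answered is whether any detection sits outside a restore point, i.e. is still live on disk. The following parser, added here as an example and not part of the thread, splits a report in this format into those buckets. The input is a constructed sample built from a few of the posted lines plus one invented on-disk hit (the `C:\Documents and Settings\user\...` path) to show the live case; the regular expressions are my own assumptions about the line format, derived from the posted log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of the posted Kaspersky Online Scanner
# report: several copied entries plus one invented on-disk hit (the
# "Documents and Settings" line) so the "live" bucket is not empty.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001178.exe Infected: Trojan-Downloader.Win32.Small.fxy skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP14\A0001180.exe Infected: Email-Worm.Win32.Zhelatin.kb skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\A0001198.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP15\A0001198.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{9786E1A5-2E7F-4801-91A9-EF3D4F91683E}\RP5\A0000365.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4d4.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\example.exe Infected: Trojan.Win32.Agent.bck skipped
Scan process completed.
"""

# One report line: "<path> Infected: <verdict> skipped",
# "<path> Object is locked skipped" or "<path> NSIS: infected - <n> skipped".
# The path may contain spaces, so it is matched lazily up to the status text.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)|Object is locked|NSIS: infected - (?P<count>\d+))"
    r" skipped$"
)

# System Restore snapshot location; the RPnn component identifies the restore point.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\"
)


@dataclass
class Entry:
    path: str
    kind: str                    # "infected", "container" or "locked"
    verdict: Optional[str]
    restore_point: Optional[str]  # "RP14" etc., None if not in a snapshot


def parse_report(text: str) -> list:
    """Parse report lines; blank lines and the trailer are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        rp = RESTORE_RE.search(path)
        if m.group("verdict"):
            kind, verdict = "infected", m.group("verdict")
        elif m.group("count"):
            # Archive-level summary line; its members were already reported.
            kind, verdict = "container", f"NSIS archive, {m.group('count')} infected members"
        else:
            kind, verdict = "locked", None
        entries.append(Entry(path, kind, verdict, rp.group("rp") if rp else None))
    return entries


def summarize(entries: list) -> dict:
    """Separate in-use files, snapshot copies and detections still live on disk."""
    hits = [e for e in entries if e.kind != "locked"]
    in_snapshot = [e for e in hits if e.restore_point]
    live = [e for e in hits if not e.restore_point]
    return {
        "locked": sum(1 for e in entries if e.kind == "locked"),
        "restore_point_hits": Counter(e.restore_point for e in in_snapshot),
        "live_hits": [(e.path, e.verdict) for e in live],
        "verdicts": Counter(e.verdict for e in hits if e.kind == "infected"),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("locked (in use, not detections):", summary["locked"])
    print("hits per restore point:", dict(summary["restore_point_hits"]))
    print("live on disk:", summary["live_hits"])
```

Run against the full posted log, `live_hits` is what still needs attention; everything in `restore_point_hits` goes away once the restore points are purged, and the `locked` count can be ignored.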