Trojan Virus - "Your Privacy Guard"

[bharat.gattu]

Hi,
It seems like my computer is infected by a trojan virus - it is the same virus as described in the post:
Your Privacy Guard Malware

I have a desktop picture which redirects me to the site:

link removed.

I have got two icons on my desktop: "Spyware&protection" and "Privacy Protector". A pop up called "Spyware Alert" appears every now and then with the description as follows:
"Spyware alert Warning:

Worm.Win32.NetSky detected on your machine. This virus is distributed via the Internet through e-mail and Active-X objects. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.
This process should be removed from your system.

Type: Virus
System Affected: WIndows 2000, NT, ME, XP, Vista
Security Risk (0-5): 5
Recommendations: Click Yes to remove it from your PC immediately "

Could you please help me remove this virus from my system?
Please let me know if you need any furthur details.

Thanking You,
With Regards,
Bharat Gattu

[tetonbob]

Please follow MicroBell's 5 Step process outlined here:

http://www.techsupportforum.com/secu...tml#post342651

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

[bharat.gattu]

Hi Bob,

I have followed the steps:
Step1 - Removing/uninstalling programs - done
Step 2: Panda Log - Generated as Activescan.txt attached to the Post.
Step 3: Installed Spyware Blaster and IE Spyad
Step 4: Operating system - up to Date Miscrosoft Windows XP Professional version 2002, Service pack 2
Step5: Deckard's System Scanner
extra.txt attached to the post.
main.text is as given below:

Deckard's System Scanner v20071014.68
Run by bgtx5 on 2007-12-28 20:40:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
103: 2007-12-29 02:40:15 UTC - RP103 - Deckard's System Scanner Restore Point
102: 2007-12-28 21:02:02 UTC - RP102 - System Checkpoint
101: 2007-12-27 20:46:53 UTC - RP101 - Installed AVG 7.5
100: 2007-12-27 20:46:16 UTC - RP100 - Removed AVG 7.5
99: 2007-12-27 20:42:36 UTC - RP99 - Installed AVG 7.5


-- First Restore Point --
1: 2007-10-03 17:41:32 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-28 20:40:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\explorer.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\bgtx5\Desktop\FIX\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mst.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\Software\..\Telephony: DomainName = managed.mst.edu
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = managed.mst.edu
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = managed.mst.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: alxvdvm - {489A8ACE-DF7D-4FC2-A493-74C89F382BAE} - C:\WINNT\alxvdvm.dll
O21 - SSODL: bvtqfvx - {62C3862D-03A0-4539-AB17-EA3387C0BE42} - C:\WINNT\bvtqfvx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\ati2evxx.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 4748 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\bgtx5\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-28 03:00:01 504 --a------ C:\WINNT\Tasks\AntiSpywareBot Scheduled Scan.job


-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-28 19:58:51 0 d-------- C:\ie-spyad_zo
2007-12-28 19:57:36 44928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2007-12-28 19:47:46 0 d-------- C:\WINNT\system32\ActiveScan
2007-12-28 19:47:46 0 d-------- C:\WINNT\LastGood
2007-12-28 19:41:21 0 d-------- C:\WINNT\privacy_danger
2007-12-27 17:22:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 14:46:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-26 23:36:08 0 d-------- C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot
2007-12-26 23:04:49 0 d-------- C:\Program Files\Enigma Software Group
2007-12-26 17:58:22 0 d-------- C:\Documents and Settings\bgtx5\Contacts
2007-12-26 14:21:54 0 d-------- C:\WINNT\35C03C043F1F42C2A989A757EE691F65.TMP
2007-12-24 18:52:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-24 18:52:11 0 d-------- C:\WINNT\system32\Kaspersky Lab
2007-12-24 1737 1786 --a------ C:\WINNT\system32\tmp.reg
2007-12-24 15:55:17 0 d-------- C:\WINNT\system32\appmgmt
2007-12-23 03:09:06 0 d-------- C:\Documents and Settings\bgtx5\Application Data\WinRAR
2007-12-23 00:55:01 217088 --a------ C:\WINNT\alxvdvm.dll <Not Verified; ; alxvdvm>
2007-12-21 1736 0 d--h----- C:\WINNT\PIF
2007-12-14 12:36:49 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Design Science
2007-12-13 06:21:47 0 d-------- C:\Documents and Settings\bgtx5\Application Data\U3
2007-12-10 22:04:17 0 d-------- C:\Documents and Settings\bgtx5\Application Data\CTdeveloping
2007-12-10 21:53:59 0 d-------- C:\Documents and Settings\bgtx5\Application Data\deskUNPDF
2007-12-10 19:12:58 0 d-------- C:\Java
2007-12-10 19:09:09 95 --a------ C:\WINNT\system32\productregistry
2007-12-10 18:46:20 0 d-------- C:\Program Files\Sun
2007-12-10 18:41:00 0 d-------- C:\Sun
2007-11-30 02:36:55 0 d-------- C:\WINNT\Sun
2007-11-30 02:36:54 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Sun


-- Find3M Report ---------------------------------------------------------------

2007-12-28 20:13:58 0 d-------- C:\Program Files\MSN Messenger
2007-12-24 18:45:29 0 d-------- C:\Program Files\Java
2007-12-24 16:03:40 0 d-------- C:\Program Files\DivX
2007-12-24 16:02:13 0 d-------- C:\Program Files\Yahoo!
2007-12-24 16:01:18 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Yahoo!
2007-12-24 15:55:04 0 d-------- C:\Program Files\Common Files
2007-12-24 15:53:40 0 d-------- C:\Program Files\Real
2007-12-24 15:53:40 0 d-------- C:\Program Files\Common Files\Real
2007-12-24 15:53:24 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Real
2007-12-07 16:42:29 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Adobe
2007-11-10 04:05:59 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Identities
2007-11-10 04:02:44 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Viewpoint
2007-11-09 13:31:07 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Help
2007-11-09 13:18:18 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Helios
2007-11-09 13:18:13 0 d-------- C:\Program Files\TextPad 5
2007-11-05 18:08:25 0 d-------- C:\Documents and Settings\bgtx5\Application Data\Apple Computer
2007-11-05 18:05:32 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2007-11-03 19:46:59 0 d-------- C:\Program Files\Microcal
2007-10-31 11:55:15 0 d-------- C:\Documents and Settings\bgtx5\Application Data\FileOpen
2007-10-04 1609 0 -rahs---- C:\MSDOS.SYS
2007-10-04 1609 0 -rahs---- C:\IO.SYS
2007-10-03 09:55:38 0 --a------ C:\CONFIG.SYS
2007-10-03 09:53:35 21640 --a------ C:\WINNT\system32\emptyregdb.dat
2007-10-03 04:45:26 62 --ahs---- C:\Documents and Settings\bgtx5\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 19:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 10:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"alxvdvm"= {489A8ACE-DF7D-4FC2-A493-74C89F382BAE} - C:\WINNT\alxvdvm.dll [2007-12-22 11:56 217088]
"bvtqfvx"= {62C3862D-03A0-4539-AB17-EA3387C0BE42} - C:\WINNT\bvtqfvx.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=%SystemRoot%\system32\umrinst\scripts\startup.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-13833\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-13833\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-13833\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-2063\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-2063\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-2063\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64530\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64530\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64530\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64589\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64589\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64589\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c740ef16-98b9-11dc-8ec6-001aa0c9ab82}]
Auto\command- adp.exe
AutoRun\command- C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL adp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c740efc3-98b9-11dc-8ec6-001aa0c9ab82}]
AutoRun\command- D:\LaunchU3.exe

*Newly Created Service* - SDTHOOK
*Newly Created Service* - UXDUBTTBYJBT



-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7791 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-12-28 20:41:52 ------------

Please note that I had installed spybot which took care of some of the trojans, however, there is still a pop up flashing related to Addware Remover 2007 and which opens a site which asks for scan. I guess there are still traces of the virus present in the system. I have uninstalled spybot now.

Please let me know my future course of actions.

Thanks and Regards,

Bharat Gattu

[tetonbob]

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I see you may have run ComboFix previously. I need you to delete whatever version you may have, and get this latest version from the link below.

1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe
   
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
   
   
2. Disconnect from the internet....pull the plug!
   
3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
4. Go to -> Run -> paste in the following single line command & click OK
   
   

   "%userprofile%\desktop\combofix.exe" /killall

   
   
   
   
5. Follow the prompts. Type "1" and press Enter to begin the scan.
6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
7. When finished, it shall produce a log for you. Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   ---------------------------------------------------------------------------------------------
   
8. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
   
9. Re-establish an internet connection.
   
10. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
    
    ---------------------------------------------------------------------------------------------

[bharat.gattu]

Hi Bob,

I have attached the ComboFix log - ComboFix.txt and
HiJackThis Log - hijackthis.log to the post.

Yup, I had run the Combofix previously (was following the post I had referred to in the first post), however, I was not sure if what I was doing was in the correct sequence.

Thanks and Regards,
Bharat Gattu


ComboFix 07-12-29.3 - bgtx5 2007-12-28 23:00:29.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1548 [GMT -6:00]
Running from: C:\Documents and Settings\bgtx5\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Log\2007 Dec 26 - 11_36_14 PM_082.log
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Log\2007 Dec 26 - 11_36_16 PM_801.log
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\rs.dat
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Settings\CustomScan.stg
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Settings\IgnoreList.stg
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Settings\ScanInfo.stg
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Settings\ScanResults.stg
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Settings\SelectedFolders.stg
C:\Documents and Settings\bgtx5\Application Data\AntiSpywareBot\Settings\Settings.stg
C:\WINNT\alxvdvm.dll
C:\WINNT\privacy_danger
C:\WINNT\privacy_danger\images\capt.gif
C:\WINNT\privacy_danger\images\danger.jpg
C:\WINNT\privacy_danger\images\down.gif
C:\WINNT\privacy_danger\images\spacer.gif
C:\WINNT\privacy_danger\index.htm
C:\WINNT\Tasks.\AntiSpywareBot Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-28 20:39 . 2007-12-28 20:39 <DIR> d-------- C:\Deckard
2007-12-28 19:58 . 2007-12-28 19:58 <DIR> d-------- C:\ie-spyad_zo
2007-12-28 19:57 . 2007-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2007-12-28 19:47 . 2007-12-28 20:24 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-12-28 19:47 . 2007-12-28 19:47 30,590 --a------ C:\WINNT\system32\pavas.ico
2007-12-27 23:46 . 2007-12-27 23:46 11,264 --a------ C:\WINNT\system32\292.tmp
2007-12-27 23:31 . 2007-12-28 19:47 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2007-12-27 23:31 . 2007-12-28 19:47 1,406 --a------ C:\WINNT\system32\Help.ico
2007-12-27 17:22 . 2007-12-28 01:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-27 14:46 . 2007-12-27 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-26 23:04 . 2007-12-26 23:04 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-12-26 17:58 . 2007-12-28 04:09 <DIR> d-------- C:\Documents and Settings\bgtx5\Contacts
2007-12-26 14:21 . 2007-12-26 14:21 <DIR> d-------- C:\WINNT\35C03C043F1F42C2A989A757EE691F65.TMP
2007-12-24 19:13 . 2005-09-23 08:29 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2007-12-24 18:52 . 2007-12-24 18:52 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-12-24 18:52 . 2007-12-24 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-24 18:45 . 2007-09-24 23:31 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2007-12-24 17:06 . 2007-12-26 21:53 1,786 --a------ C:\WINNT\system32\tmp.reg
2007-12-21 17:06 . 2007-12-21 17:06 <DIR> d--h----- C:\WINNT\PIF
2007-12-14 12:36 . 2007-12-14 12:36 <DIR> d-------- C:\Documents and Settings\bgtx5\Application Data\Design Science
2007-12-13 06:21 . 2007-12-13 06:46 <DIR> d-------- C:\Documents and Settings\bgtx5\Application Data\U3
2007-12-10 22:04 . 2007-12-10 23:19 <DIR> d-------- C:\Documents and Settings\bgtx5\Application Data\CTdeveloping
2007-12-10 21:53 . 2007-12-10 22:02 <DIR> d-------- C:\Documents and Settings\bgtx5\Application Data\deskUNPDF
2007-12-10 21:53 . 2007-12-10 21:53 732 --a------ C:\deskPDF.opt
2007-12-10 19:12 . 2007-12-10 19:14 <DIR> d-------- C:\Java
2007-12-10 19:09 . 2007-12-24 15:51 95 --a------ C:\WINNT\system32\productregistry
2007-12-10 18:46 . 2007-12-10 18:46 <DIR> d-------- C:\Program Files\Sun
2007-12-10 18:41 . 2007-12-10 18:41 <DIR> d-------- C:\Sun
2007-11-30 02:36 . 2007-11-30 02:36 <DIR> d-------- C:\WINNT\Sun
2007-11-29 16:30 . 2007-11-29 16:30 1,044,480 --a------ C:\WINNT\system32\libdivx.dll
2007-11-29 16:30 . 2007-11-29 16:30 200,704 --a------ C:\WINNT\system32\ssldivx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 02:13 --------- d-----w C:\Program Files\MSN Messenger
2007-12-25 00:45 --------- d-----w C:\Program Files\Java
2007-12-24 22:03 --------- d-----w C:\Program Files\DivX
2007-12-24 22:02 --------- d-----w C:\Program Files\Yahoo!
2007-12-24 22:01 --------- d-----w C:\Documents and Settings\bgtx5\Application Data\Yahoo!
2007-12-24 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-24 21:53 --------- d-----w C:\Program Files\Real
2007-12-24 21:53 --------- d-----w C:\Program Files\Common Files\Real
2007-11-24 11:36 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
2007-11-13 10:25 20,480 ----a-w C:\WINNT\system32\drivers\secdrv.sys
2007-11-10 10:02 --------- d-----w C:\Documents and Settings\bgtx5\Application Data\Viewpoint
2007-11-09 19:18 --------- d-----w C:\Program Files\TextPad 5
2007-11-09 19:18 --------- d-----w C:\Documents and Settings\bgtx5\Application Data\Helios
2007-11-06 00:08 --------- d-----w C:\Documents and Settings\bgtx5\Application Data\Apple Computer
2007-11-06 00:05 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2007-11-04 01:46 --------- d-----w C:\Program Files\Microcal
2007-10-31 17:55 --------- d-----w C:\Documents and Settings\bgtx5\Application Data\FileOpen
2007-10-31 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\FileOpen
2007-10-29 23:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-29 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-29 22:35 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINNT\system32\wmasf.dll
2007-07-25 14:33 113,664 ----a-w C:\WINNT\inf\hdaudio.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-26_14.58.08.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-26 23:57:28 29,926 ----a-r C:\WINNT\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2007-03-29 15:20:50 110,592 ----a-w C:\WINNT\system32\ActiveScan\as.dll
+ 2006-10-05 22:15:26 233,472 ----a-w C:\WINNT\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 20:03:18 96,256 ----a-w C:\WINNT\system32\ActiveScan\asmdat.dll
+ 2003-08-01 17:00:16 36,864 ----a-w C:\WINNT\system32\ActiveScan\certdll.dll
+ 2005-05-20 19:42:44 86,016 ----a-w C:\WINNT\system32\ActiveScan\instlsp.dll
+ 2007-11-12 15:46:18 26,112 ----a-w C:\WINNT\system32\ActiveScan\JID.dll
+ 2006-02-17 00:20:20 4,608 ----a-w C:\WINNT\system32\ActiveScan\memvfile.dll
+ 2005-10-26 00:08:32 348,160 ----a-w C:\WINNT\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 17:10:36 61,440 ----a-w C:\WINNT\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 21:01:02 139,264 ----a-w C:\WINNT\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 19:04:10 45,056 ----a-w C:\WINNT\system32\ActiveScan\pavdr.exe
+ 2006-04-10 16:50:02 159,832 ----a-w C:\WINNT\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 19:05:38 94,208 ----a-w C:\WINNT\system32\ActiveScan\pavinas.dll
+ 2006-02-17 00:35:38 180,224 ----a-w C:\WINNT\system32\ActiveScan\pavoe.dll
+ 2006-10-05 22:15:38 122,880 ----a-w C:\WINNT\system32\ActiveScan\pavpz.dll
+ 2007-06-04 17:31:52 57,344 ----a-w C:\WINNT\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 20:13:38 8,704 ----a-w C:\WINNT\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 20:08:42 49,152 ----a-w C:\WINNT\system32\ActiveScan\port32.dll
+ 2007-10-30 16:04:14 36,864 ----a-w C:\WINNT\system32\ActiveScan\Prescan.dll
+ 2006-08-01 19:23:10 69,632 ----a-w C:\WINNT\system32\ActiveScan\pscpu.dll
+ 2007-11-21 16:00:06 376,832 ----a-w C:\WINNT\system32\ActiveScan\pskahk.dll
+ 2007-10-31 19:05:06 32,768 ----a-w C:\WINNT\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 17:38:14 10,752 ----a-w C:\WINNT\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 17:49:54 61,440 ----a-w C:\WINNT\system32\ActiveScan\pskas.dll
+ 2006-08-18 14:46:18 779,264 ----a-w C:\WINNT\system32\ActiveScan\pskavs.dll
+ 2007-03-26 20:25:34 417,792 ----a-w C:\WINNT\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 16:42:24 90,112 ----a-w C:\WINNT\system32\ActiveScan\pskfss.dll
+ 2006-07-19 16:55:58 208,896 ----a-w C:\WINNT\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 22:57:00 9,728 ----a-w C:\WINNT\system32\ActiveScan\pskmas.dll
+ 2006-05-17 15:50:12 14,336 ----a-w C:\WINNT\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 16:58:12 33,280 ----a-w C:\WINNT\system32\ActiveScan\pskpack.dll
+ 2006-06-30 20:42:36 266,240 ----a-w C:\WINNT\system32\ActiveScan\pskscs.dll
+ 2006-08-17 20:33:14 62,976 ----a-w C:\WINNT\system32\ActiveScan\pskutil.dll
+ 2006-08-08 19:13:10 13,312 ----a-w C:\WINNT\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 14:53:08 69,632 ----a-w C:\WINNT\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 14:49:50 167,936 ----a-w C:\WINNT\system32\ActiveScan\pskvm.dll
+ 2007-10-18 15:30:16 105,472 ----a-w C:\WINNT\system32\ActiveScan\psnahk.dll
+ 2007-11-23 20:29:08 10,752 ----a-w C:\WINNT\system32\ActiveScan\psndsk.dll
+ 2007-10-18 15:30:38 42,496 ----a-w C:\WINNT\system32\ActiveScan\psnflg.dll
+ 2007-10-30 17:19:22 98,304 ----a-w C:\WINNT\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 14:52:00 20,272 ----a-w C:\WINNT\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 21:49:34 11,776 ----a-w C:\WINNT\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 14:52:04 76,080 ----a-w C:\WINNT\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 14:52:06 21,296 ----a-w C:\WINNT\system32\ActiveScan\psnmem.dll
+ 2007-10-04 21:26:28 28,672 ----a-w C:\WINNT\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 17:40:10 86,016 ----a-w C:\WINNT\system32\ActiveScan\psntuc.dll
+ 2007-05-24 17:27:36 27,136 ----a-w C:\WINNT\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 23:16:04 353,840 ----a-w C:\WINNT\system32\ActiveScan\psscan.dll
+ 2007-01-22 20:42:48 35,328 ----a-w C:\WINNT\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 15:44:36 8,576 ----a-w C:\WINNT\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 16:56:40 44,928 ----a-w C:\WINNT\system32\ActiveScan\sdthook.sys
+ 1997-09-18 12:12:32 9,488 ----a-w C:\WINNT\system32\ActiveScan\sporder.dll
+ 2006-02-28 23:23:40 69,632 ----a-w C:\WINNT\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 15:14:08 126,976 ----a-w C:\WINNT\system32\ActiveScan\Tucan.dll
+ 2006-08-02 18:39:06 73,728 ----a-w C:\WINNT\system32\asuninst.exe
- 2007-12-20 15:43:24 53,812 ----a-w C:\WINNT\system32\perfc009.dat
+ 2007-12-27 23:12:37 53,812 ----a-w C:\WINNT\system32\perfc009.dat
- 2007-12-20 15:43:24 383,584 ----a-w C:\WINNT\system32\perfh009.dat
+ 2007-12-27 23:12:37 383,584 ----a-w C:\WINNT\system32\perfh009.dat
- 2005-10-12 22:11:06 118,784 ----a-w C:\WINNT\system32\sirenacm.dll
+ 2007-01-19 18:53:04 51,056 ----a-w C:\WINNT\system32\sirenacm.dll
+ 2003-03-26 00:53:50 11,776 ----a-w C:\WINNT\system32\ZPORT4AS.dll
+ 2006-06-05 20:14:28 479,232 ----a-w C:\WINNT\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 20:14:28 548,864 ----a-w C:\WINNT\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 20:14:28 626,688 ----a-w C:\WINNT\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 01:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 19:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 10:27]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2004-08-04 01:00 C:\WINNT\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=%SystemRoot%\system32\umrinst\scripts\startup.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-13833\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-13833\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-13833\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-2063\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-2063\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-2063\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64530\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64530\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64530\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64589\Scripts\Logon\0\0]
"Script"=%ALLUSERSPROFILE%\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64589\Scripts\Logon\0\1]
"Script"=userlogindesktop.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-439975060-858025054-1849977318-64589\Scripts\Logon\0\2]
"Script"=%ALLUSERSPROFILE%\scripts\calluserlogin.cmd


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c740ef16-98b9-11dc-8ec6-001aa0c9ab82}]
\Shell\Auto\command - adp.exe
\Shell\AutoRun\command - C:\WINNT\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL adp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c740efc3-98b9-11dc-8ec6-001aa0c9ab82}]
\Shell\AutoRun\command - D:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 23:02:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 23:03:47 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-26 22:02
C:\ComboFix3.txt ... 2007-12-26 16:32
.
2007-12-18 21:02:35 --- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 23:09, on 2007-12-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\bgtx5\Desktop\FIX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mst.edu/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = managed.mst.edu
O17 - HKLM\Software\..\Telephony: DomainName = managed.mst.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = managed.mst.edu
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

[tetonbob]

That looks much better.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

J2SE Runtime Environment 5.0 Update 11

These is outdated, and a security risk by having it installed still. Unfortunately, Java does not uninstall previous version when you update, nor tell you that you should.

Leave Java(TM) 6 Update 3 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------

[bharat.gattu]

Hi,

I have done the Kaspersky scan. Detected a few viruses. I have attached the log (Kaspersky.txt) to this post.

Thanks and Regards,
Bharat Gattu.

[tetonbob]

Looks good. Most of the items found by Kaspersky are in System Restore points, and will be addressed by uninstalling ComboFix using the method proscribed below.

Delete this, as it's no longer needed:

C:\Documents and Settings\bgtx5\Desktop\FIX\SmitfraudFix.exe

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and use the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• SpywareGuard to catch and block spyware before it can execute.
  
• IE-SpyAd - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. An installation tutorial is available here.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• FIREWALL
  If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here
  
  Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• MAKING INTERNET EXPLORER SAFER

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

[bharat.gattu]

Hi TSF,

Thanks a ton...

With Regards,

Bharat Gattu