#1
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hi,

Over the past few days I have been getting annoying popups from sites such as celldorado, party poker, c5.zedo.net, system cleaner and many more. It seems to have come out of nowhere. The only new thing I have done to my computer in the last week has been to upgrade to the latest Internet Explorer version. All my Microsoft security packages and patches are kept up to date regularly and I have never had a problem with pop-ups before. I have also noticed an error in the last day that pops up whenever I turn my computer on; the error is as follows:

Error loading c:/windows/system32/j4241130.dll the specified module could not be found.

I have had .dll file issues before and have downloaded the missing modules myself, but I thought I would wait this time and see if the issues were connected. Thanks for taking the time, and here is my Deckard Log:

Deckard's System Scanner v20070603.47
Run by Graeme Knight on 2007-06-06 at 20:45:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
93: 2007-06-06 10:45:15 UTC - RP924 - Deckard's System Scanner Restore Point
92: 2007-06-06 07:49:40 UTC - RP923 - Installed Ad-Aware SE Personal
91: 2007-06-04 21:51:10 UTC - RP922 - System Checkpoint
90: 2007-06-03 21:43:20 UTC - RP921 - Software Distribution Service 3.0
89: 2007-06-03 01:42:16 UTC - RP920 - Software Distribution Service 3.0

-- First Restore Point --
1: 2007-03-08 13:23:21 UTC - RP832 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.


-- HijackThis (run as Graeme Knight.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:48:45 PM, on 06/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\downloads\dss.exe
C:\DOWNLO~1\Graeme Knight.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.televisionwithoutpity.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {7E4F537B-C56B-4037-9436-35846E1CB42F} - C:\WINDOWS\system32\jkhhi.dll
O2 - BHO: (no name) - {8AB46ECF-6665-4AEE-B0B3-C143CFDA0679} - C:\WINDOWS\system32\hvgskdke.dll
O2 - BHO: (no name) - {A2339A9B-D1F4-4084-9EEE-B9F5CB487527} - C:\WINDOWS\system32\rqrolkk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\rxtdvrds.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\mtdibftx.dll",realset
O4 - HKLM\..\Run: [j4241130] rundll32 C:\WINDOWS\system32\j4241130.dll sook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://code.trasferimento.biz/l/dbd0...65c2ff8_35.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...bridge-c18.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135801488718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135801190937
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...ce5b5b666353a7
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A602BD-B187-457D-983A-4741DB484CF7}: NameServer = 203.50.2.71,139.130.4.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll
O20 - Winlogon Notify: rqrolkk - C:\WINDOWS\SYSTEM32\rqrolkk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwly32 - C:\WINDOWS\SYSTEM32\winwly32.dll
O21 - SSODL: eplrr - {140808BD-27CA-4B13-9593-0165484B2AF5} - blank (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 msdirectx - c:\documents and settings\graeme knight\msdirectx.sys (file missing)
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


-- Scheduled Tasks -------------------------------------------------------------

2007-06-06 18:39:15 448 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2007-06-05 03:00:00 378 --a------ C:\WINDOWS\Tasks\XoftSpySE.job
2007-06-04 20:13:36 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2006-02-12 09:01:17 316 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2007-05-06 and 2007-06-06 -----------------------------

2007-06-06 20:28:38 0 d-------- C:\ie-spyad
2007-06-06 20:18:28 0 d-------- C:\Program Files\SpywareBlaster
2007-06-06 18:59:13 73 --a------ C:\WINDOWS\system32\pfdnnt_actions.sys
2007-06-06 18:59:12 8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2007-06-06 18:47:32 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-06 18:47:27 0 d-------- C:\WINDOWS\LastGood
2007-06-06 17:50:02 0 d-------- C:\Program Files\Lavasoft
2007-06-06 17:48:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 11:48:15 125460 -----n--- C:\WINDOWS\system32\hvgskdke.dll
2007-06-06 11:42:15 14868 --a------ C:\WINDOWS\system32\gpfauwux.exe
2007-06-05 10:44:14 131124 --a------ C:\WINDOWS\system32\mtdibftx.dll
2007-06-04 10:41:15 2580 --a------ C:\WINDOWS\system32\ujtedxsw.exe
2007-06-04 10:36:35 676042 ---hs---- C:\WINDOWS\system32\ihhkj.bak2
2007-06-03 11:50:03 0 d-------- C:\WINDOWS\network diagnostic
2007-06-03 11:16:09 0 d-------- C:\Program Files\XoftSpySE
2007-06-03 10:44:42 2580 --a------ C:\WINDOWS\system32\jlfoyvyl.exe
2007-06-03 10:36:06 676967 ---hs---- C:\WINDOWS\system32\ihhkj.bak1
2007-06-03 10:35:22 263220 ---hs---- C:\WINDOWS\system32\jkhhi.dll
2007-06-03 10:30:05 33302 --a------ C:\WINDOWS\system32\rqrolkk.dll
2007-05-29 13:02:10 19456 --a------ C:\WINDOWS\system32\winwly32.dll
2007-05-12 17:56:41 0 d-------- C:\Program Files\ACW


-- Find3M Report ---------------------------------------------------------------

2007-06-06 19:33:59 0 d-------- C:\Program Files\QuickTime
2007-06-06 19:30:30 0 d-------- C:\Program Files\iTunes
2007-06-06 19:29:54 0 d-------- C:\Program Files\Google
2007-06-06 19:29:50 0 d-------- C:\Program Files\GetRight
2007-06-06 19:29:30 0 d-------- C:\Program Files\Digital Line Detect
2007-06-06 17:51:12 0 d-------- C:\Documents and Settings\Graeme Knight\Application Data\Lavasoft
2007-06-06 17:29:19 0 d-------- C:\Documents and Settings\Graeme Knight\Application Data\uTorrent
2007-06-03 15:05:12 0 d-------- C:\Program Files\Blaze Media Pro
2007-06-03 11:25:51 0 d-------- C:\Program Files\Media Gateway
2007-06-03 10:20:55 0 d-------- C:\Program Files\iPod
2007-05-29 13:08:27 0 d-------- C:\Program Files\ImTOO
2007-05-17 18:31:07 0 d-------- C:\Program Files\LimeWire
2007-05-08 20:51:43 0 d-------- C:\Program Files\WMR11


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8} C:\Program Files\GetRight\xx2gr.dll
{7E4F537B-C56B-4037-9436-35846E1CB42F} C:\WINDOWS\system32\jkhhi.dll
{8AB46ECF-6665-4AEE-B0B3-C143CFDA0679} C:\WINDOWS\system32\hvgskdke.dll
{A2339A9B-D1F4-4084-9EEE-B9F5CB487527} C:\WINDOWS\system32\rqrolkk.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
{CD3447D4-CA39-4377-8084-30E86331D74C} C:\WINDOWS\system32\rxtdvrds.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ApachInc"="rundll32.exe \"C:\\WINDOWS\\system32\\mtdibftx.dll\",realset"
"j4241130"="rundll32 C:\\WINDOWS\\system32\\j4241130.dll sook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Compaq32 Service Drivers"="msconfig32.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A2339A9B-D1F4-4084-9EEE-B9F5CB487527}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"eplrr"="{140808BD-27CA-4B13-9593-0165484B2AF5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhhi
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrolkk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwly32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-06-06 at 20:50:34 ---------
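As an added example (not part of the original thread, and not code from HijackThis, Deckard's System Scanner or ComboFix), here is a small Python triage script that applies the checks a log reader does by eye to the HijackThis section above: unnamed or missing BHOs (O2), rundll32 autostarts from system32 and svchost look-alikes (O4), Trusted Zone additions (O15), ActiveX controls fetched from non-Microsoft hosts (O16), and Winlogon Notify DLLs outside a known set (O20). The sample lines are copied from the posted log; the allowlists and the heuristics themselves are assumptions for illustration and would need tuning on a real system.

```python
"""Triage a HijackThis 1.99.x log for the autostart and browser-hook entries
that matter most in a popup/adware case.

Added example for this thread; not part of HijackThis or the forum's fix.
SAMPLE_LOG is a constructed excerpt of lines copied from the log posted
above. The allowlists are illustrative assumptions, not vetted data.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    section: str   # HijackThis section, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line


# Constructed sample: a subset of the HijackThis lines from the thread above.
SAMPLE_LOG = r"""
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {7E4F537B-C56B-4037-9436-35846E1CB42F} - C:\WINDOWS\system32\jkhhi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\rxtdvrds.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\mtdibftx.dll",realset
O4 - HKLM\..\Run: [j4241130] rundll32 C:\WINDOWS\system32\j4241130.dll sook
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135801488718
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhi - C:\WINDOWS\system32\jkhhi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Illustrative allowlists (assumptions for this example, not vetted data).
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "igfxcui",
                         "scecli", "schedule", "sclgntfy", "senslogn",
                         "termsrv", "wgalogon", "wlballoon"}
TRUSTED_DPF_DOMAINS = {"microsoft.com", "windowsupdate.com"}
TRUSTED_ZONE_ALLOW: set = set()   # nothing belongs in IE's Trusted Zone by default

LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def _host(url: str) -> str:
    """Lower-cased host of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/\s]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def _domain_allowed(host: str, allow: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in allow)


def triage_line(line: str) -> Optional[Finding]:
    """Apply one heuristic per section; return a Finding or None."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.groups()
    if sec == "O2":    # Browser Helper Objects
        if body.startswith("BHO: (no name)"):
            return Finding(sec, "unnamed BHO", line)
        if "(file missing)" in body:
            return Finding(sec, "BHO registered but DLL missing", line)
    elif sec == "O4":  # Run keys / startup folder: text after "[name] " is the command
        cmd = (body.partition("] ")[2] or body).lower()
        if cmd.startswith("rundll32") and "\\system32\\" in cmd:
            return Finding(sec, "rundll32 autostart loading a DLL from system32", line)
        if "svchost" in cmd and not cmd.startswith("c:\\windows\\system32\\svchost.exe"):
            return Finding(sec, "svchost name mimicry outside system32", line)
    elif sec == "O15":  # IE Trusted Zone additions
        parts = body.partition(":")[2].split()
        domain = parts[0].lstrip("*.").lower() if parts else ""
        if domain and not _domain_allowed(domain, TRUSTED_ZONE_ALLOW):
            return Finding(sec, "domain added to Trusted Zone", line)
    elif sec == "O16":  # ActiveX "Downloaded Program Files": URL is after the last " - "
        host = _host(body.rpartition(" - ")[2])
        if host and not _domain_allowed(host, TRUSTED_DPF_DOMAINS):
            return Finding(sec, "ActiveX control downloaded from untrusted host", line)
    elif sec == "O20":  # Winlogon Notify DLLs run in winlogon.exe at every logon
        name = body.partition(":")[2].partition(" - ")[0].strip().lower()
        if name not in KNOWN_WINLOGON_NOTIFY:
            return Finding(sec, "unknown Winlogon Notify DLL", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

On the sample, the script flags the two unnamed BHOs, the two rundll32 autostarts plus the svchostsys look-alike, the windupdates.com Trusted Zone entry, the zangocash CAB, and the jkhhi Winlogon Notify hook, while the AVG, Google and Windows Update lines pass. The O20 check is the one to weigh most heavily: a Notify DLL is loaded by winlogon.exe, which is why the same names reappear in the O2 and file-creation sections of the log.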
#2
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Sorry, forgot to add my Panda ActiveScan report:

Incident    Status    Location
Virus:Trj/Downloader.ORT    Disinfected    Operating system
Virus:Trj/Agent.FPC    Disinfected    Operating system
Spyware:Spyware/Virtumonde    Not disinfected    C:\WINDOWS\system32\rqrolkk.dll
Adware:adware/wupd    Not disinfected    c:\windows\downloaded program files\MediaGatewayX.dll
Potentially unwanted tool:application/winfixer2005    Not disinfected    c:\windows\downloaded program files\UERS_0001_N68M1801NetInstaller.exe
Adware:adware/webhancer    Not disinfected    c:\WHCC2.exe
Adware:adware/dollarrevenue    Not disinfected    c:\windows\drsmartload.dat
Dialer:dialer.xd    Not disinfected    c:\windows\switchagreement.txt
Adware:adware/powerscan    Not disinfected    Windows Registry
Hacktool:rootkit/fu.a    Not disinfected    hkey_local_machine\system\currentcontrolset\services\msdirectx
Potentially unwanted tool:application/myway    Not disinfected    hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/ist.istbar    Not disinfected    Windows Registry
Adware:adware/surfaccuracy    Not disinfected    Windows Registry
Adware:adware/ncase    Not disinfected    Windows Registry
Adware:adware/ist.sidefind    Not disinfected    Windows Registry
Adware:adware/cws.searchmeup    Not disinfected    Windows Registry
Adware:adware/mediatickets    Not disinfected    Windows Registry
Adware:adware/startpage.acd    Not disinfected    Windows Registry
Dialer:dialer.asl    Not disinfected    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/ist.xxxtoolbar    Not disinfected    Windows Registry
Hacktool:Exploit/ByteVerify    Not disinfected    C:\Documents and Settings\Graeme Knight\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-393d648-4b9fc13c.class
Spyware:Cookie/adstat    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@ad.stat.4u[1].txt
Spyware:Cookie/BurstNet    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@burstnet[2].txt
Spyware:Cookie/Clickbank    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@clickbank[2].txt
Spyware:Cookie/Go    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@go[2].txt
Spyware:Cookie/Mediaplex    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@mediaplex[1].txt
Spyware:Cookie/BurstBeacon    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@www.burstbeacon[1].txt
Spyware:Cookie/Xiti    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@xiti[1].txt
Spyware:Cookie/2o7    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@112.2o7[2].txt
Spyware:Cookie/2o7    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@2o7[2].txt
Spyware:Cookie/888    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@888[2].txt
Spyware:Cookie/YieldManager    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@ads.pointroll[2].txt
Spyware:Cookie/Advertising    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@advertising[2].txt
Spyware:Cookie/Atlas DMT    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@atdmt[2].txt
Spyware:Cookie/Serving-sys    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@bs.serving-sys[2].txt
Spyware:Cookie/Casalemedia    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@casalemedia[1].txt
Spyware:Cookie/Com.com    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@com[1].txt
Spyware:Cookie/Doubleclick    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@doubleclick[2].txt
Spyware:Cookie/DriveCleaner    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@errorsafe[2].txt
Spyware:Cookie/FastClick    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@fastclick[2].txt
Spyware:Cookie/QuestionMarket    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@questionmarket[2].txt
Spyware:Cookie/Serving-sys    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@serving-sys[2].txt
Spyware:Cookie/Statcounter    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@statcounter[1].txt
Spyware:Cookie/DriveCleaner    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@stats1.reliablestats[1].txt
Spyware:Cookie/Systemdoctor    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@systemdoctor[2].txt
Spyware:Cookie/Tribalfusion    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@tribalfusion[1].txt
Spyware:Cookie/Winantivirus    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@winantispyware[1].txt
Spyware:Cookie/Winantivirus    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@winantivirus[2].txt
Spyware:Cookie/DriveCleaner    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@www.drivecleaner[1].txt
Spyware:Cookie/Zedo    Not disinfected    C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@zedo[2].txt
Adware:Adware/WinAntivirus2006    Not disinfected    C:\Documents and Settings\Graeme Knight\Local Settings\Temp\iwwsmbxy.dll
Adware:Adware/nCase    Not disinfected    C:\Documents and Settings\Graeme Knight\Local Settings\Temp\res7.tmp
Adware:Adware/IST.SideFind    Not disinfected    C:\Documents and Settings\Graeme Knight\Local Settings\Temp\targetsaver.exe
Adware:Adware/WinAntivirus2006    Not disinfected    C:\Documents and Settings\Graeme Knight\Local Settings\Temp\vtwcirkf.dll
Adware:Adware/Yazzle    Not disinfected    C:\Documents and Settings\Graeme Knight\Local Settings\Temp\win71.tmp.exe
Adware:Adware/WUpd    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll
Potentially unwanted tool:Application/ErrorSafe    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N68M1801NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N66M1101NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX6_0001_N57M0912NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N66M1101NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5_0001_N66M1101NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5_0001_N66M1101NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5_0001_N66M1101NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5_0001_N66M1101NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5_0001_N66M1101NetInstaller.exe
Adware:Adware/TrustIn    Not disinfected    C:\WINDOWS\Downloaded Program Files\loader2.exe
Potentially unwanted tool:Application/SystemDoctor2006    Not disinfected    C:\WINDOWS\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N66M1101NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005    Not disinfected    C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N57M0912NetInstaller.exe
Potentially unwanted tool:Application/ErrorSafe    Not disinfected    C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\aza007hme.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\CTSEQCHK.DLL
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\cyedui.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\dn0001dme.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\gpp8l37u1.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\HHFCI005.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\hrl2053oe.dll
Virus:Trj/Downloader.ORT    Disinfected    C:\WINDOWS\SYSTEM32\hvgskdke.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\IRETCPLC.DLL
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\jt0407dqe.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\jt4007hme.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\k6no0g53e6.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\l02slaf71d2.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\MUOBJS.DLL
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\n8n6li5s18.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\namssvc.dll
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\SYSTEM32\o2rolc931f.dll
Adware:Adware/PurityScan    Not disinfected    C:\WINDOWS\SYSTEM32\r?ndll32.exe
Virus:W32/Gaobot.FEP.worm    Disinfected    C:\WINDOWS\SYSTEM32\TFTP2308
Virus:W32/Gaobot.FEP.worm    Disinfected    C:\WINDOWS\SYSTEM32\TFTP2856
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\Temp\bw2.com
Spyware:Cookie/RealMedia    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@247realmedia[1].txt
Spyware:Cookie/888    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@888[1].txt
Spyware:Cookie/888    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@888[2].txt
Spyware:Cookie/YieldManager    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@ad.yieldmanager[1].txt
Spyware:Cookie/Bluestreak    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@bluestreak[1].txt
Spyware:Cookie/Cassava    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@cassava[1].txt
Spyware:Cookie/ErrorSafe    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@errorsafe[2].txt
Spyware:Cookie/AspinallsOnlineCasino    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@pacificpoker[2].txt
Spyware:Cookie/RealMedia    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@realmedia[1].txt
Spyware:Cookie/Reliablestats    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@stats1.reliablestats[1].txt
Spyware:Cookie/Systemdoctor    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@systemdoctor[2].txt
Spyware:Cookie/Systemdoctor    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@www.systemdoctor[1].txt
Spyware:Cookie/Zedo    Not disinfected    C:\WINDOWS\Temp\Cookies\graeme knight@zedo[1].txt
Adware:Adware/Yazzle    Not disinfected    C:\WINDOWS\Temp\win26.tmp.exe
Virus:Trj/Agent.FPC    Disinfected    C:\WINDOWS\Temp\win2D.tmp.exe
Adware:Adware/Look2Me    Not disinfected    C:\WINDOWS\warebundle.exe
Adware:Adware/WebHancer    Not disinfected    C:\WINDOWS\WHCC2.exe
Adware:Adware/Findtheweb    Not disinfected    C:\WINDOWS\winsysupd.exe
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step and perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#5
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
This is to be performed after posting the logs...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.

Updating Java:
---------------------------------------------------------------------------------------------
#6
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hi,

Thanks for taking the time to help. Here is my ComboFix log:

ComboFix 07-06-09.1 - C:\Documents and Settings\Graeme Knight\Desktop\ComboFix.exe "Graeme Knight" - 2007-06-09 9:53:48 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\aza007hme.dll
C:\WINDOWS\system32\CTSEQCHK.DLL
C:\WINDOWS\system32\cyedui.dll
C:\WINDOWS\system32\dn0001dme.dll
C:\WINDOWS\system32\gpp8l37u1.dll
C:\WINDOWS\system32\HHFCI005.dll
C:\WINDOWS\system32\hrl2053oe.dll
C:\WINDOWS\system32\IRETCPLC.DLL
C:\WINDOWS\system32\jt0407dqe.dll
C:\WINDOWS\system32\jt4007hme.dll
C:\WINDOWS\system32\k6no0g53e6.dll
C:\WINDOWS\system32\l02slaf71d2.dll
C:\WINDOWS\system32\MUOBJS.DLL
C:\WINDOWS\system32\n8n6li5s18.dll
C:\WINDOWS\system32\namssvc.dll
C:\WINDOWS\system32\o2rolc931f.dll

Granting SeDebugPrivilege to Administrators ... successful

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\mtdibftx.dll
C:\WINDOWS\system32\mljjkjg.dll
C:\WINDOWS\system32\vtuvwut.dll
C:\WINDOWS\system32\winwly32.dll
C:\WINDOWS\SYSTEM32\ihhkj.bak1
C:\WINDOWS\SYSTEM32\ihhkj.bak2
C:\WINDOWS\SYSTEM32\ihhkj.ini
C:\WINDOWS\SYSTEM32\ihhkj.ini2
C:\WINDOWS\SYSTEM32\ihhkj.tmp
C:\WINDOWS\SYSTEM32\xtfbidtm.ini
C:\WINDOWS\SYSTEM32\xtfbidtm.tmp
C:\WINDOWS\SYSTEM32\ihhkj.bak1
C:\WINDOWS\SYSTEM32\ihhkj.bak2
C:\WINDOWS\SYSTEM32\ihhkj.ini
C:\WINDOWS\SYSTEM32\ihhkj.ini2
C:\WINDOWS\SYSTEM32\ihhkj.tmp
C:\WINDOWS\SYSTEM32\ihhkj.bak1
C:\WINDOWS\SYSTEM32\ihhkj.bak2
C:\WINDOWS\SYSTEM32\ihhkj.ini
C:\WINDOWS\SYSTEM32\ihhkj.ini2
C:\WINDOWS\SYSTEM32\ihhkj.tmp
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\rqrolkk.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\whcc2.exe
C:\WINDOWS\drsmartload.dat
C:\WINDOWS\warebundle.exe
C:\WINDOWS\winsysupd.exe
C:\WINDOWS\winsysupd1.dat
C:\WINDOWS\winsysupd21.dat

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NM
-------\msdirectx
-------\nm

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-09 09:56 56,832 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\twbutobw.exe
2007-06-09 09:52 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 13:47 58,420 --a------ C:\WINDOWS\SYSTEM32\ysoplxen.dll
2007-06-07 13:46 55,316 --a------ C:\WINDOWS\SYSTEM32\vkjjddei.dll
2007-06-06 20:44 <DIR> d-------- C:\Deckard
2007-06-06 20:28 <DIR> d-------- C:\ie-spyad
2007-06-06 20:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-06 18:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-06 17:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-06 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-06 11:42 14,868 --a------ C:\WINDOWS\SYSTEM32\gpfauwux.exe
2007-06-03 11:50 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-03 11:16 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-12 17:56 <DIR> d-------- C:\Program Files\ACW

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 23:12:48 -------- d-----w C:\DOCUME~1\GRAEME~1\APPLIC~1\uTorrent
2007-06-07 22:20:35 -------- d-----w C:\Program Files\Blaze Media Pro
2007-06-06 09:33:59 -------- d-----w C:\Program Files\QuickTime
2007-06-06 09:30:30 -------- d-----w C:\Program Files\iTunes
2007-06-06 09:29:54 -------- d-----w C:\Program Files\Google
2007-06-06 09:29:50 -------- d-----w C:\Program Files\GetRight
2007-06-06 09:29:30 -------- d-----w C:\Program Files\Digital Line Detect
2007-06-06 07:51:12 -------- d-----w C:\DOCUME~1\GRAEME~1\APPLIC~1\Lavasoft
2007-06-03 01:25:51 -------- d-----w C:\Program Files\Media Gateway
2007-06-03 00:20:55 -------- d-----w C:\Program Files\iPod
2007-05-29 03:08:27 -------- d-----w C:\Program Files\ImTOO
2007-05-17 08:31:07 -------- d-----w C:\Program Files\LimeWire
2007-05-08 10:51:43 -------- d-----w C:\Program Files\WMR11
2007-05-01 15:35:12 146,432 --sh--w C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2005-05-13 07:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 01:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 11:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 09:14:52 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 02:31:20 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 05:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 12:37:42 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 14:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-08-27 04:58:59 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2004-10-05 15 30 380,928 --sh--r C:\WINDOWS\SYSTEM32\r?ndll32.exe
2006-04-27 00:24:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 03:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 14:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2005-02-14 12:08] {8AB46ECF-6665-4AEE-B0B3-C143CFDA0679}=C:\WINDOWS\system32\hvgskdke.dll [] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 22:55] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-30 12:12] {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\ysoplxen.dll [2007-06-08 13:47] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 20:42] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:31] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45] "twbutobw.exe"="C:\Documents and Settings\All Users\Application Data\twbutobw.exe" [2007-06-09 09:56] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 12:12] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices] "Compaq32 Service Drivers"=msconfig32.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "{140808BD-27CA-4B13-9593-0165484B2AF5}"="blank" [] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the 'Scheduled Tasks' folder 2007-06-04 10:13:36 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2006-02-11 23:01:17 
C:\WINDOWS\tasks\XoftSpy.job
2007-06-09 00:09:07 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-08 17:00:00 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 10:09:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
cmd.exe [3048]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 10:12:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 10:12
--- E O F ---

And here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:50 AM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\All Users\Application Data\twbutobw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\downloads\Graeme Knight.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.televisionwithoutpity.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {8AB46ECF-6665-4AEE-B0B3-C143CFDA0679} - C:\WINDOWS\system32\hvgskdke.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ysoplxen.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [twbutobw.exe] C:\Documents and Settings\All Users\Application Data\twbutobw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://code.trasferimento.biz/l/dbd0...65c2ff8_35.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...bridge-c18.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135801488718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135801190937
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...ce5b5b666353a7
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A602BD-B187-457D-983A-4741DB484CF7}: NameServer = 203.50.2.71,139.130.4.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: eplrr - {140808BD-27CA-4B13-9593-0165484B2AF5} - blank (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Cheers
#7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
P2P - I see you have P2P software ( Limewire, uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

---------------------------------------------------------------------------------------------

Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.

Quote:

---------------------------------------------------------------------------------------------

Please go to: VirusTotal

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked:

O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://code.trasferimento.biz/l/dbd0...65c2ff8_35.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...bridge-c18.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...ce5b5b666353a7
O21 - SSODL: eplrr - {140808BD-27CA-4B13-9593-0165484B2AF5} - blank (file missing)

Close HijackThis now.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes, when prompted to install an ActiveX component.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Microsoft MVP - Consumer Security 2009
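The nine HijackThis entries the helper ticks above are the kind a triager picks out of the O15, O16 and O21 sections by eye. As an added example (not part of the thread, and not HijackThis's own code), the Python script below parses those line formats and applies the same rules of thumb to the lines posted earlier in the thread; the sample lines are copied from the posted log, while the flagging rules and the names `parse_entry`, `parse_dpf`, `judge` and `triage` are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above
# (URLs shortened with "..." exactly as the forum rendered them).
SAMPLE_LOG = r"""
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {8AB46ECF-6665-4AEE-B0B3-C143CFDA0679} - C:\WINDOWS\system32\hvgskdke.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ysoplxen.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://code.trasferimento.biz/l/dbd0...65c2ff8_35.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...bridge-c18.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135801488718
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Seek...ce5b5b666353a7
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: eplrr - {140808BD-27CA-4B13-9593-0165484B2AF5} - blank (file missing)
"""

# Every HijackThis line reads "Oxx - Label: body"; an O16 body reads
# "{CLSID} (Friendly Name) - http://host/file.cab", name and URL optional.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
DPF_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})(?: \(([^)]*)\))? -\s*(\S*)$")


def parse_entry(line):
    """Split one HijackThis line into section, label and body."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, label, body = m.groups()
    return {"section": section, "label": label, "body": body,
            "line": line.strip(), "file_missing": "(file missing)" in body}


def parse_dpf(body):
    """Decode an O16 body into CLSID, friendly name and download host."""
    m = DPF_RE.match(body.strip())
    if not m:
        return None
    clsid, name, url = m.groups()
    return {"clsid": clsid, "name": name or "", "url": url,
            "host": urlsplit(url).hostname if url else ""}


def judge(entry):
    """Give a reason to tick the entry in 'Fix Checked', or None to leave it."""
    section = entry["section"]
    if section == "O15":
        # Trusted Zone sites get IE's relaxed security settings; home users
        # almost never add one on purpose, adware installers routinely do.
        return "site placed in the IE Trusted Zone"
    if section == "O16":
        dpf = parse_dpf(entry["body"])
        if dpf is None or not dpf["url"]:
            return "downloaded program file with no recorded source URL"
        if not dpf["name"]:
            return "unnamed ActiveX control fetched from " + dpf["host"]
        return None
    if section == "O21" and entry["file_missing"]:
        # ShellServiceObjectDelayLoad runs at every logon; a dangling entry
        # is debris from a half-removed component.
        return "ShellServiceObjectDelayLoad entry whose DLL is gone"
    return None


def triage(log_text):
    """Return (entries to fix with reasons, entries that need a closer look)."""
    fix, review = [], []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        reason = judge(entry)
        if reason:
            fix.append((entry["line"], reason))
        elif entry["file_missing"] or (
                entry["section"] == "O2" and entry["body"].startswith("(no name)")):
            review.append(entry["line"])
    return fix, review


if __name__ == "__main__":
    to_fix, to_review = triage(SAMPLE_LOG)
    print("Fix Checked:")
    for line, reason in to_fix:
        print("  %s\n      -> %s" % (line, reason))
    print("Needs a closer look:")
    for line in to_review:
        print("  " + line)
```

On the sample the fix list is exactly the nine entries the helper names, and the review list holds the two unnamed BHOs and the dangling xpnetdiag button, which the helper left for ComboFix rather than HijackThis.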
#8 (permalink)
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hey,
Here is findfile.bat:

Volume in drive C has no label.
Volume Serial Number is D462-7566

Directory of C:\WINDOWS\SYSTEM32

08/04/2004 05:56 PM 33,280 rundll32.exe
10/06/2004 01:06 AM 380,928 r?ndll32.exe
2 File(s) 414,208 bytes

Directory of C:\Documents and Settings\GRAEME~1\Desktop

Virustotal:

Complete scanning result of "gpfauwux.exe", received in VirusTotal at 06.09.2007, 08:45:25 (CET).

| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.6.9.0 | 06.08.2007 | no virus found |
| AntiVir | 7.4.0.32 | 06.08.2007 | TR/Click.Small.MW |
| Authentium | 4.93.8 | 05.23.2007 | no virus found |
| Avast | 4.7.997.0 | 06.08.2007 | no virus found |
| AVG | 7.5.0.467 | 06.08.2007 | no virus found |
| BitDefender | 7.2 | 06.09.2007 | Trojan.Clicker.Small.YB |
| CAT-QuickHeal | 9.00 | 06.08.2007 | TrojanClicker.Small.cf |
| ClamAV | devel-20070416 | 06.09.2007 | no virus found |
| DrWeb | 4.33 | 06.09.2007 | Trojan.Click.2485 |
| eSafe | 7.0.15.0 | 06.06.2007 | no virus found |
| eTrust-Vet | 30.7.3703 | 06.08.2007 | no virus found |
| Ewido | 4.0 | 06.08.2007 | no virus found |
| FileAdvisor | 1 | 06.09.2007 | no virus found |
| Fortinet | 2.85.0.0 | 06.09.2007 | no virus found |
| F-Prot | 4.3.2.48 | 06.08.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 06.08.2007 | no virus found |
| Ikarus | T3.1.1.8 | 06.09.2007 | Trojan-Clicker.Small.YB |
| Kaspersky | 4.0.2.24 | 06.09.2007 | no virus found |
| McAfee | 5049 | 06.08.2007 | Generic AdClicker.b.dll |
| Microsoft | 1.2503 | 06.09.2007 | no virus found |
| NOD32v2 | 2320 | 06.09.2007 | no virus found |
| Norman | 5.80.02 | 06.08.2007 | no virus found |
| Panda | 9.0.0.4 | 06.09.2007 | Trj/Clicker.ACO |
| Prevx1 | V2 | 06.09.2007 | no virus found |
| Sophos | 4.18.0 | 06.01.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 06.09.2007 | no virus found |
| Symantec | 10 | 06.09.2007 | no virus found |
| TheHacker | 6.1.6.131 | 06.08.2007 | no virus found |
| VBA32 | 3.12.0 | 06.07.2007 | Trojan.Click.2480 |
| VirusBuster | 4.3.23:9 | 06.08.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 06.09.2007 | Trojan.Click.Small.MW |

Aditional Information
File size: 14868 bytes
MD5: 9b278e3b7ea1f467d7ea602a54d706a0
SHA1: fa1a97a18156e763f737e8f6b09326793a12ac13
packers: BINARYRES

Combofix:

ComboFix 07-06-09.1 - C:\Documents and
Settings\Graeme Knight\Desktop\ComboFix.exe "Graeme Knight" - 2007-06-09 17:00:21 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\Graeme Knight\Desktop\ComboFix-Do.txt ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Documents and Settings\All Users\Application Data\twbutobw.exe C:\Program Files\Common Files\Yazzle1162OinAdmin.exe C:\WINDOWS\SYSTEM32\vkjjddei.dll C:\WINDOWS\SYSTEM32\ysoplxen.dll ((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 ))))))))))))))))))))))))))))))) 2007-06-09 09:52 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-06 20:44 <DIR> d-------- C:\Deckard 2007-06-06 20:28 <DIR> d-------- C:\ie-spyad 2007-06-06 20:18 <DIR> d-------- C:\Program Files\SpywareBlaster 2007-06-06 18:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan 2007-06-06 17:50 <DIR> d-------- C:\Program Files\Lavasoft 2007-06-06 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2007-06-06 11:42 14,868 --a------ C:\WINDOWS\SYSTEM32\gpfauwux.exe 2007-06-03 11:50 <DIR> d-------- C:\WINDOWS\network diagnostic 2007-06-03 11:16 <DIR> d-------- C:\Program Files\XoftSpySE 2007-05-12 17:56 <DIR> d-------- C:\Program Files\ACW (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-09 06:38:23 -------- d-----w C:\DOCUME~1\GRAEME~1\APPLIC~1\uTorrent 2007-06-07 22:20:35 -------- d-----w C:\Program Files\Blaze Media Pro 2007-06-06 09:33:59 -------- d-----w C:\Program Files\QuickTime 2007-06-06 09:30:30 -------- d-----w C:\Program Files\iTunes 2007-06-06 09:29:54 -------- d-----w C:\Program Files\Google 2007-06-06 09:29:50 -------- d-----w C:\Program Files\GetRight 2007-06-06 09:29:30 -------- d-----w C:\Program Files\Digital Line Detect 2007-06-06 07:51:12 -------- d-----w C:\DOCUME~1\GRAEME~1\APPLIC~1\Lavasoft 2007-06-03 01:25:51 -------- d-----w C:\Program Files\Media Gateway 2007-06-03 00:20:55 
-------- d-----w C:\Program Files\iPod 2007-05-29 03:08:27 -------- d-----w C:\Program Files\ImTOO 2007-05-17 08:31:07 -------- d-----w C:\Program Files\LimeWire 2007-05-08 10:51:43 -------- d-----w C:\Program Files\WMR11 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll 2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll 2005-05-13 07:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe 2005-10-24 01:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe 2005-10-13 11:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe 2005-10-07 09:14:52 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll 2005-07-14 02:31:20 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll 2005-06-26 05:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll 2005-06-21 12:37:42 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll 2004-01-24 14:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll 2006-08-27 04:58:59 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys 2004-10-05 15 30 380,928 --sh--r C:\WINDOWS\SYSTEM32\r?ndll32.exe2006-04-27 00:24:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll 2005-02-28 03:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe 2004-01-24 14:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit 
default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2005-02-14 12:08] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 22:55] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-30 12:12] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 20:42] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:31] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 12:12] "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs* Contents of the 'Scheduled Tasks' folder 2007-06-04 10:13:36 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2006-02-11 23:01:17 C:\WINDOWS\tasks\XoftSpy.job 2007-06-09 07:00:01 C:\WINDOWS\tasks\XoftSpySE 2.job 2007-06-08 17:00:00 C:\WINDOWS\tasks\XoftSpySE.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-09 17:05:18 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-09 17 09C:\ComboFix-quarantined-files.txt ... 2007-06-09 17:05 C:\ComboFix2.txt ... 2007-06-09 10:12 --- E O F --- Kaspersky ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Saturday, June 09, 2007 6:58:31 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 9/06/2007 Kaspersky Anti-Virus database records: 341561 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ Scan Statistics: Total number of scanned objects: 66308 Number of viruses found: 30 Number of infected objects: 112 / 0 Number of suspicious objects: 79 Duration of the scan process: 01:13:26 Infected Object Name / Virus Name / Last Action C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\res7.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.g skipped C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\targetsaver.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\targetsaver.exe WiseSFX: infected - 1 skipped C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\win71.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\win71.tmp.exe NSIS: infected - 1 skipped C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\wnd5C.tmp Infected: Trojan.Win32.Dialer.qn skipped C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\loader2.exe Infected: not-a-virus:AdWare.Win32.Azesearch.h skipped 
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\MediaGatewayX.dll Infected: not-a-virus:AdWare.Win32.WinAD.bg skipped C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX6_0001_N57M0912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.b skipped C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped C:\Deckard\System Scanner\backup\WINDOWS\temp\bw2.com Infected: not-a-virus:AdWare.Win32.Zestyfind skipped C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\X5YVW4GU\send_car_int[1].htm Suspicious: Exploit.HTML.CodeBaseExec skipped C:\Deckard\System Scanner\backup\WINDOWS\temp\win26.tmp.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped C:\Deckard\System Scanner\backup\WINDOWS\temp\win26.tmp.exe NSIS: infected - 1 skipped C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\Graeme Knight\#9.50.173.250 auto.search.msn.com Infected: Trojan.Win32.Qhost.cy skipped C:\Documents and Settings\Graeme Knight\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-393d648-4b9fc13c.class Infected: 
Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\Graeme Knight\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\Temp\~DF25FC.tmp Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\Temp\~DF2609.tmp Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Graeme Knight\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Graeme Knight\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Graeme Knight\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1162OinAdmin.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\QooBox\Quarantine\C\WHCC2.exe.vir/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\QooBox\Quarantine\C\WHCC2.exe.vir/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\QooBox\Quarantine\C\WHCC2.exe.vir/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\QooBox\Quarantine\C\WHCC2.exe.vir/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\QooBox\Quarantine\C\WHCC2.exe.vir/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\QooBox\Quarantine\C\WHCC2.exe.vir RarSFX: infected - 5 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aza007hme.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\CTSEQCHK.DLL.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cyedui.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dn0001dme.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gpp8l37u1.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\HHFCI005.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hrl2053oe.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IRETCPLC.DLL.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkhhi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jt0407dqe.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jt4007hme.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\k6no0g53e6.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\l02slaf71d2.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mljjkjg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mtdibftx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\MUOBJS.DLL.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\n8n6li5s18.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\namssvc.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\o2rolc931f.dll.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqrolkk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vkjjddei.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtuvwut.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\winwly32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ysoplxen.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\QooBox\Quarantine\C\WINDOWS\warebundle.exe.vir Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\winsysupd.exe.vir Infected: Trojan.Win32.StartPage.ahg skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563007.exe Infected: not-a-virus:AdWare.Win32.Azesearch.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563008.exe Infected: not-a-virus:AdWare.Win32.Azesearch.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563009.dll Infected: not-a-virus:AdWare.Win32.Azesearch.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563010.dll Infected: not-a-virus:AdWare.Win32.Azesearch.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563011.exe Infected: not-a-virus:AdWare.Win32.Azesearch.h skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563023.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563024.exe/data0004 Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563024.exe/data0006 Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563024.exe/data0010 Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563024.exe/data0011/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563024.exe/data0011 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563024.exe NSIS: infected - 5 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP922\A0564206.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP924\A0568256.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575277.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575278.exe Infected: Trojan.Win32.StartPage.ahg skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575279.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575279.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575279.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575279.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575279.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575279.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575280.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575281.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575282.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575286.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575288.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575395.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575397.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575398.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575399.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575400.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575401.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575402.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575403.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575404.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575405.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575406.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575407.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575408.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575409.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575410.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575411.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575691.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575693.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575694.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll Infected: not-a-virus:AdTool.Win32.WinAD.bv skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N68M1801NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.d skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX6_0001_N57M0912NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.b skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5_0001_N66M1101NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.f skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\#9.50.173.250 auto.search.msn.com Infected: Trojan.Win32.Qhost.cy skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\rυndll32.exe Infected: not-a-virus:AdWare.Win32.PurityScan.aa skipped
C:\WINDOWS\SYSTEM32\TFTP1032 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP1328 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP1484 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP1504 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP1640 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP188 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP1916 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2124 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2160 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2164 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2184 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2312 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2336 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2360 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2396 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2484 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2504 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2508 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2516 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2536 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2552 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2560 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2564 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2568 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2592 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2608 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2636 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2664 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2676 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2708 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2720 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2732 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2736 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2784 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2788 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2796 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2800 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2816 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2828 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2868 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2880 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2900 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2912 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2944 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2952 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP2968 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3020 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3048 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3056 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3088 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3100 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3120 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3184 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3212 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3248 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3256 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3304 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3392 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3396 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3416 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3440 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3520 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3544 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3616 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3636 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3648 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3680 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3716 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3760 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3784 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3832 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3848 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP3984 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP4000 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP436 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP928 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\TFTP996 Suspicious: Packed.Win32.Morphine.a skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WHCC2.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\WINDOWS\WHCC2.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WINDOWS\WHCC2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WINDOWS\WHCC2.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WINDOWS\WHCC2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped
C:\WINDOWS\WHCC2.exe RarSFX: infected - 5 skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 7:01:35 PM, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\downloads\Graeme Knight.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.televisionwithoutpity.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1135801488718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135801190937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A602BD-B187-457D-983A-4741DB484CF7}: NameServer = 203.50.2.71,139.130.4.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Cheers
#9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Before doing any fixing, please locate this file, and upload it for examination:

C:\WINDOWS\SYSTEM32\r?ndll32.exe <<<The ? may appear as any character. The file may be located towards the end of the System32 folder. This is not the legit rundll32.exe. Right click on the file and check its properties to make sure you send the right one. It will have a size of 380,928 bytes, and was created on 10/06/2004 01:06 AM

Once you've located it, please do this:
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.
---------------------------------------------------------------------------------------------
Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
---------------------------------------------------------------------------------------------
Open notepad and copy/paste the text in the quotebox below into it:
Quote:

Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
---------------------------------------------------------------------------------------------
Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.
Delete the following if they exist:
C:\WINDOWS\SYSTEM32\r?ndll32.exe <<<The ? may appear as any character. The file may be located towards the end of the System32 folder. This is not the legit rundll32.exe. Right click on the file and check its properties to make sure you delete the right one. It will have a size of 380,928 bytes, and was created on 10/06/2004 01:06 AM
The legit file is this one:
08/04/2004 05:56 PM 33,280 rundll32.exe
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
Run Deckard's System scanner once again. Post its log.
---------------------------------------------------------------------------------------------
Please return with results from:
ComboFix
SDFix
DSS (main.txt)
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
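The file the helper asks for, listed in the Kaspersky log as C:\WINDOWS\SYSTEM32\rυndll32.exe, differs from the real rundll32.exe by a single non-ASCII letter (U+03C5, Greek small upsilon), which is why the post writes it as r?ndll32.exe and tells the user to confirm the 380,928-byte size before touching it. The script below is an added example, not a tool from this thread or from ComboFix, SDFix or Deckard's scanner: it audits a directory listing for look-alike names of protected system binaries and for exact-name files whose size disagrees with a known-good reference. The 33,280-byte reference for rundll32.exe is the figure the helper quotes; the other protected names, and all sizes in the sample listing except that one, are constructed for illustration.

```python
from __future__ import annotations

import os
import unicodedata
from typing import Iterable

# Names a look-alike in System32 would try to pass for. The 33,280-byte
# reference size for rundll32.exe is the figure quoted by the helper in this
# thread; None means no reference size is available. The other two names are
# assumed entries added for the example.
PROTECTED: dict[str, int | None] = {
    "rundll32.exe": 33_280,
    "svchost.exe": None,
    "explorer.exe": None,
}


def skeleton(name: str) -> str:
    """Lower-case the name and replace every non-ASCII character with '?',
    the same wildcard the helper used when writing r?ndll32.exe."""
    return "".join(ch.lower() if ch.isascii() else "?" for ch in name)


def describe_non_ascii(name: str) -> list[str]:
    """Human-readable code point and Unicode name for each non-ASCII character."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
            for ch in name if not ch.isascii()]


def wildcard_equal(pattern: str, target: str) -> bool:
    """True when pattern equals target except at the '?' positions."""
    return len(pattern) == len(target) and all(
        p == "?" or p == t for p, t in zip(pattern, target))


def audit_listing(entries: Iterable[tuple[str, int]]) -> list[tuple[str, str]]:
    """Check (filename, size) pairs against PROTECTED.

    Returns (filename, reason) for every entry that either impersonates a
    protected name with non-ASCII look-alike characters, or carries the exact
    name but not the expected size."""
    findings: list[tuple[str, str]] = []
    for name, size in entries:
        skel = skeleton(name)
        for legit, expected in PROTECTED.items():
            if skel == legit:
                # Same name (case-insensitively): only the size can tell a
                # replaced binary apart from the real one in this check.
                if expected is not None and size != expected:
                    findings.append(
                        (name, f"size {size:,} differs from expected {expected:,}"))
            elif "?" in skel and wildcard_equal(skel, legit):
                findings.append(
                    (name, f"homoglyph of {legit}: " + ", ".join(describe_non_ascii(name))))
    return findings


def audit_directory(path: str) -> list[tuple[str, str]]:
    """Audit the regular files of one directory, e.g. C:\\WINDOWS\\SYSTEM32."""
    with os.scandir(path) as it:
        entries = [(e.name, e.stat().st_size) for e in it if e.is_file()]
    return audit_listing(entries)


# Constructed sample listing. Only rundll32.exe's 33,280 bytes comes from the
# thread; the 380,928-byte look-alike mirrors the size the helper describes.
SAMPLE_LISTING = [
    ("rundll32.exe", 33_280),
    ("r\u03c5ndll32.exe", 380_928),  # U+03C5 GREEK SMALL LETTER UPSILON, as in the scan log
    ("svchost.exe", 14_336),          # constructed size, no reference known
    ("RUNDLL32.EXE", 33_280),         # same file name in different case: not a finding
]

if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```

On the sample listing only the upsilon variant is reported; the upper-case RUNDLL32.EXE collapses to the same skeleton as the legitimate name and matches the reference size, so it is left alone. Running audit_directory on a live System32 would add size mismatches for any protected name whose reference size is filled in, which is the manual properties check from the post done for the whole folder at once.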
#10 (permalink)
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hi,
Combofix

ComboFix 07-06-09.1 - C:\Documents and Settings\GRAEME~1\Desktop\ComboFix.exe
"Graeme Knight" - 2007-06-10 9:39:27 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\GRAEME~1\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\res7.tmp
C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\targetsaver.exe
C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\win71.tmp.exe
C:\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\wnd5C.tmp
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\loader2.exe
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\MediaGatewayX.dll
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX5_0001_N66M1101NetInstaller.exe
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX6_0001_N57M0912NetInstaller.exe
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe
C:\Deckard\System Scanner\backup\WINDOWS\temp\bw2.com
C:\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\X5YVW4GU\send_car_int[1].htm
C:\Deckard\System Scanner\backup\WINDOWS\temp\win26.tmp.exe
C:\Documents and Settings\Graeme Knight\#9.50.173.250 auto.search.msn.com
C:\Documents and Settings\Graeme Knight\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-393d648-4b9fc13c.class
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N68M1801NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N66M1101NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX6_0001_N57M0912NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N66M1101NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5_0001_N66M1101NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5_0001_N66M1101NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5_0001_N66M1101NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5_0001_N66M1101NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5_0001_N66M1101NetInstaller.exe
C:\WINDOWS\SYSTEM32\#9.50.173.250 auto.search.msn.com
C:\WINDOWS\SYSTEM32\gpfauwux.exe
C:\WINDOWS\SYSTEM32\TFTP1032
C:\WINDOWS\SYSTEM32\TFTP1328
C:\WINDOWS\SYSTEM32\TFTP1484
C:\WINDOWS\SYSTEM32\TFTP1504
C:\WINDOWS\SYSTEM32\TFTP1640
C:\WINDOWS\SYSTEM32\TFTP188
C:\WINDOWS\SYSTEM32\TFTP1916
C:\WINDOWS\SYSTEM32\TFTP2124
C:\WINDOWS\SYSTEM32\TFTP2160
C:\WINDOWS\SYSTEM32\TFTP2164
C:\WINDOWS\SYSTEM32\TFTP2184
C:\WINDOWS\SYSTEM32\TFTP2312
C:\WINDOWS\SYSTEM32\TFTP2336
C:\WINDOWS\SYSTEM32\TFTP2360
C:\WINDOWS\SYSTEM32\TFTP2396
C:\WINDOWS\SYSTEM32\TFTP2484
C:\WINDOWS\SYSTEM32\TFTP2504
C:\WINDOWS\SYSTEM32\TFTP2508
C:\WINDOWS\SYSTEM32\TFTP2516
C:\WINDOWS\SYSTEM32\TFTP2536
C:\WINDOWS\SYSTEM32\TFTP2552
C:\WINDOWS\SYSTEM32\TFTP2560
C:\WINDOWS\SYSTEM32\TFTP2564
C:\WINDOWS\SYSTEM32\TFTP2568
C:\WINDOWS\SYSTEM32\TFTP2592
C:\WINDOWS\SYSTEM32\TFTP2608
C:\WINDOWS\SYSTEM32\TFTP2636
C:\WINDOWS\SYSTEM32\TFTP2664
C:\WINDOWS\SYSTEM32\TFTP2676
C:\WINDOWS\SYSTEM32\TFTP2708
C:\WINDOWS\SYSTEM32\TFTP2720
C:\WINDOWS\SYSTEM32\TFTP2732
C:\WINDOWS\SYSTEM32\TFTP2736
C:\WINDOWS\SYSTEM32\TFTP2784
C:\WINDOWS\SYSTEM32\TFTP2788
C:\WINDOWS\SYSTEM32\TFTP2796
C:\WINDOWS\SYSTEM32\TFTP2800
C:\WINDOWS\SYSTEM32\TFTP2816
C:\WINDOWS\SYSTEM32\TFTP2828
C:\WINDOWS\SYSTEM32\TFTP2868
C:\WINDOWS\SYSTEM32\TFTP2880
C:\WINDOWS\SYSTEM32\TFTP2900
C:\WINDOWS\SYSTEM32\TFTP2912
C:\WINDOWS\SYSTEM32\TFTP2944
C:\WINDOWS\SYSTEM32\TFTP2952
C:\WINDOWS\SYSTEM32\TFTP2968
C:\WINDOWS\SYSTEM32\TFTP3020
C:\WINDOWS\SYSTEM32\TFTP3048
C:\WINDOWS\SYSTEM32\TFTP3056
C:\WINDOWS\SYSTEM32\TFTP3088
C:\WINDOWS\SYSTEM32\TFTP3100
C:\WINDOWS\SYSTEM32\TFTP3120
C:\WINDOWS\SYSTEM32\TFTP3184
C:\WINDOWS\SYSTEM32\TFTP3212
C:\WINDOWS\SYSTEM32\TFTP3248
C:\WINDOWS\SYSTEM32\TFTP3256
C:\WINDOWS\SYSTEM32\TFTP3304
C:\WINDOWS\SYSTEM32\TFTP3392
C:\WINDOWS\SYSTEM32\TFTP3396
C:\WINDOWS\SYSTEM32\TFTP3416
C:\WINDOWS\SYSTEM32\TFTP3440
C:\WINDOWS\SYSTEM32\TFTP3520
C:\WINDOWS\SYSTEM32\TFTP3544
C:\WINDOWS\SYSTEM32\TFTP3616
C:\WINDOWS\SYSTEM32\TFTP3636
C:\WINDOWS\SYSTEM32\TFTP3648
C:\WINDOWS\SYSTEM32\TFTP3680
C:\WINDOWS\SYSTEM32\TFTP3716
C:\WINDOWS\SYSTEM32\TFTP3760
C:\WINDOWS\SYSTEM32\TFTP3784
C:\WINDOWS\SYSTEM32\TFTP3832
C:\WINDOWS\SYSTEM32\TFTP3848
C:\WINDOWS\SYSTEM32\TFTP3984
C:\WINDOWS\SYSTEM32\TFTP4000
C:\WINDOWS\SYSTEM32\TFTP436
C:\WINDOWS\SYSTEM32\TFTP928
C:\WINDOWS\SYSTEM32\TFTP996
C:\WINDOWS\WHCC2.exe

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-09 17:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-06-09 17:12 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-09 09:52 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 20:44 <DIR> d-------- C:\Deckard
2007-06-06 20:28 <DIR> d-------- C:\ie-spyad
2007-06-06 20:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-06 18:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-06 17:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-06 17:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-03 11:50 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-03 11:16 <DIR> d-------- C:\Program Files\XoftSpySE
2007-05-12 17:56 <DIR> d-------- C:\Program Files\ACW

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 23:23:59 -------- d-----w C:\DOCUME~1\GRAEME~1\APPLIC~1\uTorrent
2007-06-09 11:24:41 -------- d-----w C:\Program Files\Blaze Media Pro
2007-06-06 09:33:59 -------- d-----w C:\Program Files\QuickTime
2007-06-06 09:30:30 -------- d-----w C:\Program Files\iTunes
2007-06-06 09:29:54 -------- d-----w C:\Program Files\Google
2007-06-06 09:29:50 -------- d-----w C:\Program Files\GetRight
2007-06-06 09:29:30 -------- d-----w C:\Program Files\Digital Line Detect
2007-06-06 07:51:12 -------- d-----w C:\DOCUME~1\GRAEME~1\APPLIC~1\Lavasoft
2007-06-03 01:25:51 -------- d-----w C:\Program Files\Media Gateway
2007-06-03 00:20:55 -------- d-----w C:\Program Files\iPod
2007-05-29 03:08:27 -------- d-----w C:\Program Files\ImTOO
2007-05-17 08:31:07 -------- d-----w C:\Program Files\LimeWire
2007-05-08 10:51:43 -------- d-----w C:\Program Files\WMR11
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 12:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 12:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2005-05-13 07:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 01:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-13 11:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 09:14:52 308,224 --sha-r C:\WINDOWS\SYSTEM32\avisynth.dll
2005-07-14 02:31:20 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 05:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 12:37:42 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2004-01-24 14:00:00 70,656
--sha-r C:\WINDOWS\SYSTEM32\i420vfw.dll
2006-08-27 04:58:59 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2004-10-05 15 30 380,928 --sh--r C:\WINDOWS\SYSTEM32\r?ndll32.exe
2006-04-27 00:24:24 2,945,024 --sha-r C:\WINDOWS\SYSTEM32\Smab.dll
2005-02-28 03:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe
2004-01-24 14:00:00 70,656 --sha-r C:\WINDOWS\SYSTEM32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}=C:\Program Files\GetRight\xx2gr.dll [2005-02-14 12:08]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 22:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-05-30 12:12]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-24 20:42]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:31]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-30 12:12]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-04 10:13:36 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2006-02-11 23:01:17 C:\WINDOWS\tasks\XoftSpy.job
2007-06-09 07:00:01 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-08 17:00:00 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 09:44:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 9:45:12
C:\ComboFix-quarantined-files.txt ... 2007-06-10 09:44
C:\ComboFix2.txt ... 2007-06-09 17:06
C:\ComboFix3.txt ... 2007-06-09 10:12
--- E O F ---

SDFix

SDFix: Version 1.86
Run by Graeme Knight - 06/10/2007 - 10:01:26.50
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...
Normal Mode: Checking Files: Below files will be copied to Backups folder then removed: C:\WINDOWS\system32\TFTP1008 - Deleted C:\WINDOWS\system32\TFTP1024 - Deleted C:\WINDOWS\system32\TFTP1072 - Deleted C:\WINDOWS\system32\TFTP1112 - Deleted C:\WINDOWS\system32\TFTP1120 - Deleted C:\WINDOWS\system32\TFTP1128 - Deleted C:\WINDOWS\system32\TFTP1196 - Deleted C:\WINDOWS\system32\TFTP1592 - Deleted C:\WINDOWS\system32\TFTP1756 - Deleted C:\WINDOWS\system32\TFTP1892 - Deleted C:\WINDOWS\system32\TFTP1896 - Deleted C:\WINDOWS\system32\TFTP1904 - Deleted C:\WINDOWS\system32\TFTP1944 - Deleted C:\WINDOWS\system32\TFTP2024 - Deleted C:\WINDOWS\system32\TFTP2028 - Deleted C:\WINDOWS\system32\TFTP2168 - Deleted C:\WINDOWS\system32\TFTP220 - Deleted C:\WINDOWS\system32\TFTP2204 - Deleted C:\WINDOWS\system32\TFTP2212 - Deleted C:\WINDOWS\system32\TFTP2284 - Deleted C:\WINDOWS\system32\TFTP2288 - Deleted C:\WINDOWS\system32\TFTP2320 - Deleted C:\WINDOWS\system32\TFTP2364 - Deleted C:\WINDOWS\system32\TFTP2392 - Deleted C:\WINDOWS\system32\TFTP2400 - Deleted C:\WINDOWS\system32\TFTP2404 - Deleted C:\WINDOWS\system32\TFTP2408 - Deleted C:\WINDOWS\system32\TFTP2416 - Deleted C:\WINDOWS\system32\TFTP2452 - Deleted C:\WINDOWS\system32\TFTP2456 - Deleted C:\WINDOWS\system32\TFTP2492 - Deleted C:\WINDOWS\system32\TFTP2524 - Deleted C:\WINDOWS\system32\TFTP2528 - Deleted C:\WINDOWS\system32\TFTP2532 - Deleted C:\WINDOWS\system32\TFTP2540 - Deleted C:\WINDOWS\system32\TFTP2544 - Deleted C:\WINDOWS\system32\TFTP2604 - Deleted C:\WINDOWS\system32\TFTP2612 - Deleted C:\WINDOWS\system32\TFTP2628 - Deleted C:\WINDOWS\system32\TFTP2648 - Deleted C:\WINDOWS\system32\TFTP2652 - Deleted C:\WINDOWS\system32\TFTP2660 - Deleted C:\WINDOWS\system32\TFTP2684 - Deleted C:\WINDOWS\system32\TFTP2688 - Deleted C:\WINDOWS\system32\TFTP2692 - Deleted C:\WINDOWS\system32\TFTP2700 - Deleted C:\WINDOWS\system32\TFTP2740 - Deleted C:\WINDOWS\system32\TFTP2764 - Deleted C:\WINDOWS\system32\TFTP2768 - Deleted 
C:\WINDOWS\system32\TFTP2772 - Deleted C:\WINDOWS\system32\TFTP2804 - Deleted C:\WINDOWS\system32\TFTP2808 - Deleted C:\WINDOWS\system32\TFTP2820 - Deleted C:\WINDOWS\system32\TFTP2832 - Deleted C:\WINDOWS\system32\TFTP2836 - Deleted C:\WINDOWS\system32\TFTP2872 - Deleted C:\WINDOWS\system32\TFTP2876 - Deleted C:\WINDOWS\system32\TFTP2888 - Deleted C:\WINDOWS\system32\TFTP2908 - Deleted C:\WINDOWS\system32\TFTP2936 - Deleted C:\WINDOWS\system32\TFTP2956 - Deleted C:\WINDOWS\system32\TFTP2980 - Deleted C:\WINDOWS\system32\TFTP2996 - Deleted C:\WINDOWS\system32\TFTP3000 - Deleted C:\WINDOWS\system32\TFTP3004 - Deleted C:\WINDOWS\system32\TFTP3028 - Deleted C:\WINDOWS\system32\TFTP3032 - Deleted C:\WINDOWS\system32\TFTP3036 - Deleted C:\WINDOWS\system32\TFTP3060 - Deleted C:\WINDOWS\system32\TFTP3072 - Deleted C:\WINDOWS\system32\TFTP3084 - Deleted C:\WINDOWS\system32\TFTP3092 - Deleted C:\WINDOWS\system32\TFTP3124 - Deleted C:\WINDOWS\system32\TFTP3132 - Deleted C:\WINDOWS\system32\TFTP3144 - Deleted C:\WINDOWS\system32\TFTP3148 - Deleted C:\WINDOWS\system32\TFTP3156 - Deleted C:\WINDOWS\system32\TFTP3188 - Deleted C:\WINDOWS\system32\TFTP3196 - Deleted C:\WINDOWS\system32\TFTP3232 - Deleted C:\WINDOWS\system32\TFTP3240 - Deleted C:\WINDOWS\system32\TFTP3252 - Deleted C:\WINDOWS\system32\TFTP3264 - Deleted C:\WINDOWS\system32\TFTP3280 - Deleted C:\WINDOWS\system32\TFTP3300 - Deleted C:\WINDOWS\system32\TFTP3316 - Deleted C:\WINDOWS\system32\TFTP3320 - Deleted C:\WINDOWS\system32\TFTP3336 - Deleted C:\WINDOWS\system32\TFTP3340 - Deleted C:\WINDOWS\system32\TFTP3344 - Deleted C:\WINDOWS\system32\TFTP3348 - Deleted C:\WINDOWS\system32\TFTP3364 - Deleted C:\WINDOWS\system32\TFTP3408 - Deleted C:\WINDOWS\system32\TFTP3464 - Deleted C:\WINDOWS\system32\TFTP3476 - Deleted C:\WINDOWS\system32\TFTP3484 - Deleted C:\WINDOWS\system32\TFTP3492 - Deleted C:\WINDOWS\system32\TFTP3524 - Deleted C:\WINDOWS\system32\TFTP3528 - Deleted C:\WINDOWS\system32\TFTP3552 - Deleted 
C:\WINDOWS\system32\TFTP3592 - Deleted C:\WINDOWS\system32\TFTP3608 - Deleted C:\WINDOWS\system32\TFTP3628 - Deleted C:\WINDOWS\system32\TFTP3632 - Deleted C:\WINDOWS\system32\TFTP3640 - Deleted C:\WINDOWS\system32\TFTP368 - Deleted C:\WINDOWS\system32\TFTP3704 - Deleted C:\WINDOWS\system32\TFTP3712 - Deleted C:\WINDOWS\system32\TFTP3748 - Deleted C:\WINDOWS\system32\TFTP3752 - Deleted C:\WINDOWS\system32\TFTP3768 - Deleted C:\WINDOWS\system32\TFTP3780 - Deleted C:\WINDOWS\system32\TFTP3788 - Deleted C:\WINDOWS\system32\TFTP3808 - Deleted C:\WINDOWS\system32\TFTP3816 - Deleted C:\WINDOWS\system32\TFTP3824 - Deleted C:\WINDOWS\system32\TFTP3852 - Deleted C:\WINDOWS\system32\TFTP388 - Deleted C:\WINDOWS\system32\TFTP3880 - Deleted C:\WINDOWS\system32\TFTP3888 - Deleted C:\WINDOWS\system32\TFTP3956 - Deleted C:\WINDOWS\system32\TFTP3976 - Deleted C:\WINDOWS\system32\TFTP3980 - Deleted C:\WINDOWS\system32\TFTP3996 - Deleted C:\WINDOWS\system32\TFTP4008 - Deleted C:\WINDOWS\system32\TFTP4032 - Deleted C:\WINDOWS\system32\TFTP4036 - Deleted C:\WINDOWS\system32\TFTP4044 - Deleted C:\WINDOWS\system32\TFTP4064 - Deleted C:\WINDOWS\system32\TFTP440 - Deleted C:\WINDOWS\system32\TFTP516 - Deleted C:\WINDOWS\system32\TFTP800 - Deleted C:\WINDOWS\system32\TFTP860 - Deleted C:\WINDOWS\system32\TFTP904 - Deleted C:\WINDOWS\system32\TFTP960 - Deleted C:\WINDOWS\system32\TFTP980 - Deleted C:\WINDOWS\system32\TFTP988 - Deleted Removing Temp Files... ADS Check: Checking if ADS is attached to system32 Folder C:\WINDOWS\system32 No streams found. Checking if ADS is attached to svchost.exe C:\WINDOWS\system32\svchost.exe No streams found. Checking if ADS is attached to ntoskrnl.exe C:\WINDOWS\system32\ntoskrnl.exe No streams found. 
Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\WINDOWS\SYSTEM32\avisynth.dll
C:\WINDOWS\SYSTEM32\AVSredirect.dll
C:\WINDOWS\SYSTEM32\cygwin1.dll
C:\WINDOWS\SYSTEM32\cygz.dll
C:\WINDOWS\SYSTEM32\i420vfw.dll
C:\WINDOWS\SYSTEM32\Smab.dll
C:\WINDOWS\SYSTEM32\yv12vfw.dll
C:\RECYCLER\S-1-5-21-2813653242-4190985015-3280066550-1007\Dc1.exe
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0562941.exe
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575275.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\x2.64.exe
C:\WINDOWS\SYSTEM32\x.264.exe
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\Deckard\System Scanner\backup\WINDOWS\temp\nhvqh83u.TMP
C:\Documents and Settings\Graeme Knight\My Documents\~WRL0030.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL0157.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL0372.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL0824.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL0844.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL1099.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL1189.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL1875.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL2326.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL2377.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL2416.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL3690.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL3857.tmp
C:\Documents and Settings\Graeme Knight\My Documents\~WRL3867.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL0119.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL0279.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL1000.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL1321.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL1669.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL3779.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL3863.tmp
C:\Documents and Settings\Graeme Knight\My Documents\word documents\~WRL3869.tmp
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG

Listing User Accounts:

User accounts for \\BOB

Administrator
ASPNET
Graeme Knight
Guest
HelpAssistant
SUPPORT_388945a0
SUPPORT_3f151ab9

Finished

DSS

Deckard's System Scanner v20070603.47
Run by Graeme Knight on 2007-06-10 at 10:57:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Graeme Knight.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:58:29 AM, on 06/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\downloads\dss.exe
C:\DOWNLO~1\GRAEME~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.televisionwithoutpity.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU) O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU) O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
http://update.microsoft.com/microsof...?1135801488718 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135801190937 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{73A602BD-B187-457D-983A-4741DB484CF7}: NameServer = 203.50.2.71,139.130.4.4 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. 
- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

-- Files created between 2007-05-10 and 2007-06-10 -----------------------------

2007-06-09 17:12:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-09 11:49:17 0 d-------- C:\Program Files\Common Files\Java
2007-06-09 10:08:43 0 d-------- C:\Avenger
2007-06-06 20:28:38 0 d-------- C:\ie-spyad
2007-06-06 20:18:28 0 d-------- C:\Program Files\SpywareBlaster
2007-06-06 18:47:32 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-06 17:50:02 0 d-------- C:\Program Files\Lavasoft
2007-06-06 17:48:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-03 11:50:03 0 d-------- C:\WINDOWS\network diagnostic
2007-06-03 11:16:09 0 d-------- C:\Program Files\XoftSpySE
2007-05-12 17:56:41 0 d-------- C:\Program Files\ACW

-- Find3M Report ---------------------------------------------------------------

2007-06-10 09:23:59 0 d-------- C:\Documents and Settings\Graeme Knight\Application Data\uTorrent
2007-06-09 21:24:41 0 d-------- C:\Program Files\Blaze Media Pro
2007-06-09 11:50:21 0 d-------- C:\Program Files\Java
2007-06-06 19:33:59 0 d-------- C:\Program Files\QuickTime
2007-06-06 19:30:30 0 d-------- C:\Program Files\iTunes
2007-06-06 19:29:54 0 d-------- C:\Program Files\Google
2007-06-06 19:29:50 0 d-------- C:\Program Files\GetRight
2007-06-06 19:29:30 0 d-------- C:\Program Files\Digital Line Detect
2007-06-06 17:51:12 0 d-------- C:\Documents and Settings\Graeme Knight\Application Data\Lavasoft
2007-06-03 11:25:51 0 d-------- C:\Program Files\Media Gateway
2007-06-03 10:20:55 0 d-------- C:\Program Files\iPod
2007-05-29 13:08:27 0 d-------- C:\Program Files\ImTOO
2007-05-17 18:31:07 0 d-------- C:\Program Files\LimeWire
2007-05-08 20:51:43 0 d-------- C:\Program Files\WMR11

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8} C:\Program Files\GetRight\xx2gr.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-06-10 at 10:59:05 ---------

Cheers
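The listings in the post above are long enough that a first pass is better done mechanically than by eye. The questions a practitioner asks of them are: which entries are still live on the disk, as opposed to already sitting in a tool's quarantine folder or in a System Restore point; which files in the Windows directory carry the system+hidden attributes that droppers like to set; are there still TFTP<digits> files in system32 (ComboFix and SDFix removed well over a hundred of them here); and which HijackThis autostart entries point at files that no longer exist. The script below is an added example for this thread, not output or code from ComboFix, SDFix, HijackThis or DSS. The line formats it parses are inferred from the logs as posted, the attribute letters `s` and `h` are read as system and hidden, the location classes (quarantine, restore point, recycler, windows root, system32) are my own grouping, and the sample lines are copied from the posted logs rather than from a live machine.

```python
"""Offline triage of ComboFix / SDFix / HijackThis style listings.

Added example for this thread; not code from any of those tools.  It reads the
pasted text, splits the entries into "worth a human look" categories and counts
them, so the live artefacts are separated from the ones already contained.
"""
import re
from collections import Counter

# Sample lines copied from the listings posted above (not a live scan).
SAMPLE_LOG = r"""
2005-05-13 07:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2006-08-27 04:58:59 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\WINDOWS\SYSTEM32\TFTP2124
C:\WINDOWS\system32\TFTP3592 - Deleted
C:\RECYCLER\S-1-5-21-2813653242-4190985015-3280066550-1007\Dc1.exe
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0562941.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")

# "date time size attrs path" as in the ComboFix Find3M / DSS file lists (format inferred from the logs).
ATTR_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+)\s+([-\w]{7,9})\s+(.+)$")
# HijackThis "O<n> - ..." entries.
HJT_LINE = re.compile(r"^(O\d+) - (.+)$")
# The TFTP<digits> files that ComboFix and SDFix removed from system32 in this thread.
TFTP_DROP = re.compile(r"\\system32\\TFTP\d+$", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def classify_location(path):
    """Group a path by where it sits; the first two groups are not live on the system."""
    p = path.lower()
    if ("\\qoobox\\quarantine\\" in p or "\\deckard\\system scanner\\backup\\" in p
            or "\\sdfix\\backups\\" in p):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\recycler\\" in p:
        return "recycler"
    if "\\system32\\" in p:
        return "system32"
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        return "windows_root"
    return "other"


def triage_line(line):
    """Return (reason, item) when a line deserves a human look, otherwise None."""
    line = line.strip()
    if not line:
        return None
    if HJT_LINE.match(line):
        # An autostart hook whose target is gone: dead leftover or a loader that was removed.
        return ("dangling-autostart", line) if "(file missing)" in line else None
    attrs = ""
    m = ATTR_LINE.match(line)
    if m:
        attrs, path = m.group(3), m.group(4)
    else:
        # SDFix appends " - Deleted" to the paths it removed.
        path = line[:-len(" - Deleted")] if line.endswith(" - Deleted") else line
    if not DRIVE_PATH.match(path):
        return None
    loc = classify_location(path)
    if loc in ("quarantine", "restore_point"):
        return ("already-contained", path)
    if TFTP_DROP.search(path):
        return ("tftp-drop", path)
    if loc == "recycler" and path.lower().endswith(EXEC_EXT):
        return ("live-recycler-exe", path)
    # 's' and 'h' in the attribute string are read as system and hidden.
    if "s" in attrs and "h" in attrs and path.lower().endswith(EXEC_EXT) and loc in ("windows_root", "system32"):
        return ("hidden-system-exe", path)
    return None


def triage(log_text):
    """All findings for a pasted log, in the order the lines appear."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings):
    """Count findings per reason."""
    return Counter(reason for reason, _ in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, item in found:
        print(f"{reason:20} {item}")
    print(summarize(found))
```

On the sample above this reports two `tftp-drop`, two `hidden-system-exe`, two `dangling-autostart`, one `live-recycler-exe` and one `already-contained`. The categories are prompts to verify, not verdicts: the same SDFix listing shows the system+hidden attributes on ordinary codec and tool files (avisynth.dll, cygwin1.dll, x.264.exe), and the BHO and Run entries in the HijackThis section are all recognisable products. Restore-point hits are inert unless a restore is performed, which is why helpers clear System Restore at the end of a cleanup rather than at the start; a live executable in RECYCLER under a user SID is the opposite case and is worth looking at first.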
#11
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Good job. A bit more work to do, this system was pretty heavily infected.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please download Brute Force Uninstaller to your desktop.
Save it in the same folder you made earlier (c:\BFU). Do not do anything with this yet!

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware. Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows Installation Files".

Note: If you have trouble using the updater, use this link to get the manual updates. Download the file and execute it, allow it to install to the same directory as AVG Anti-Spyware.
http://download.ewido.net/avgas-sign...ll-current.exe

When you have finished updating.... Run AVG Anti-Spyware with its updated definitions: (...it's important that all windows must be closed)

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

---------------------------------------------------------------------------------------------

Run DSS once again, and post its log.

---------------------------------------------------------------------------------------------

Please return with results from:
AVG Anti-Spyware
DSS (main.txt)
__________________
Practice Safe Surfing. Because what you don't know, CAN hurt you.
Microsoft MVP - Consumer Security 2009
#12
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Here are my latest results:
AVG - Anti-spyware

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:22:06 PM 06/10/2007

+ Scan result:

C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\res7.tmp.vir -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\loader2.exe.vir -> Adware.Azesearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563007.exe -> Adware.Azesearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563008.exe -> Adware.Azesearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563009.dll -> Adware.Azesearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563010.dll -> Adware.Azesearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563011.exe -> Adware.Azesearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575713.exe -> Adware.Azesearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563019.exe -> Adware.DollarRevenu : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\CTSEQCHK.DLL.vir -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\HHFCI005.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IRETCPLC.DLL.vir -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\MUOBJS.DLL.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aza007hme.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cyedui.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dn0001dme.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gpp8l37u1.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hrl2053oe.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jt0407dqe.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jt4007hme.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\k6no0g53e6.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\l02slaf71d2.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\n8n6li5s18.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\namssvc.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\o2rolc931f.dll.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\warebundle.exe.vir -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563023.exe -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575277.exe -> Adware.Look2Me : Cleaned with backup (quarantined). 
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575395.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575397.DLL -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575398.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575399.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575400.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575401.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575402.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575403.DLL -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575404.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575405.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575406.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575407.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575408.DLL -> Adware.Look2Me : Cleaned with backup (quarantined). 
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575409.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575410.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575411.dll -> Adware.Look2Me : Cleaned with backup (quarantined). C:\RECYCLER\S-1-5-21-2813653242-4190985015-3280066550-1007\Dc1.exe -> Adware.PurityScan : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mljjkjg.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqrolkk.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtuvwut.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575281.dll -> Adware.Virtumonde : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575288.dll -> Adware.Virtumonde : Cleaned with backup (quarantined). HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\MediaGatewayX.dll.vir -> Adware.WinAD : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaGatewayX.dll.vir -> Adware.WinAD : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575714.dll -> Adware.WinAD : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\temp\bw2.com.vir -> Adware.Zestyfind : Cleaned with backup (quarantined). 
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575720.com -> Adware.Zestyfind : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP188.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2164.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2396.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2516.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2552.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2816.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2828.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2900.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2952.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3088.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3256.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3304.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3616.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3636.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3984.vir -> Backdoor.Rbot : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563024.exe -> Downloader.Agent.a : Cleaned with backup (quarantined). 
C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\win71.tmp.exe.vir -> Downloader.PurityScan.eg : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\temp\win26.tmp.exe.vir -> Downloader.PurityScan.eg : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575712.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575721.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP918\A0563021.config -> Downloader.Small : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\DOCUME~1\GRAEME~1\LOCALS~1\Temp\targetsaver.exe.vir -> Downloader.TSUpdate.j : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575711.exe -> Downloader.TSUpdate.j : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP1032.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP1328.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP1484.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP1504.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP1640.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP1916.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2124.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). 
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2160.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2184.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2312.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2336.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2360.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2484.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2504.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2508.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2536.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2560.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2564.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2568.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2592.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2608.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2636.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). 
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2664.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2676.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2708.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2720.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2732.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2736.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2784.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2788.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2796.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2800.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2868.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2880.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2912.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2944.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP2968.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). 
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3020.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3048.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3056.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3100.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3120.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3184.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3212.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3248.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3392.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3396.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3416.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3440.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3520.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3544.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3648.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). 
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3680.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3716.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3760.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3784.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3832.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP3848.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP4000.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP436.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP928.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\TFTP996.vir -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\SDFix\backups\backups.zip/backups/TFTP3124 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\winsysupd.exe.vir -> Hijacker.StartPage.ahg : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP926\A0575278.exe -> Hijacker.StartPage.ahg : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX6_0001_N57M0912NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup (quarantined). 
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX6_0001_N57M0912NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575718.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_0001_N68M1801NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575715.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575719.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). 
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5_0001_N66M1101NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575717.exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\USDR6_7777_BHLP0611NetInstaller.exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined). C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP929\A0575716.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined). C:\QooBox\Quarantine\C\Deckard\System Scanner\backup\WINDOWS\temp\Temporary Internet Files\Content.IE5\X5YVW4GU\send_car_int[1].htm.vir -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined). C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned. C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. 
C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@2o7[2].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@adbrite[3].txt -> TrackingCookie.Adbrite : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@advertising[2].txt -> TrackingCookie.Advertising : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned. C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned. 
C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@hit.gemius[1].txt -> TrackingCookie.Gemius : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned. C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned. C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@revsci[2].txt -> TrackingCookie.Revsci : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme knight@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. 
C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned. C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\Deckard\System Scanner\20070610105726\backup\WINDOWS\temp\Cookies\graeme knight@zedo[1].txt -> TrackingCookie.Zedo : Cleaned. C:\Documents and Settings\Graeme Knight\Cookies\graeme_knight@zedo[2].txt -> TrackingCookie.Zedo : Cleaned. C:\QooBox\Quarantine\C\Documents and Settings\Graeme Knight\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-393d648-4b9fc13c.class.vir -> Trojan.ClassLoader.Dummy.d : Cleaned with backup (quarantined). ::Report end DSS Deckard's System Scanner v20070603.47 Run by Graeme Knight on 2007-06-10 at 16:28:26 Computer is in Normal Mode. 
-------------------------------------------------------------------------------- -- HijackThis (run as Graeme Knight.exe) --------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 4:31:16 PM, on 06/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\downloads\dss.exe C:\DOWNLO~1\GRAEME~1.EXE C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.televisionwithoutpity.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program 
Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Global Startup: Digital Line Detect.lnk = ? 
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU) O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU) O11 - Options group: [INTERNATIONAL] International* O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - 
http://update.microsoft.com/microsof...?1135801488718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135801190937
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A602BD-B187-457D-983A-4741DB484CF7}: NameServer = 203.50.2.71,139.130.4.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

-- Files created between 2007-05-10 and 2007-06-10 -----------------------------
2007-06-10 15:31:07 0 d-------- C:\Documents and Settings\Graeme Knight\Application Data\Grisoft
2007-06-10 14:59:12 0 d-------- C:\BFU
2007-06-09 17:12:46 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-09 11:49:17 0 d-------- C:\Program Files\Common Files\Java
2007-06-09 10:08:43 0 d-------- C:\Avenger
2007-06-06 20:28:38 0 d-------- C:\ie-spyad
2007-06-06 20:18:28 0 d-------- C:\Program Files\SpywareBlaster
2007-06-06 18:47:32 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-06-06 17:50:02 0 d-------- C:\Program Files\Lavasoft
2007-06-06 17:48:48 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-03 11:50:03 0 d-------- C:\WINDOWS\network diagnostic
2007-06-03 11:16:09 0 d-------- C:\Program Files\XoftSpySE
2007-05-12 17:56:41 0 d-------- C:\Program Files\ACW

-- Find3M Report ---------------------------------------------------------------
2007-06-10 14:53:28 0 d-------- C:\Documents and Settings\Graeme Knight\Application Data\uTorrent
2007-06-09 21:24:41 0 d-------- C:\Program Files\Blaze Media Pro
2007-06-09 11:50:21 0 d-------- C:\Program Files\Java
2007-06-06 19:33:59 0 d-------- C:\Program Files\QuickTime
2007-06-06 19:30:30 0 d-------- C:\Program Files\iTunes
2007-06-06 19:29:54 0 d-------- C:\Program Files\Google
2007-06-06 19:29:50 0 d-------- C:\Program Files\GetRight
2007-06-06 19:29:30 0 d-------- C:\Program Files\Digital Line Detect
2007-06-06 17:51:12 0 d-------- C:\Documents and Settings\Graeme Knight\Application Data\Lavasoft
2007-06-03 11:25:51 0 d-------- C:\Program Files\Media Gateway
2007-06-03 10:20:55 0 d-------- C:\Program Files\iPod
2007-05-29 13:08:27 0 d-------- C:\Program Files\ImTOO
2007-05-17 18:31:07 0 d-------- C:\Program Files\LimeWire
2007-05-08 20:51:43 0 d-------- C:\Program Files\WMR11

-- Registry Dump ---------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8} C:\Program Files\GetRight\xx2gr.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

-- End of Deckard's System Scanner: finished at 2007-06-10 at 16:31:40 ---------

Thanks
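The O17, O20 and O23 entries in a log like the one above are what a helper reads first. As an added example (not from the thread, and not part of HijackThis or Deckard's System Scanner), this Python snippet parses such lines and flags the items a reviewer would check by hand: services whose binary is missing or that have no vendor, Winlogon Notify DLLs outside system32, and the per-interface DNS servers. The sample lines are copied from the log above, except the notify_sample.dll line, which is constructed.

```python
import re

# Lines copied from the log above plus one constructed O20 line (notify_sample.dll is invented).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A602BD-B187-457D-983A-4741DB484CF7}: NameServer = 203.50.2.71,139.130.4.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: sample - C:\Documents and Settings\user\Application Data\notify_sample.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
SYSTEM32 = "c:\\windows\\system32\\"

def parse_line(line):
    """Split one HJT line into its section code and body; None for non-HJT text."""
    m = HJT_LINE.match(line.strip())
    return {"section": m.group(1), "body": m.group(2)} if m else None

def triage(entry):
    """Heuristic review flags for one parsed entry (empty list = nothing stood out)."""
    sec, body, flags = entry["section"], entry["body"], []
    if sec == "O23":  # services: a vanished binary or no vendor is worth a look
        if "(file missing)" in body:
            flags.append("service binary missing")
        if " - Unknown owner - " in body:
            flags.append("service has no vendor/owner")
    elif sec == "O20":  # Winlogon Notify DLLs load inside winlogon; expect system32
        dll = body.rsplit(" - ", 1)[-1].strip().lower()
        if not dll.startswith(SYSTEM32):
            flags.append("Winlogon Notify DLL outside system32")
    elif sec == "O17":  # per-interface DNS servers; confirm they belong to the ISP
        m = re.search(r"NameServer = ([\d.,]+)", body)
        if m:
            flags.append("verify DNS servers: " + m.group(1))
    return flags

def triage_log(text):
    """Return [(section, body, flags)] for every HJT line that raised a flag."""
    results = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry and (flags := triage(entry)):
            results.append((entry["section"], entry["body"], flags))
    return results

if __name__ == "__main__":
    for section, body, flags in triage_log(SAMPLE_LOG):
        print(section, "|", "; ".join(flags), "|", body[:60])
```

Every flag is a prompt for a human look, not a verdict; the iPod service and the two system32 Winlogon entries pass silently, the rpcapd service (missing binary, no owner) and the constructed user-profile Notify DLL are reported.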
#13
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hmmm, well that looks much better, but the BFU script should have removed this folder (along with other unseen items):
C:\Program Files\Media Gateway
Did you encounter any troubles running it? Please delete that folder manually, and let me know how that goes.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#14
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hey,
I didn't seem to have any problems running it. I deleted the Media Gateway folder (it was empty) and the system let me, so maybe the BFU just got rid of the contents and not the empty folder... Thanks for all your help so far.
#15
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Well done. Your logs appear clean. You should be good to go. We still have a few items to address.
Make sure your antivirus program is up to date, and run a full system scan. Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it.
C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.
Reset hidden/system files and folders
Clear & Reset System Restore's Cache
Enable Windows Auto Update
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles. If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against them. Please respond to this thread one more time so we can mark this thread as resolved.
#16
Registered User
Join Date: Jun 2007
Posts: 27
OS: Windows XP
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
Hey,
I've completed all the steps in your last post, everything seemed to go fine. My computer does still seem to be running a lot slower than usual though... Anything you can suggest to help would be great. Thanks
#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,618
OS: 2000 Pro; XP Pro; XP Home
Re: Constant Popups - celldorado, party poker, system cleaner, c5.zedo.net
AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right-click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable its real-time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:
Open AVG Anti-Spyware.
Hope that helps. Try defragging your system as well. Some systems never fully recover from an infection such as you've had. Many changes are made to a system during infections, causing problems for the machine, though the infection itself gets cleaned. Sometimes the only true solution for recovery is a format and clean install. You may want to ask for system optimization help in our Windows XP forum.