Old 12-31-2007, 11:55 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

My name is Reeder

HP Pavilion zv 5340 us notebook, XP – svc pack 2

I believe this all started because of a visit to my son’s “MySpace page”. I clicked on several of the obvious links – after leaving his site I started getting pop-ups everywhere.

17PHolmes572.exe
Immediately went to task manager and saw several of these >>> 17PHolmes572.exe <<< entries in the manager, also in the applications menu many IE titles. I started ending the tasks and the problem seemed to subside but then would come back.

The pop-ups have stopped and this file is not in the task manager any more?? 17PHolmes572.exe


Netdde.exe
In the task manager there are approx. 4 of these processes running; they continually move back and forth within the menu. When clicking on one, it will move out from under the cursor and be replaced by another.
I was able to place my cursor on one of them and end the process, and now the jumping has quit.

Have also noticed at least 4 netdde.exe processes running. All the titles in task manager move back and forth so quickly that I cannot click on one and try to end the process. Once, when I was able to try to eliminate this file, I was told I could not delete or suspend it.


Panda Scan
Tried to get Panda to do its free scan – started last night about 6:30 pm; it was moving so slowly I thought it would be this morning before finishing. Woke up, and IE had shut itself off.

Tried again this morning; at present I can get to the internet – downloaded HijackThis – was / am trying to do a Panda scan but it has stopped – says it is still scanning but seems stuck at 109,873 files; at present it has found 12 spyware and 2 rootkits. I’ve downloaded the other items through step 5 but don’t know what to do about the “stuck” scan. Tried clicking on the FAQ hoping it would restart the scanning process but nothing happened, and this screen is not offering me the opportunity to see a log or save a log.

WONDERFUL!! Panda has begun moving again, probably just moving slowly – patience is one of the virtues I work on constantly; the computer has taught me much about this exacting science. After 180,000 files it still had the same result; left the office for about 10 minutes, came back and IE was gone again. No log or anything; this time it took about 4 hours. Seemed to move very slowly.


Isass.exe
This resides in the task manager; my research indicates this could be bad news???

KHALMNRP.exe is there as well.

The typing is erratic but works; sometimes it is slow and sometimes it is not.

My cursor has an hourglass that stays beside it constantly except when I am entering text. The cursor works as it always has. Went to my Logitech mouse/keyboard control panel but the mouse control is missing???

When shutting down everything to do the Deckard scan the computer locked up so badly I had to manually shut it down. Started it back up and got 4 "error loading" warnings: "system 32/ vturq.dll".

Also "framedyn.dll not found".

Thought of doing a System Restore, but in reading several of the forums that option was never mentioned as a solution.

All the titles on the desktop are highlighted in blue and nothing I do changes that.
When rebooting the desktop is completely blue, and then the icons begin to appear, and then the picture I use as wallpaper appears.

Hijack This
When I purchased HJT and tried to install there were approx. 4 error messages, one of which I screen captured but have not tried to send because you probably don’t want to have that on your system.

I use Spy-ware Doctor – first scan found over 500 problems but was not able to eliminate all of them.
Now when I try to run SD I get an error message stating that a dll file is missing and that I should reload the program.
Since reading the forum I’ve not tried to do another SD scan.

Following is the log from Notepad; I hope you can help me out of this problem.

Everything I try using seems to work but very slowly, especially when accessing the internet – I use Firefox rather than IE.

I know you have not asked for a HijackThis log but thought perhaps it might help you in determining what is going on. Hope this is OK.
This log is after doing all the "5" steps, which I might say seems very conclusive. It is good that you are this detailed. It really helps this old carpenter to understand what it is that you need. Well almost understand.

Actually there will be two logs; the first was when I started having problems and looking for solutions last night, the second is described above AFTER following all the "5" steps.

I hope this has been detailed correctly; we are, after all, dealing with a carpenter, not a computer person. My hat is off to those of you who understand the inner sanctums of this machine.

Candidly, my computer is operating better now than it has in a while; programs are coming up faster and operating efficiently???? Not sure I understand any of this.

Thank you for your service and the heart of this operation, were you a religious organization this would certainly be classed as a ministry.

I for one deeply appreciate any help that you can give in figuring out the problem.

Well the problem is definitely not gone I just clicked on IE and started getting more popups. There are now two netdde.exe titles in the TM.

Don't see any 17PHolmes572.exe

Respectfully

Reeder Lyons
IMHshre@bellsouth.net


Log number 1
Logfile of HijackThis v1.99.1
Scan saved at 9:13:37 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Backup4all\Backup4all .exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\WADFSDZ\Desktop\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe
C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnetdaily.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturq.exe
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ytowkj] "C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AddressGrabber - {70192830-2B20-450E-8CED-4151CA0F422F} - C:\Program Files\eGrabber\AGB\InternetAddress.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnetdaily.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.worldnetdaily.com
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190863566984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


Log #2

Logfile of HijackThis v1.99.1
Scan saved at 12:31:50 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Backup4all\Backup4all .exe
C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\WADFSDZ\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnetdaily.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturq.exe
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ytowkj] "C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AddressGrabber - {70192830-2B20-450E-8CED-4151CA0F422F} - C:\Program Files\eGrabber\AGB\InternetAddress.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnetdaily.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.worldnetdaily.com
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190863566984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe




Deckard's System Scanner v20071014.68
Run by WADFSDZ on 2007-12-31 11:56:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as WADFSDZ.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-31 11:58:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Backup4all\Backup4all .exe
C:\Program Files\Common Files\??mbols\netdde.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\WADFSDZ\Desktop\dss.exe
C:\WINDOWS\system32\searchfilterhost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnetdaily.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F0 - win.ini: load=C:\WINDOWS\system32\vturq.exe
F3 - REG:win.ini: Load=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {834f5683-1fbd-4125-abf6-65640ee9764a} - C:\WINDOWS\system32\ikhsrbf.dll
O2 - BHO: (no name) - {988FAAFD-C671-45F5-8732-6CA3F3B3A697} - C:\WINDOWS\system32\vturq.dll
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - C:\WINDOWS\system32\vtuvwwu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll
O2 - BHO: (no name) - {E0A4F316-30AE-4B0D-8F27-4FE671F758C7} - C:\WINDOWS\system32\uvzbvolo.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ytowkj] "C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: AddressGrabber - {70192830-2B20-450E-8CED-4151CA0F422F} - C:\Program Files\eGrabber\AGB\InternetAddress.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://www.plymart.com (HKCU)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190863566984
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - (no file)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - AppInit_DLLs: sockspy.dll
O20 - Winlogon Notify: vtuvwwu - C:\WINDOWS\system32\vtuvwwu.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Dcfssvc - Unknown owner - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: KodakCCS - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Unknown owner - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: -

--
End of file - 13570 bytes

-- File Associations -----------------------------------------------------------

.cmd - VisualCADD.Alias.4 - DefaultIcon - C:\Program Files\VCADD4\Programs\VCADD32.Exe,0
.cmd - VisualCADD.Alias.4 - shell\open\command - unable to read value
.cmd - VisualCADD.Alias.4 - shell\edit\command - unable to read value
.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.vbs - VBSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 IABFilt (Iomega Snapshot Volume Filter) - c:\windows\system32\drivers\iabfilt.sys <Not Verified; Iomega; Iomega Volume Filter Driver>
R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 timounter (Acronis TrueImage Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R2 HPW5ECP - c:\windows\system32\drivers\hpw5ecp.sys <Not Verified; Hewlett-Packard Company; HP Printing System for Windows>
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
R2 tifsfilter (Acronis TrueImage FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; TrueImage>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 vsbus (Virtual Serial Bus Enumerator) - c:\windows\system32\drivers\vsb.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Bus>

S1 core - c:\windows\system32\drivers\core.sys (file missing)
S2 pciinfo (HP Pci Information) - c:\docume~1\wadfsdz\locals~1\temp\hpispz\hpdom\pciinfo.sys (file missing)
S3 AvFlt (Antivirus Filter Driver) - c:\windows\system32\drivers\av5flt.sys (file missing)
S3 btwhid - c:\windows\system32\drivers\btwhid.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 5.0.1.2500>
S3 RimUsb (RIM Handheld) - c:\windows\system32\drivers\rimusb.sys (file missing)
S3 vserial (ELTIMA Virtual Serial Ports Driver) - c:\windows\system32\drivers\vserial.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Ports>
S3 w600bus - c:\windows\system32\drivers\w600bus.sys (file missing)
S3 w600mdfl - c:\windows\system32\drivers\w600mdfl.sys (file missing)
S3 w600mdm - c:\windows\system32\drivers\w600mdm.sys (file missing)
S3 w600mgmt - c:\windows\system32\drivers\w600mgmt.sys (file missing)
S3 w600obex - c:\windows\system32\drivers\w600obex.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcrSch2Svc (Acronis Scheduler2 Service) - "c:\program files\common files\acronis\schedule2\schedul2.exe" <Not Verified; Acronis; Acronis Scheduler 2>

S3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe <Not Verified; Hewlett-Packard Development Company, L.P.; hpqwmi Module>
S3 Logitech Easy Synchronization - c:\program files\logitech\easy synchronization\servicestub.exe
S4 Dcfssvc - c:\windows\system32\drivers\dcfssvc.exe (file missing)
S4 LBTServ (Logitech Bluetooth Service) - c:\program files\common files\logitech\bluetooth\lbtserv.exe (file missing)
S4 pmshellsrv -
S4 PSHost -
S4 PSIMSVC -
S4 TPSrv -


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Parallel Device
Device ID: ROOT\LEGACY_HPW5ECP\0000
Manufacturer:
Name: Parallel Device
PNP Device ID: ROOT\LEGACY_HPW5ECP\0000
Service: HPW5ECP


-- Scheduled Tasks -------------------------------------------------------------

2006-11-04 04:34:50 304 --a------ C:\WINDOWS\Tasks\XoftSpy.job


-- Files created between 2007-11-30 and 2007-12-31 -----------------------------

2007-12-31 11:54:20 0 d-------- C:\Program Files\Outerinfo
2007-12-31 11:54:18 0 d-------- C:\WINDOWS\?ppPatch
2007-12-31 11:54:15 60928 --a------ C:\WINDOWS\system32\uvzbvolo.dll
2007-12-30 22:01:21 0 dr-h----- C:\Documents and Settings\WADFSDZ\Recent
2007-12-30 19:59:10 348160 --a------ C:\WINDOWS\system32\vturq.exe
2007-12-30 19:59:08 24607 --ahs---- C:\WINDOWS\system32\qrutv.ini2
2007-12-30 19:59:01 344576 --a------ C:\WINDOWS\system32\vturq.dll
2007-12-30 19:02:50 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-12-30 19:00:30 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2007-12-30 18:55:44 38400 --a------ C:\WINDOWS\system32\wvwtsqn.dll
2007-12-30 18:53:01 2 --a------ C:\WINDOWS\system32\wapiisv.exe
2007-12-30 18:52:57 0 d-------- C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch
2007-12-30 18:52:46 0 d--hs---- C:\WINDOWS\V0FERlNEWg
2007-12-30 18:52:33 171520 --a------ C:\WINDOWS\system32\ikhsrbf.dll
2007-12-30 18:52:14 0 d-------- C:\WINDOWS\system32\mr9
2007-12-30 18:52:14 0 d-------- C:\WINDOWS\system32\cc9
2007-12-30 18:52:14 0 d-------- C:\WINDOWS\system32\aj2
2007-12-30 18:52:13 0 d-------- C:\WINDOWS\system32\z1
2007-12-30 18:52:04 0 d-------- C:\Program Files\Common Files\??mbols
2007-12-30 18:51:59 0 d-------- C:\WINDOWS\system32\ardCo01
2007-12-30 18:51:50 38400 --a------ C:\WINDOWS\system32\vtuvwwu.dll
2007-12-29 08:40:07 0 d-------- C:\Program Files\Softnik Technologies
2007-12-28 19:09:05 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-28 16:24:13 0 d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-12-28 16:23:38 0 d-------- C:\WINDOWS\Agenda One
2007-12-28 16:11:47 0 d-------- C:\WINDOWS\system32\PAV
2007-12-28 14:12:39 0 --a------ C:\Autoexec.bat
2007-12-28 03:36:49 13369344 --a------ C:\Documents and Settings\WADFSDZ\ntuser.dat
2007-12-28 03:36:49 491520 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2007-12-20 07:23:14 0 d-------- C:\Documents and Settings\WADFSDZ\Application Data\Good Keywords v2
2007-12-17 20:56:34 0 d-------- C:\Program Files\Niche Inspector
2007-12-11 06:38:03 0 d-------- C:\Documents and Settings\WADFSDZ\Application Data\eBookPro6
2007-12-09 17:46:07 0 d-------- C:\Program Files\XP Smoker
2007-12-09 0849 0 d-------- C:\Program Files\Showcalc
2007-12-09 08:01:00 0 d-------- C:\Program Files\Photo Print Calendar from YOKOHAMA Ver.3.00E beta
2007-12-09 07:58:02 0 d-------- C:\Program Files\Backup4all
2007-12-09 07:52:31 0 d-------- C:\Program Files\Lavalys
2007-12-07 07:01:58 0 d-------- C:\Program Files\Agenda One


-- Find3M Report ---------------------------------------------------------------

2007-12-31 11:54:18 0 d-------- C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch
2007-12-31 11:53:11 0 d-------- C:\Program Files\QuickTime
2007-12-31 11:53:10 0 d-------- C:\Program Files\Common Files\??mbols
2007-12-31 11:52:59 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-31 07:09:28 0 d-------- C:\Program Files\Spyware Doctor
2007-12-31 07:05:12 0 d-------- C:\Program Files\ACT
2007-12-31 07:02:26 0 d-------- C:\Program Files\Google
2007-12-31 06:41:44 0 d-------- C:\Program Files\e-Sword
2007-12-31 00:31:23 0 d-------- C:\Program Files\Windows Desktop Search
2007-12-31 00:23:49 0 d-------- C:\Program Files\SpywareBlaster
2007-12-30 19:51:04 0 d-------- C:\Program Files\Snapshot Viewer
2007-12-30 19:51:02 0 d-------- C:\Program Files\Common Files
2007-12-28 20:22:20 9525 --a------ C:\WINDOWS\mozver.dat
2007-12-28 16:24:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-28 16:23:37 0 d-------- C:\Program Files\CCleaner
2007-12-28 16:22:52 0 d-------- C:\Program Files\Pocket Informant
2007-12-28 16:22:06 0 d-------- C:\Program Files\XPMedic
2007-12-28 16:11:18 0 d-------- C:\Program Files\Common Files\Panda Software
2007-12-21 05:26:12 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-12-17 13:47:40 15 --a----c- C:\WINDOWS\DatabaseID
2007-12-09 05:12:06 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-11-25 17:28:43 0 d-------- C:\Program Files\TechSmith
2007-11-01 08:19:00 0 d-------- C:\Program Files\HPQ
2007-11-01 07:59:53 0 d-------- C:\Program Files\Yahoo!
2007-10-06 23:45:00 214528 --a------ C:\WINDOWS\iun3403.exe <Not Verified; Indigo Rose Corporation; Indigo Rose Corporation unin32>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{834f5683-1fbd-4125-abf6-65640ee9764a}]
12/30/2007 06:52 PM 171520 --a------ C:\WINDOWS\system32\ikhsrbf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{988FAAFD-C671-45F5-8732-6CA3F3B3A697}]
12/30/2007 07:59 PM 344576 --a------ C:\WINDOWS\system32\vturq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]
12/30/2007 06:51 PM 38400 --a------ C:\WINDOWS\system32\vtuvwwu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0A4F316-30AE-4B0D-8F27-4FE671F758C7}]
11/01/2007 08:44 AM 60928 --a------ C:\WINDOWS\system32\uvzbvolo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [12/31/2007 11:53 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/31/2007 11:47 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [12/31/2007 11:52 AM]
"Backup4all"="C:\Program Files\Backup4all\Backup4all.exe" [12/31/2007 11:47 AM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [12/31/2007 11:47 AM]
"Tbsa"="C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" [12/31/2007 11:53 AM]
"Ytowkj"="C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe" [11/01/2007 08:45 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2/24/2007 2:52:54 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"=00000000
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [02/05/2007 02:39 PM 294400]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"= C:\WINDOWS\system32\vtuvwwu.dll [12/30/2007 06:51 PM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 02/15/2007 07:02 PM 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvwwu]
vtuvwwu.dll 12/30/2007 06:51 PM 38400 C:\WINDOWS\system32\vtuvwwu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\vturq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup




-- End of Deckard's System Scanner: finished at 2007-12-31 12:01:18 ------------

Respectfully,

Reeder Lyons
Attached Files
File Type: txt extra.txt (30.6 KB, 1 views)
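The Deckard's and HijackThis output above carries several classic XP-era persistence and masquerading indicators worth pulling out before running any fix tool: unnamed BHOs loaded from system32 (ikhsrbf.dll, vturq.dll, vtuvwwu.dll, uvzbvolo.dll), an AppInit_DLLs value (sockspy.dll) that gets injected into every process loading user32, a Winlogon Notify package (vtuvwwu) that runs inside winlogon.exe, an extra entry in the LSA "Authentication Packages" list (vturq), a copy of netdde.exe launched from a Common Files folder whose name the tool could not print (shown as ??mbols, 8.3 name MBOLS~1), Run entries whose target has a space before .exe (qttask .exe next to the real qttask.exe), and a .cmd extension mapped to VisualCADD's ProgID instead of cmdfile, so a double-clicked .cmd script will not be handed to cmd.exe as expected. In these logs a "?" inside a path is most likely a character the tool could not render.

The script below is an added example and is not part of this thread, nor of HijackThis or Deckard's System Scanner. It runs a set of analyst rules of thumb over lines copied from the logs above; the rule names, the list of Windows binaries that only belong in system32, and the stock ProgIDs are my assumptions, and a hit is a reason to look, not a verdict (the LSA rule, for instance, lists relog_ap alongside vturq and leaves the judgement to the reader).

```python
"""Triage heuristics for HijackThis / Deckard's System Scanner output.

Added example: not code from the thread or from either tool. The sample
lines are copied from the logs in the post above; the rules are ordinary
analyst rules of thumb (assumed), not HijackThis' own logic.
"""
import re

SYSTEM32 = r"c:\windows\system32"
# Windows binaries that only belong in system32; a copy elsewhere is a
# look-alike (assumed list, extend as needed).
WINDOWS_BINARIES = {"netdde.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                    "winlogon.exe", "services.exe", "explorer.exe"}
# Stock ProgIDs for script types on Windows XP (assumed).
STOCK_PROGID = {".cmd": "cmdfile", ".bat": "batfile", ".vbs": "VBSFile", ".js": "JSFile"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

PATH_RE = re.compile(r'"?([a-z]:\\[^"\n]*?\.(?:exe|dll|sys))"?', re.IGNORECASE)
ASSOC_RE = re.compile(r"^(\.\w+) - (\S+) - shell\\open\\command - (.*)$")

# Lines copied from the HijackThis and Deckard's logs posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {834f5683-1fbd-4125-abf6-65640ee9764a} - C:\WINDOWS\system32\ikhsrbf.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturq.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ytowkj] "C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe"
O20 - AppInit_DLLs: sockspy.dll
O20 - Winlogon Notify: vtuvwwu - C:\WINDOWS\system32\vtuvwwu.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\jddlbtdq.exe
O23 - Service: NVSvc - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"Authentication Packages"= msv1_0 relog_ap C:\WINDOWS\system32\vturq
.cmd - VisualCADD.Alias.4 - shell\open\command - unable to read value
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.vbs - VBSFile - shell\open\command - unable to read value
"""


def last_path(line):
    """Return the last .exe/.dll/.sys path in a log line, or None."""
    found = PATH_RE.findall(line)
    return found[-1] if found else None


def check_line(line):
    """Return the names of the heuristics that fire on one log line."""
    hits = []
    path = last_path(line) or ""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]

    if line.startswith("O2 - BHO: (no name)") and low.startswith(SYSTEM32):
        hits.append("unnamed BHO in system32")
    if re.search(r"\s\.(exe|dll)$", low):
        hits.append("space before extension")         # "qttask .exe" beside the real qttask.exe
    if "?" in path:
        hits.append("unprintable character in path")   # the tool could not render the real name
    if name in WINDOWS_BINARIES and not low.startswith(SYSTEM32):
        hits.append("system binary name outside system32")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        hits.append("AppInit_DLLs set")                 # injected into every process loading user32
    if line.startswith("O20 - Winlogon Notify:"):
        hits.append("Winlogon Notify package")          # runs inside winlogon.exe at logon
    if line.startswith("F3 - REG:win.ini: load=") and line.split("=", 1)[1].strip():
        hits.append("win.ini load= autostart")
    if line.startswith("O23 - Service:") and " - - " in line and low.startswith(SYSTEM32):
        hits.append("service with no vendor in system32")
    if line.startswith('"Authentication Packages"='):
        extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
        if extra:
            hits.append("extra LSA authentication packages: " + ", ".join(extra))
    m = ASSOC_RE.match(line)
    if m and m.group(1) in STOCK_PROGID:
        ext, progid, cmd = m.groups()
        if progid != STOCK_PROGID[ext]:
            hits.append(f"{ext} mapped to non-stock ProgID {progid}")
        elif "unable to read" in cmd:
            hits.append(f"{ext} open command unreadable")
        elif ext in (".js", ".vbs") and not any(h in cmd.lower() for h in SCRIPT_HOSTS):
            hits.append(f"{ext} opens in an editor, not the script host")
    return hits


def triage(text):
    """Run check_line over every line; return [(line, hits)] for lines that fired."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            hits = check_line(line)
            if hits:
                out.append((line, hits))
    return out


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {'; '.join(hits)}")
```

Run as a plain script and it prints each flagged line with the rules that fired; the two no-name BHOs in the sample show the point of the location check, since RoboForm's unnamed BHO under Program Files passes while ikhsrbf.dll in system32 does not. The order and wording of the rules are arbitrary; what matters is that the low-prior entries (AppInit_DLLs, Winlogon Notify, LSA packages, unnamed system32 BHOs, broken script associations) reach the analyst before the long O9/O16 lists do.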

Old 01-01-2008, 07:20 PM   #2 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

You have a couple of infections that need to come out...


Download SDFix from here and save it to your desktop.


Please then reboot your computer in Safe Mode by doing the following :
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.


=========================================

This will help to identify malware on your system.
Please download Combofix from any of these locations:

Here
or
Here

Save ComboFix to the desktop and please ensure that you disable any realtime security/virus programs that monitor your PC while CF is running.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.
__________________
Eddy
Old 01-02-2008, 06:49 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Good morning Pancake:

Downloaded SDFix, but it came to me as an .exe file. When clicking on the file in Safe Mode the menu asked to "install"; I did this. There was / is no zip file. Concerned, I went to Explorer and found SDFix and opened it; the RunThis.cmd file was there with my CADD icon beside it??? But when I double left-clicked it nothing happened. There was no RunThis.bat file anywhere to be found. All I know for sure is that SDFix has been installed on my computer in the C directory. To the best of my knowledge there were no fixes, and I was never directed or asked to reboot.

At this point I'm not sure if you still want me to run the "ComboFix" tool or not. Following is another HijackThis log as of doing these things.

I know you have not asked for this info, but thought perhaps it might help, because of not being able to complete your instructions and send you a report from "ComboFix".

I went back and clicked on the link in your message, thinking this old carpenter might have done something amiss, but it is an .exe file rather than a zip file.

Last evening Spyware Doctor started automatically, telling me there were more problems and that it had quarantined them.?? Also a small window comes up stating that "Restore Point" can't be executed because of a missing framedyn.dll. I tried doing a manual restore point and was told it had been successful. ??

hope this helps and thank you for helping me.
Reeder

Logfile of HijackThis v1.99.1
Scan saved at 8:33:25 AM, on 1/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\jddlbtdq.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe
C:\Program Files\Backup4all\Backup4all .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\WADFSDZ\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnetdaily.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturq.exe
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [69996048] rundll32.exe "C:\WINDOWS\system32\fjsuwhah.dll",b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Ytowkj] "C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AddressGrabber - {70192830-2B20-450E-8CED-4151CA0F422F} - C:\Program Files\eGrabber\AGB\InternetAddress.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnetdaily.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.worldnetdaily.com
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190863566984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\jddlbtdq.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Old 01-02-2008, 06:53 AM   #4 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Pancake:
One more thing:
When right-clicking, the menu shows "Run as" as the only "run" option. I was not sure if this is the correct option or not, so I chose to wait and ask.

Reeder

Last edited by Reeder; 01-02-2008 at 06:56 AM.
Old 01-02-2008, 04:27 PM   #5 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

You can skip SDFix. Just go with ComboFix.
__________________
Eddy

Last edited by Pancake; 01-02-2008 at 04:29 PM.
Old 01-02-2008, 07:47 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Pancake:

Thanks for sticking with me.
I hope interpreting your instructions to mean running ComboFix in Windows rather than Safe Mode was OK??? It seemed that was what you were saying. That is what I did.

In trying to turn off Spyware Doctor I got the message "cannot load tool bar iesdbp.dll". After going through the process of running ComboFix this message has come up, and I've not tried to run SD yet. ???

Following is the text report for running combofix

Thanks again for your assistance

Reeder

ComboFix 08-01-03.3 - WADFSDZ 2007-12-02 21:18:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.693 [GMT -5:00]
Running from: C:\Documents and Settings\WADFSDZ\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\WADFSDZ\Application Data\PPPATC~1
C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\mbols~1\??mbols\
C:\Program Files\Common Files\mbols~1\netdde .exe
C:\Program Files\Common Files\mbols~1\netdde.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\pppatc~1
C:\WINDOWS\system32\fjsuwhah.dll
C:\WINDOWS\system32\hahwusjf.ini
C:\WINDOWS\system32\ikhsrbf.dll
C:\WINDOWS\system32\jddlbtdq.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qrutv.ini2
C:\WINDOWS\system32\RCX18.tmp
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\vturq.exe
C:\WINDOWS\system32\whwcdnsd.dll
C:\WINDOWS\system32\z1

Code:
"C:\Program Files\Backup4all\Backup4all .exe" replaces infected copy of "C:\Program Files\Backup4all\Backup4all.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe" replaces infected copy of "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon .exe" replaces infected copy of "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
"C:\Program Files\Spyware Doctor\swdoctor .exe" replaces infected copy of "C:\Program Files\Spyware Doctor\swdoctor.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-02 07:52 . 2008-01-02 07:52 5,632 --ahs---- C:\Thumbs.db
2007-12-31 11:55 . 2007-12-31 11:55 <DIR> d-------- C:\Deckard
2007-12-30 23:28 . 2007-12-31 06:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-30 18:52 . 2007-12-30 19:52 <DIR> d--hs---- C:\WINDOWS\V0FERlNEWg
2007-12-30 18:52 . 2007-12-30 19:51 <DIR> d-------- C:\WINDOWS\system32\mr9
2007-12-30 18:52 . 2007-12-30 19:53 <DIR> d-------- C:\WINDOWS\system32\cc9
2007-12-30 18:52 . 2007-12-30 18:52 <DIR> d-------- C:\WINDOWS\system32\aj2
2007-12-30 18:52 . 2007-12-30 18:52 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-12-30 18:51 . 2007-12-30 18:51 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2007-12-30 18:51 . 2007-12-30 18:52 <DIR> d-------- C:\Temp\cEeer12
2007-12-29 08:40 . 2007-12-29 08:40 <DIR> d-------- C:\Program Files\Softnik Technologies
2007-12-28 19:09 . 2007-12-28 19:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-28 16:24 . 2007-12-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-12-28 16:23 . 2007-12-28 16:23 <DIR> d-------- C:\WINDOWS\Agenda One
2007-12-28 16:11 . 2007-12-28 16:11 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-12-20 07:23 . 2007-12-20 13:04 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\Good Keywords v2
2007-12-17 20:56 . 2007-12-28 20:25 <DIR> d-------- C:\Program Files\Niche Inspector
2007-12-11 06:38 . 2007-12-13 05:36 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\eBookPro6
2007-12-11 00:19 . 2007-12-11 00:20 242 --a------ C:\WINDOWS\ActiveActG.INI
2007-12-09 17:46 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\XP Smoker
2007-12-09 17:43 . 2007-12-09 17:43 79 --a------ C:\WINDOWS\showcalc.ini
2007-12-09 08:06 . 2007-12-09 08:06 <DIR> d-------- C:\Program Files\Showcalc
2007-12-09 08:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Photo Print Calendar from YOKOHAMA Ver.3.00E beta
2007-12-09 07:58 . 2008-01-03 21:33 <DIR> d-------- C:\Program Files\Backup4all
2007-12-09 07:52 . 2007-12-09 07:52 <DIR> d-------- C:\Program Files\Lavalys
2007-12-07 07:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Agenda One

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 02:33 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-04 02:28 --------- d-----w C:\Program Files\QuickTime
2008-01-04 02:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-01 12:41 --------- d-----w C:\Program Files\e-Sword
2008-01-01 01:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 12:05 --------- d-----w C:\Program Files\ACT
2007-12-31 12:02 --------- d-----w C:\Program Files\Google
2007-12-31 05:31 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-31 05:23 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-31 00:51 --------- d-----w C:\Program Files\Snapshot Viewer
2007-12-28 21:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:23 --------- d-----w C:\Program Files\CCleaner
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 21:22 --------- d-----w C:\Program Files\XPMedic
2007-12-28 21:22 --------- d-----w C:\Program Files\Pocket Informant
2007-12-28 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-28 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 21:11 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-12-28 14:06 0 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2007-12-28 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-27 11:50 13,880 ----a-w C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-12-21 10:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-21 10:26 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-14 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-12-09 10:12 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-28 00:25 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-11-25 22:28 --------- d-----w C:\Program Files\TechSmith
2007-10-07 04:45 214,528 ----a-w C:\WINDOWS\iun3403.exe
2005-07-16 21:38 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 14:44 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"Backup4all"="C:\Program Files\Backup4all\Backup4all.exe" [2007-12-02 14:44 1948672]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-02 14:44 160832]
"Tbsa"="C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" [ ]
"Ytowkj"="C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe" [ ]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor_new.exe" [2006-05-18 16:22 2074848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-12-02 14:44 2074848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-24 14:52:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvwwu]
vtuvwwu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2005-03-03 12:23]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 08:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 08:33]
R1 NETFLTDI;NETFLTDI;C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 08:33]
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 09:40]
R2 HPW5ECP;HPW5ECP;C:\WINDOWS\system32\drivers\HPW5ECP.SYS [1998-09-25 06:06]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]
S1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 08:33]
S1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 10:39]
S1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 08:33]
S1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 08:33]
S2 cpoint;cpoint;C:\WINDOWS\system32\drivers\cpoint.sys [2007-06-08 07:44]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\WADFSDZ\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;ComFiltr;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2007-12-27 06:50]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 w600bus;w600bus;C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;w600mdfl;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;w600mdm;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;w600mgmt;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;w600obex;C:\WINDOWS\system32\DRIVERS\w600obex.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-11-04 09:34:50 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 21:35:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 21:39:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 02:39:25
Old 01-02-2008, 08:15 PM   #7 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

After completing these instructions you will need to Remove/Uninstall Combofix and get this updated version...Run it and post its log.

http://download.bleepingcomputer.com...a/ComboFix.exe



Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

Folder::
C:\WINDOWS\V0FERlNEWg
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\cc9
C:\WINDOWS\system32\aj2
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\ardCo01
C:\Temp\cEeer12


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ytowkj"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvwwu]
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
__________________
Eddy

Last edited by Pancake; 01-02-2008 at 08:30 PM.
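A triage pass over the kind of ComboFix "Reg Loading Points" lines Pancake is reading above, as an added example that is not ComboFix's code or anything posted in this thread. It runs over a constructed excerpt built from the paths in Reeder's log and flags the patterns the thread acted on: a space before the extension (the renamed-original pattern named in the "replaces infected copy" lines), a '?' standing in for a non-ASCII character, Run entries with no date/size shown, a Windows system binary name outside the Windows directory, and a Winlogon Notify DLL listed with no file details.

```python
"""Flag suspicious autostart entries in a ComboFix 'Reg Loading Points' excerpt.

Added example; the line formats are taken from the log posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the ComboFix section posted above
# (paths copied from the thread's log; this is not output of a real run).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 14:44 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"Tbsa"="C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" [ ]
"Ytowkj"="C:\Documents and Settings\WADFSDZ\Application Data\?ppPatch\?ttrib.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuvwwu]
vtuvwwu.dll
"""

REASON_SPACED = "space before extension (renamed-original pattern)"
REASON_NONASCII = "'?' in path: non-ASCII character substituted"
REASON_NOINFO = "no date/size shown: file absent or unreadable"
REASON_SYSNAME = "Windows system binary name outside the Windows directory"
REASON_NOTIFY = "Winlogon Notify DLL listed without path or date"

# "name"="path" [date time size]   or   "name"="path" [ ]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# Winlogon Notify lines start with the DLL name, optionally followed by file details
NOTIFY_DLL = re.compile(r'^(?P<dll>\S+\.dll)(?P<rest>.*)$', re.IGNORECASE)
SPACED_EXT = re.compile(r'\s+\.(exe|dll|scr|com)$', re.IGNORECASE)

# Small, illustrative set of XP binaries that belong under the Windows directory.
SYSTEM_BINARIES = {"netdde.exe", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")


@dataclass
class Finding:
    key: str      # registry key the entry was listed under
    entry: str    # the log line as printed
    reason: str


def triage(log_text: str) -> list:
    """Return one Finding per suspicious trait found in the excerpt."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key section
            continue
        if key is None:
            continue                  # text before the first key; ignore
        m = RUN_VALUE.match(line)
        if m:
            path = m.group("path")
            info = m.group("info").strip()
            basename = path.rsplit("\\", 1)[-1].lower()
            if SPACED_EXT.search(path):
                findings.append(Finding(key, line, REASON_SPACED))
            if "?" in path:
                findings.append(Finding(key, line, REASON_NONASCII))
            if basename in SYSTEM_BINARIES and not path.lower().startswith(WINDOWS_DIR_PREFIXES):
                findings.append(Finding(key, line, REASON_SYSNAME))
            if not info:
                findings.append(Finding(key, line, REASON_NOINFO))
            continue
        if "winlogon\\notify" in key.lower():
            m = NOTIFY_DLL.match(line)
            if m and not m.group("rest").strip():
                findings.append(Finding(key, line, REASON_NOTIFY))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.entry}\n    under {f.key}")
```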
Old 01-03-2008, 06:08 AM   #8 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Good morning Pancake



Not completely sure I followed the instructions correctly.

Placed the quote box in Notepad, then on the desktop.
Dragged the file onto ComboFix; however, once I dropped this file onto ComboFix, it started running and created a report. ComboFix then restarted my computer. This event did not sound like the sequence described in the instructions.

After ComboFix completed the scan I followed the remaining instructions.
The only option open was to delete ComboFix - no uninstall directions or option existed.

Downloaded the new ComboFix per instructions - problem - Firefox is my browser of choice; this time when clicking on the link in the email, IE opened and brought me to the forum - rather quickly I might add.

That part was a plus, also there were no pop-ups as a result of opening in IE.

For some reason unknown to me, when IE brought me to the forum the "posting rules" box said I did not have the right to post. It was as if the forum did not recognize me because I was using IE rather than Firefox, which is the browser I'm using at present and the browser I used to join the forum. ???


Then I ran combofix again, so I'll post both logs.
Then, in attempting to run HijackThis, I got the error message that is posted just above that log.

I got this same error message when running HJT the very first time. Before finding your forum I followed those instructions and my mail was returned telling me that the address in the error message was not a valid mail box.???

Thankfully, I was led to your forum.

Also, when Windows opens back up I'm getting these two error messages:
Spyware Doctor - Cannot load tool library - iesdpb.dll and iesdsg.dll. Not sure what this means, but yesterday I received these two messages and was not able to run SD.

Per the instructions I opened SD this morning and turned all the protection OFF. ???

Following is the first Combofix log after that the 2nd one per your instructions then the HJT log error message then the log itself per your instructions.

Thank you again for your continued help

Reeder

1st Combo Fix Log
ComboFix 08-01-03.3 - WADFSDZ 2008-01-04 6:34:11.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.798 [GMT -5:00]
Running from: C:\Documents and Settings\WADFSDZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WADFSDZ\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\WINDOWS\mrofinu572.exe.tmp\
C:\WINDOWS\system32\aj2
C:\WINDOWS\system32\aj2\bumebrpl5.exe
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\ardCo01\ardCo011065.exe
C:\WINDOWS\system32\cc9
C:\WINDOWS\system32\mr9
C:\WINDOWS\V0FERlNEWg

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-02 07:52 . 2008-01-02 07:52 5,632 --ahs---- C:\Thumbs.db
2007-12-31 11:55 . 2007-12-31 11:55 <DIR> d-------- C:\Deckard
2007-12-30 23:28 . 2007-12-31 06:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-30 18:52 . 2007-12-30 18:52 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-12-29 08:40 . 2007-12-29 08:40 <DIR> d-------- C:\Program Files\Softnik Technologies
2007-12-28 19:09 . 2007-12-28 19:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-28 16:24 . 2007-12-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-12-28 16:23 . 2007-12-28 16:23 <DIR> d-------- C:\WINDOWS\Agenda One
2007-12-28 16:11 . 2007-12-28 16:11 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-12-20 07:23 . 2007-12-20 13:04 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\Good Keywords v2
2007-12-17 20:56 . 2007-12-28 20:25 <DIR> d-------- C:\Program Files\Niche Inspector
2007-12-11 06:38 . 2007-12-13 05:36 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\eBookPro6
2007-12-11 00:19 . 2007-12-11 00:20 242 --a------ C:\WINDOWS\ActiveActG.INI
2007-12-09 17:46 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\XP Smoker
2007-12-09 17:43 . 2007-12-09 17:43 79 --a------ C:\WINDOWS\showcalc.ini
2007-12-09 08:06 . 2007-12-09 08:06 <DIR> d-------- C:\Program Files\Showcalc
2007-12-09 08:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Photo Print Calendar from YOKOHAMA Ver.3.00E beta
2007-12-09 07:58 . 2008-01-03 21:35 <DIR> d-------- C:\Program Files\Backup4all
2007-12-09 07:52 . 2007-12-09 07:52 <DIR> d-------- C:\Program Files\Lavalys
2007-12-07 07:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Agenda One

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 02:33 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-04 02:28 --------- d-----w C:\Program Files\QuickTime
2008-01-04 02:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-01 12:41 --------- d-----w C:\Program Files\e-Sword
2008-01-01 01:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 12:05 --------- d-----w C:\Program Files\ACT
2007-12-31 12:02 --------- d-----w C:\Program Files\Google
2007-12-31 05:31 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-31 05:23 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-31 00:51 --------- d-----w C:\Program Files\Snapshot Viewer
2007-12-28 21:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:23 --------- d-----w C:\Program Files\CCleaner
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 21:22 --------- d-----w C:\Program Files\XPMedic
2007-12-28 21:22 --------- d-----w C:\Program Files\Pocket Informant
2007-12-28 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-28 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 21:11 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-12-28 14:06 0 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2007-12-28 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-27 11:50 13,880 ----a-w C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-12-21 10:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-21 10:26 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-14 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-12-09 10:12 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-28 00:25 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-11-25 22:28 --------- d-----w C:\Program Files\TechSmith
2007-10-07 04:45 214,528 ----a-w C:\WINDOWS\iun3403.exe
2005-07-16 21:38 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 14:44 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"Backup4all"="C:\Program Files\Backup4all\Backup4all.exe" [2007-12-02 14:44 1948672]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-02 14:44 160832]
"Tbsa"="C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" [ ]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor_new.exe" [2006-05-18 16:22 2074848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-12-02 14:44 2074848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-24 14:52:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2005-03-03 12:23]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 08:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 08:33]
R1 NETFLTDI;NETFLTDI;C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 08:33]
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 09:40]
R2 HPW5ECP;HPW5ECP;C:\WINDOWS\system32\drivers\HPW5ECP.SYS [1998-09-25 06:06]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]
S1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 08:33]
S1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 10:39]
S1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 08:33]
S1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 08:33]
S2 cpoint;cpoint;C:\WINDOWS\system32\drivers\cpoint.sys [2007-06-08 07:44]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\WADFSDZ\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;ComFiltr;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2007-12-27 06:50]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 w600bus;w600bus;C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;w600mdfl;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;w600mdm;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;w600mgmt;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;w600obex;C:\WINDOWS\system32\DRIVERS\w600obex.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-11-04 09:34:50 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 06:41:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 6:45:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 11:45:44
ComboFix2.txt 2008-01-04 02:39:29




2nd Combo Fix Log

ComboFix 08-01-03.4 - WADFSDZ 2008-01-04 6:57:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.721 [GMT -5:00]
Running from: C:\Documents and Settings\WADFSDZ\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-02 07:52 . 2008-01-02 07:52 5,632 --ahs---- C:\Thumbs.db
2007-12-31 11:55 . 2007-12-31 11:55 <DIR> d-------- C:\Deckard
2007-12-30 23:28 . 2007-12-31 06:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-30 18:52 . 2007-12-30 18:52 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-12-29 08:40 . 2007-12-29 08:40 <DIR> d-------- C:\Program Files\Softnik Technologies
2007-12-28 19:09 . 2007-12-28 19:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-28 16:24 . 2007-12-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-12-28 16:23 . 2007-12-28 16:23 <DIR> d-------- C:\WINDOWS\Agenda One
2007-12-28 16:11 . 2007-12-28 16:11 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-12-20 07:23 . 2007-12-20 13:04 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\Good Keywords v2
2007-12-17 20:56 . 2007-12-28 20:25 <DIR> d-------- C:\Program Files\Niche Inspector
2007-12-11 06:38 . 2007-12-13 05:36 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\eBookPro6
2007-12-11 00:19 . 2007-12-11 00:20 242 --a------ C:\WINDOWS\ActiveActG.INI
2007-12-09 17:46 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\XP Smoker
2007-12-09 17:43 . 2007-12-09 17:43 79 --a------ C:\WINDOWS\showcalc.ini
2007-12-09 08:06 . 2007-12-09 08:06 <DIR> d-------- C:\Program Files\Showcalc
2007-12-09 08:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Photo Print Calendar from YOKOHAMA Ver.3.00E beta
2007-12-09 07:58 . 2008-01-04 06:42 <DIR> d-------- C:\Program Files\Backup4all
2007-12-09 07:52 . 2007-12-09 07:52 <DIR> d-------- C:\Program Files\Lavalys
2007-12-07 07:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Agenda One

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 02:33 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-04 02:28 --------- d-----w C:\Program Files\QuickTime
2008-01-04 02:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-01 12:41 --------- d-----w C:\Program Files\e-Sword
2008-01-01 01:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 12:05 --------- d-----w C:\Program Files\ACT
2007-12-31 12:02 --------- d-----w C:\Program Files\Google
2007-12-31 05:31 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-31 05:23 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-31 00:51 --------- d-----w C:\Program Files\Snapshot Viewer
2007-12-28 21:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:23 --------- d-----w C:\Program Files\CCleaner
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 21:22 --------- d-----w C:\Program Files\XPMedic
2007-12-28 21:22 --------- d-----w C:\Program Files\Pocket Informant
2007-12-28 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-28 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 21:11 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-12-28 14:06 0 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2007-12-28 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-27 11:50 13,880 ----a-w C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-12-21 10:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-21 10:26 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-14 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-12-09 10:12 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-28 00:25 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-11-25 22:28 --------- d-----w C:\Program Files\TechSmith
2007-10-07 04:45 214,528 ----a-w C:\WINDOWS\iun3403.exe
2005-07-16 21:38 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 14:44 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"Backup4all"="C:\Program Files\Backup4all\Backup4all.exe" [2007-12-02 14:44 1948672]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-02 14:44 160832]
"Tbsa"="C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" [ ]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor_new.exe" [2006-05-18 16:22 2074848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2007-12-02 14:44 2074848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-24 14:52:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2005-03-03 12:23]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 08:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 08:33]
R1 NETFLTDI;NETFLTDI;C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 08:33]
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 09:40]
R2 HPW5ECP;HPW5ECP;C:\WINDOWS\system32\drivers\HPW5ECP.SYS [1998-09-25 06:06]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]
S1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 08:33]
S1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 10:39]
S1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 08:33]
S1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 08:33]
S2 cpoint;cpoint;C:\WINDOWS\system32\drivers\cpoint.sys [2007-06-08 07:44]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\WADFSDZ\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;ComFiltr;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2007-12-27 06:50]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 w600bus;w600bus;C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;w600mdfl;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;w600mdm;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;w600mgmt;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;w600obex;C:\WINDOWS\system32\DRIVERS\w600obex.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-11-04 09:34:50 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 07:02:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 732 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 1228
ComboFix2.txt 2008-01-04 11:45:48
ComboFix3.txt 2008-01-04 02:39:29

Error message as HJT was beginning its procedures

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Logfile of HijackThis v1.99.1
Scan saved at 7:13:30 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spyware Doctor\swdoctor_new.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\WADFSDZ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor_new.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AddressGrabber - {70192830-2B20-450E-8CED-4151CA0F422F} - C:\Program Files\eGrabber\AGB\InternetAddress.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnetdaily.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.worldnetdaily.com
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190863566984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Old 01-03-2008, 06:42 AM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Also - the icon titles are still highlighted in blue, as if I'd single-clicked on each of them? This has been the case since this event began several days ago.

Have just attempted to open Spyware Doctor, to no avail. No matter how I try, it will not open.

Although this morning, when following your instructions, it opened up quite quickly and I was able to turn off the service in prep for following your instructions.

I will close windows and see if restarting the computer helps.

Reeder

Last edited by Reeder; 01-03-2008 at 06:46 AM.
Old 01-03-2008, 08:25 AM   #10 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Pancake:

Some additional information. I've not told Spyware Doctor to do anything with this, but here is the current log of the "to date scan". I wanted to wait till you had a chance to review the other information before making any changes to my computer.

I have to go into Task Manager and remove the SD process, then SD will open.

As an aside question, do you recommend for or against using SD?

Following is its current scan log.

I hope this info is helpful rather than superfluous.

Just trying to be of some help.

Thanks again

Reeder


Spyware Doctor Activity Report
Generated on 1/4/2008 9:30:28 AM
Scans (basic information only):
Scan Results:
scan start: 1/4/2008 9:31:00 AM
scan stop: 1/4/2008 10:05:27 AM
scanned items: 191509
found items: 35
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk
Tracking Cookie(s) cookies.txt - Line #10 Low
Advertising cookies.txt - Line #100 Low
Advertising cookies.txt - Line #101 Low
Advertising cookies.txt - Line #102 Low
Advertising cookies.txt - Line #103 Low
Advertising cookies.txt - Line #104 Low
Advertising cookies.txt - Line #105 Low
Advertising cookies.txt - Line #115 Low
Advertising cookies.txt - Line #118 Low
Tracking Cookie(s) cookies.txt - Line #27 Low
Tracking Cookie(s) cookies.txt - Line #5 Low
Tracking Cookie(s) cookies.txt - Line #62 Low
Tracking Cookie(s) cookies.txt - Line #63 Low
Tracking Cookie(s) cookies.txt - Line #68 Low
Tracking Cookie(s) cookies.txt - Line #69 Low
Tracking Cookie(s) cookies.txt - Line #70 Low
Tracking Cookie(s) cookies.txt - Line #83 Low
Tracking Cookie(s) cookies.txt - Line #84 Low
Tracking Cookie(s) cookies.txt - Line #85 Low
Advertising cookies.txt - Line #88 Low
Advertising cookies.txt - Line #89 Low
Advertising cookies.txt - Line #90 Low
Advertising cookies.txt - Line #91 Low
Advertising cookies.txt - Line #92 Low
Advertising cookies.txt - Line #93 Low
Advertising cookies.txt - Line #94 Low
Advertising cookies.txt - Line #95 Low
Advertising cookies.txt - Line #96 Low
Advertising cookies.txt - Line #97 Low
Advertising cookies.txt - Line #98 Low
Advertising cookies.txt - Line #99 Low
Common Components for Trojans HKCU\Software\Wget Medium
Common Components for Trojans HKCU\Software\Wget## Medium
Trojan.PWS.Tanspy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load High
Trojan.PWS.Tanspy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load## High


Old 01-03-2008, 04:40 PM   #11 (permalink)
Security Team (ret.)
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

Folder::
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\Setup1.exe

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall*

=====================


Go to http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan
__________________
Eddy
Old 01-04-2008, 02:53 AM   #12 (permalink)
Security Team (ret.)
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

And a bit more for you to fix...


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\drivers\wnmsav.dat
C:\WINDOWS\iun3403.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tbsa"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall*

===================================


Also......

Go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Delete everything present.
__________________
Eddy
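The two Run values the script above removes, "Tbsa" and "QuickTime Task", illustrate two patterns that make an O4 entry stand out in a HijackThis log: a file name with a space right before ".exe" ("qttask .exe" is not the genuine qttask.exe that lives in the same folder), and a Windows system binary name (netdde.exe) started from a folder other than system32. The Python script below is an added example, not part of this thread and not code from HijackThis, ComboFix or PC Tools; it parses constructed O4 lines modelled on the log posted earlier in the thread and flags entries matching either pattern for review. The SYSTEM32_BINARIES set and the sample lines are assumptions built for the example, and a flagged entry is a candidate for a closer look, not an automatic removal.

```python
import re
from typing import Dict, List

# Constructed sample lines in the HijackThis "O4" format, modelled on the log
# posted in this thread (assumed input for the example, not a live scan).
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    r'O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"',
    r'O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s',
    r'O4 - HKCU\..\Run: [Tbsa] "C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor_new.exe" /Q',
]

# Binaries that ship in %SystemRoot%\system32 (an assumed, deliberately short list).
# A Run value that launches a file with one of these names from any other folder
# deserves a closer look.
SYSTEM32_BINARIES = {"netdde.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Shape of an O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


def executable_path(cmd: str) -> str:
    """Return the program path from a Run command line, with its arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path, possibly containing spaces: stop at the first ".exe" that
    # is followed by whitespace or the end of the line.
    m = re.match(r'(?i)(.+?\.exe)(?=\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(lines: List[str]) -> List[Dict[str, object]]:
    """Flag O4 entries that match either suspicious pattern; order follows the input."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue                              # not an O4 line, skip it
        path = executable_path(m.group("cmd"))
        folder, _, filename = path.rpartition("\\")
        reasons = []
        # Pattern 1: a space inside the file name right before ".exe". "qttask .exe"
        # is a different file from the genuine "qttask.exe" in the same folder.
        if re.search(r'\s\.exe$', filename, re.IGNORECASE):
            reasons.append("space before .exe in file name")
        # Pattern 2: a system32 binary name launched from somewhere other than system32.
        if filename.lower() in SYSTEM32_BINARIES and not folder.lower().endswith("\\system32"):
            reasons.append("system binary name launched from outside system32")
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"{f['hive']} [{f['name']}] {f['path']}: {'; '.join(f['reasons'])}")
```

Run against the sample lines, the script reports "QuickTime Task", "H/PC Connection Agent" and "Tbsa" and leaves the Google, Backup4all and Spyware Doctor entries alone; a genuine C:\WINDOWS\system32\netdde.exe would not be flagged by either rule. The same two checks can be applied to the ComboFix "Reg Loading Points" section, where the "[ ]" after a value additionally tells you ComboFix could not read the file's date and size.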
Old 01-04-2008, 04:09 AM   #13 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Pancake, here are the requested logs.
Thanks, Reeder


ComboFix 08-01-03.4 - WADFSDZ 2007-01-03 21:08:52.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.806 [GMT -5:00]
Running from: C:\Documents and Settings\WADFSDZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WADFSDZ\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu572.exe.tmp\
C:\WINDOWS\Setup1.exe\
C:\WINDOWS\system32\d3d8caps.dat\
C:\WINDOWS\system32\pavas.ico\

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-02 07:52 . 2008-01-02 07:52 5,632 --ahs---- C:\Thumbs.db
2007-12-31 11:55 . 2007-12-31 11:55 <DIR> d-------- C:\Deckard
2007-12-30 23:28 . 2007-12-31 06:53 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-30 18:52 . 2007-12-30 18:52 39,936 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2007-12-29 08:40 . 2007-12-29 08:40 <DIR> d-------- C:\Program Files\Softnik Technologies
2007-12-28 19:09 . 2007-12-28 19:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-28 16:24 . 2007-12-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-12-28 16:23 . 2007-12-28 16:23 <DIR> d-------- C:\WINDOWS\Agenda One
2007-12-28 16:11 . 2007-12-28 16:11 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-12-20 07:23 . 2007-12-20 13:04 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\Good Keywords v2
2007-12-17 20:56 . 2008-01-04 11:26 <DIR> d-------- C:\Program Files\Niche Inspector
2007-12-11 06:38 . 2007-12-13 05:36 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\eBookPro6
2007-12-11 00:19 . 2007-12-11 00:20 242 --a------ C:\WINDOWS\ActiveActG.INI
2007-12-09 17:46 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\XP Smoker
2007-12-09 17:43 . 2007-12-09 17:43 79 --a------ C:\WINDOWS\showcalc.ini
2007-12-09 08:06 . 2007-12-09 08:06 <DIR> d-------- C:\Program Files\Showcalc
2007-12-09 08:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Photo Print Calendar from YOKOHAMA Ver.3.00E beta
2007-12-09 07:58 . 2008-01-04 09:12 <DIR> d-------- C:\Program Files\Backup4all
2007-12-09 07:52 . 2007-12-09 07:52 <DIR> d-------- C:\Program Files\Lavalys
2007-12-07 07:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Agenda One

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 14:11 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-04 14:09 51,072 ----a-w C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-01-04 14:09 30,592 ----a-w C:\WINDOWS\system32\drivers\ikhfile.sys
2008-01-04 14:02 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-04 02:28 --------- d-----w C:\Program Files\QuickTime
2008-01-04 02:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-01 12:41 --------- d-----w C:\Program Files\e-Sword
2008-01-01 01:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 12:05 --------- d-----w C:\Program Files\ACT
2007-12-31 12:02 --------- d-----w C:\Program Files\Google
2007-12-31 05:31 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-31 00:51 --------- d-----w C:\Program Files\Snapshot Viewer
2007-12-28 21:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:23 --------- d-----w C:\Program Files\CCleaner
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 21:22 --------- d-----w C:\Program Files\XPMedic
2007-12-28 21:22 --------- d-----w C:\Program Files\Pocket Informant
2007-12-28 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-28 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 21:11 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-12-28 14:06 0 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2007-12-28 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-27 11:50 13,880 ----a-w C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-12-21 10:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-21 10:26 249,856 ------w C:\WINDOWS\Setup1.exe
2007-12-14 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-12-09 10:12 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-28 00:25 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-11-25 22:28 --------- d-----w C:\Program Files\TechSmith
2007-10-07 04:45 214,528 ----a-w C:\WINDOWS\iun3403.exe
2005-07-16 21:38 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 14:44 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"Backup4all"="C:\Program Files\Backup4all\Backup4all.exe" [2007-12-02 14:44 1948672]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-02 14:44 160832]
"Tbsa"="C:\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe" [ ]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-01-04 09:09 2083040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-01-04 09:09 2083040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-24 14:52:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2005-03-03 12:23]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 08:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 08:33]
R1 NETFLTDI;NETFLTDI;C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 08:33]
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 09:40]
R2 HPW5ECP;HPW5ECP;C:\WINDOWS\system32\drivers\HPW5ECP.SYS [1998-09-25 06:06]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]
S1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 08:33]
S1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 10:39]
S1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 08:33]
S1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 08:33]
S2 cpoint;cpoint;C:\WINDOWS\system32\drivers\cpoint.sys [2007-06-08 07:44]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\WADFSDZ\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;ComFiltr;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2007-12-27 06:50]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 w600bus;w600bus;C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;w600mdfl;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;w600mdm;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;w600mgmt;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;w600obex;C:\WINDOWS\system32\DRIVERS\w600obex.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-11-04 09:34:50 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 21:16:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 21:21:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 02:21:26
ComboFix2.txt 2008-01-04 1232
ComboFix3.txt 2008-01-04 11:45:48
ComboFix4.txt 2008-01-04 02:39:29

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 04, 2008 6:04:13 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/01/2008
Kaspersky Anti-Virus database records: 502290
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 147933
Number of viruses found: 14
Number of infected objects: 144
Number of suspicious objects: 0
Duration of the scan process: 02:44:02

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX10.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX12.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX13.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX15.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX16.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX6.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX7.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX8.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCX9.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCXB.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCXC.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCXE.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\RCXF.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\TMP10.tmp Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\TMP14.tmp Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\yazzsnet.exe/data0003 Infected: Trojan-Downloader.Win32.PurityScan.fg skipped
C:\Deckard\System Scanner\backup\DOCUME~1\WADFSDZ\LOCALS~1\Temp\yazzsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.5.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.5.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy7.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf5.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_1e0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030410\0102\0102\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Microsoft\Outlook\outitems.log Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Microsoft\Word\STARTUP\DVZWDAddin.dot Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\cert8.db Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\history.dat Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\key3.db Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\parent.lock Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\search.sqlite Object is locked skipped
C:\Documents and Settings\WADFSDZ\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\WADFSDZ\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\WADFSDZ\Desktop\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\Documents and Settings\WADFSDZ\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Application Data\Mozilla\Firefox\Profiles\mwkc5841.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Temp\~DF17EA.tmp Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Temp\~DF17F5.tmp Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Temp\~DFAD99.tmp Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Temp\~DFBD54.tmp Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\WADFSDZ\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\WADFSDZ\ntuser.dat Object is locked skipped
C:\Documents and Settings\WADFSDZ\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Backup4all\Backup4all.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\MBOLS~1\netdde .exe.vir Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\QooBox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Microsoft ActiveSync\wcescomm.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\Program Files\Spyware Doctor\swdoctor.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\PROGRA~1\COMMON~1\MBOLS~1\netdde.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aj2\bumebrpl5.exe.vir Infected: Trojan.Win32.Pakes.bvs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fjsuwhah.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ikhsrbf.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jddlbtdq.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\RCX18.tmp.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vturq.exe.vir Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\QooBox\Quarantine\catchme2008-01-03_213452.82.zip/vturq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\catchme2008-01-03_213452.82.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316765.sys Infected: Rootkit.Win32.Agent.sg skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316767.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316788.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316797.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316800.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316801.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316802.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316804.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316812.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316813.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316815.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316816.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316818.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316819.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316820.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP877\A0316822.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0316903.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0317851.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0317852.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0317856.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0317858.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0317859.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0317861.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318808.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318810.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318811.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318812.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318813.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318814.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318815.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318824.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318826.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318828.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318829.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318830.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318832.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0318834.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319820.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319826.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319828.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319829.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319830.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319847.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319848.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319848.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP878\A0319848.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP880\A0320001.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP880\A0320004.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP880\A0320007.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP880\A0320008.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP880\A0320012.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320033.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320036.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320037.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320038.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320041.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320048.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320050.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320051.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320052.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320053.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320054.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP881\A0320057.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0321048.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0321051.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0321052.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0321053.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0321054.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0321056.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322048.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322051.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322052.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322053.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322054.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322060.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322085.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322086.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322087.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322089.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322090.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322091.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322092.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322093.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322094.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322095.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322096.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322097.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322098.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322099.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322100.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322101.exe Infected: Trojan-Downloader.Win32.PurityScan.ez skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP882\A0322102.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP883\A0322159.exe Infected: Trojan.Win32.Pakes.bvs skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP886\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Last edited by Reeder; 01-04-2008 at 04:16 AM.
Old 01-04-2008, 04:24 AM   #14 (permalink)
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

And a few more to fix....

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

File::
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\Setup1.exe
C:\WINDOWS\iun3403.exe
C:\Documents and Settings\WADFSDZ\Desktop\OiUninstaller.exe/data0002
C:\Documents and Settings\WADFSDZ\Desktop\OiUninstaller.exe NSIS

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tbsa"=-
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*
__________________
Eddy
Old 01-04-2008, 05:14 AM   #15 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Good morning Pancake,
Here are the requested logs; it appears you were burning the "after midnight oil" last evening.
Thanks again for your help.

Reeder


ComboFix 08-01-03.4 - WADFSDZ 2008-01-04 6:50:16.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.741 [GMT -5:00]
Running from: C:\Documents and Settings\WADFSDZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\WADFSDZ\Desktop\CFScript.txt

FILE
C:\Documents and Settings\WADFSDZ\Desktop\OiUninstaller.exe NSIS
C:\Documents and Settings\WADFSDZ\Desktop\OiUninstaller.exe/data0002
C:\WINDOWS\iun3403.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\Setup1.exe
C:\WINDOWS\system32\pavas.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\iun3403.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\Setup1.exe
C:\WINDOWS\system32\pavas.ico

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-03 21:34 . 2008-01-03 21:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-03 21:34 . 2008-01-03 21:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-02 07:52 . 2008-01-02 07:52 5,632 --ahs---- C:\Thumbs.db
2007-12-31 11:55 . 2007-12-31 11:55 <DIR> d-------- C:\Deckard
2007-12-29 08:40 . 2007-12-29 08:40 <DIR> d-------- C:\Program Files\Softnik Technologies
2007-12-28 19:09 . 2007-12-28 19:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-12-28 16:24 . 2007-12-28 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-12-28 16:23 . 2007-12-28 16:23 <DIR> d-------- C:\WINDOWS\Agenda One
2007-12-28 16:11 . 2007-12-28 16:11 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-12-20 07:23 . 2007-12-20 13:04 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\Good Keywords v2
2007-12-17 20:56 . 2008-01-04 11:26 <DIR> d-------- C:\Program Files\Niche Inspector
2007-12-11 06:38 . 2007-12-13 05:36 <DIR> d-------- C:\Documents and Settings\WADFSDZ\Application Data\eBookPro6
2007-12-11 00:19 . 2007-12-11 00:20 242 --a------ C:\WINDOWS\ActiveActG.INI
2007-12-09 17:46 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\XP Smoker
2007-12-09 17:43 . 2007-12-09 17:43 79 --a------ C:\WINDOWS\showcalc.ini
2007-12-09 08:06 . 2007-12-09 08:06 <DIR> d-------- C:\Program Files\Showcalc
2007-12-09 08:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Photo Print Calendar from YOKOHAMA Ver.3.00E beta
2007-12-09 07:58 . 2008-01-03 21:16 <DIR> d-------- C:\Program Files\Backup4all
2007-12-09 07:52 . 2007-12-09 07:52 <DIR> d-------- C:\Program Files\Lavalys
2007-12-07 07:01 . 2007-12-28 16:24 <DIR> d-------- C:\Program Files\Agenda One

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 14:11 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-04 14:09 51,072 ----a-w C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-01-04 14:09 30,592 ----a-w C:\WINDOWS\system32\drivers\ikhfile.sys
2008-01-04 14:02 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-04 02:28 --------- d-----w C:\Program Files\QuickTime
2008-01-04 02:28 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-01 12:41 --------- d-----w C:\Program Files\e-Sword
2008-01-01 01:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 12:05 --------- d-----w C:\Program Files\ACT
2007-12-31 12:02 --------- d-----w C:\Program Files\Google
2007-12-31 05:31 --------- d-----w C:\Program Files\Windows Desktop Search
2007-12-31 00:51 --------- d-----w C:\Program Files\Snapshot Viewer
2007-12-28 21:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 21:23 --------- d-----w C:\Program Files\CCleaner
2007-12-28 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 21:22 --------- d-----w C:\Program Files\XPMedic
2007-12-28 21:22 --------- d-----w C:\Program Files\Pocket Informant
2007-12-28 21:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-28 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 21:11 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-12-28 14:06 0 ----a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2007-12-28 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-27 11:50 13,880 ----a-w C:\WINDOWS\system32\drivers\COMFiltr.sys
2007-12-21 10:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-12-14 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-12-09 10:12 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-11-28 00:25 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-11-25 22:28 --------- d-----w C:\Program Files\TechSmith
2005-07-16 21:38 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-03_21.39.12.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 14:44 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm .exe" [ ]
"Backup4all"="C:\Program Files\Backup4all\Backup4all.exe" [2007-12-02 14:44 1948672]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-02 14:44 160832]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-01-04 09:09 2083040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2008-01-04 09:09 2083040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-24 14:52:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 00000000
"NoLogoff"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 19:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideACT!.lnk]
backup=C:\WINDOWS\pss\SideACT!.lnkCommon Startup

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2005-03-03 12:23]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 08:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 08:33]
R1 NETFLTDI;NETFLTDI;C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 08:33]
R1 ShldDrv;ShldDrv;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 09:40]
R2 HPW5ECP;HPW5ECP;C:\WINDOWS\system32\drivers\HPW5ECP.SYS [1998-09-25 06:06]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-05-25 00:53]
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 07:50]
S1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 08:33]
S1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 10:39]
S1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 08:33]
S1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 08:33]
S2 cpoint;cpoint;C:\WINDOWS\system32\drivers\cpoint.sys [2007-06-08 07:44]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\WADFSDZ\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;ComFiltr;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys [2007-12-27 06:50]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 23:01]
S3 w600bus;w600bus;C:\WINDOWS\system32\DRIVERS\w600bus.sys []
S3 w600mdfl;w600mdfl;C:\WINDOWS\system32\DRIVERS\w600mdfl.sys []
S3 w600mdm;w600mdm;C:\WINDOWS\system32\DRIVERS\w600mdm.sys []
S3 w600mgmt;w600mgmt;C:\WINDOWS\system32\DRIVERS\w600mgmt.sys []
S3 w600obex;w600obex;C:\WINDOWS\system32\DRIVERS\w600obex.sys []

.
Contents of the 'Scheduled Tasks' folder
"2006-11-04 09:34:50 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 06:58:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-04 7:03:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 12:03:22
ComboFix2.txt 2008-01-04 02:21:31
ComboFix3.txt 2008-01-04 1232
ComboFix4.txt 2008-01-04 11:45:48
ComboFix5.txt 2008-01-04 02:39:29

Logfile of HijackThis v1.99.1
Scan saved at 733 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Backup4all\Backup4all.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\WADFSDZ\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldnetdaily.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm .exe"
O4 - HKCU\..\Run: [Backup4all] C:\Program Files\Backup4all\Backup4all.exe /s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: AddressGrabber - {70192830-2B20-450E-8CED-4151CA0F422F} - C:\Program Files\eGrabber\AGB\InternetAddress.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnetdaily.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.worldnetdaily.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1190863566984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (default) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
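The HijackThis log above is the format a helper reads by eye to decide which entries to act on. The following added example (not part of the thread, and not HijackThis or ComboFix code) is a small triage parser for that line format: it pulls the referenced binary out of O2/O4/O9/O20/O23 lines and flags the patterns a responder checks first: a binary loading from a Temp or user-profile directory, a file the tool reports as missing, a system-process name living outside the Windows directory, a service with an unknown owner, and any Winlogon Notify or shell hook (a persistence point worth verifying). The sample lines are constructed for the example; two are copied from the log in the thread as known-benign entries, the rest use placeholder names and are not real indicators.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis's own code. It parses the "Oxx - ..." entry
format and attaches findings a defender would review first.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log. Lines 1-2 are benign entries copied from the thread's
# log; lines 3-8 are placeholders written for this example, not real indicators.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboForm.dll
O4 - HKCU\\..\\Run: [swg] C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe
O4 - HKLM\\..\\Run: [updater] C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svchost.exe
O4 - HKCU\\..\\Run: [Backup] "C:\\Documents and Settings\\user\\Application Data\\rnd\\loader.exe" /s
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: xxyyzz - C:\\WINDOWS\\system32\\xxyyzz.dll
O23 - Service: Example Sync - Unknown owner - C:\\Program Files\\Example\\servicestub.exe
"""

# "O4 - <body>" / "R1 - <body>": the section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
# A Windows path (drive letter or %var%), lazily up to the first binary-like extension.
PATH_RE = re.compile(
    r'"?((?:[A-Za-z]:|%[^%]+%)\\[^"\n]*?\.(?:exe|dll|sys|ocx|cpl|scr|html?))"?',
    re.IGNORECASE,
)

# Directories from which legitimate autostart binaries rarely run (lower-case).
SUSPICIOUS_DIRS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\", "\\application data\\",
    "\\appdata\\", "\\recycler\\", "\\temporary internet files\\",
)
# Names that belong to core Windows processes and should only live under C:\WINDOWS.
SYSTEM_LIKE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


@dataclass
class Entry:
    code: str
    body: str
    path: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for non-entry lines (headers, process list)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return Entry(m.group("code"), body, pm.group(1) if pm else None)


def triage(entry: Entry) -> List[str]:
    """Attach review findings to an entry and return them."""
    low = (entry.path or "").lower()
    name = low.rsplit("\\", 1)[-1]
    if "(file missing)" in entry.body:
        entry.findings.append("referenced file is missing")
    if any(d in low for d in SUSPICIOUS_DIRS):
        entry.findings.append("binary loads from a temp or profile directory")
    if name in SYSTEM_LIKE_NAMES and not low.startswith(SYSTEM_DIRS):
        entry.findings.append("system-process name outside the Windows directory")
    if entry.code == "O23" and "unknown owner" in entry.body.lower():
        entry.findings.append("service with unknown owner")
    if entry.code in ("O20", "O21"):
        entry.findings.append("Winlogon/shell hook: verify publisher and file on disk")
    return entry.findings


def triage_log(text: str) -> List[Entry]:
    """Return only the entries that produced at least one finding."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and triage(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.code}: {e.path or e.body}")
        for f in e.findings:
            print(f"    - {f}")
```

The parser deliberately flags every O20/O21 hook rather than keeping an allowlist: the thread's own log shows both a vendor DLL (WgaLogon) and an antivirus loader (avldr) at that point, and the right call is to verify each file on disk, not to trust a name.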
Old 01-04-2008, 02:48 PM   #16 (permalink)
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

I think we can now call this cleaned.

This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

Quote:

ComboFix /u
========================



Now that you are clean, and if you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure. They can be done at your leisure.


Download and scan with CCleaner from http://www.ccleaner.com/downloadbuilds.asp

1. Starting with v1.27.260, http://www.ccleaner.com/downloadbuilds.asp installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.
__________________



=========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version if required.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u3 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the
Download
button to the right.
Check the box that says:
Accept License Agreement.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.




========================================================

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.ph...7615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use javascripts and cookies).

Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

Hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run. In the dialog box, type services.msc and hit Enter.
Locate DNS Client. Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.



Keep Anti-Virus Software updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out. See here (http://www.snapfiles.com/Freeware/security/fwvirus.html) to choose one.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
Here (http://www.snapfiles.com/Freeware/se...wfirewall.html) are some Vista compatible firewalls also.



Know What You're Installing
Check the source.
To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection.

Use Custom Install.
If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware).

Modify Security Settings (Internet Explorer 6)
To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so:

Open Internet Explorer. Go to Tools > Internet Options….
On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected).
Under Security level for this zone, click Default Level. Set the slider to High.
Note: You may have to lower the security level to view certain Web sites.
Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium.
Click Apply, then OK to save the changes.


Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link:

http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs:

http://www.spywarewarrior.com/asw-test-guide.htm



Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!
__________________
Eddy
Pancake is offline  
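The hardening steps in Pancake's post above (the Internet-zone ActiveX settings, the hosts file, and setting the DNS Client service to Manual) can be checked afterwards from PowerShell. The script below is an added example, not part of the thread and not Pancake's own. It assumes Microsoft's documented registry layout for the Internet zone (zone 3, value names 1001, 1004, 1201, 1800, 1804 and 1607, with data 0 = Enable, 1 = Prompt, 3 = Disable), the service name Dnscache for DNS Client, and the default hosts file path; it only reads and reports, it changes nothing.

```powershell
# Added example: read-only audit of the post-cleanup hardening steps recommended above.
# Assumptions: Microsoft's documented Internet-zone registry layout, the Dnscache service
# name, and the standard hosts file location.

# 1. Internet zone (zone 3) URL-action values. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Recommended = @(
    @{ Value = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Value = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Value = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Value = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Value = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Value = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IEInternetZone {
    # One object per setting: what is currently stored, what the post recommends, and a match flag.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    foreach ($r in $Recommended) {
        $current = $null
        if ($props -ne $null) { $current = $props.($r.Value) }
        $currentText = 'not set (IE default)'
        if ($current -ne $null) {
            if ($Meaning.ContainsKey([int]$current)) { $currentText = $Meaning[[int]$current] }
            else { $currentText = "value $current" }
        }
        New-Object PSObject -Property @{
            Setting     = $r.Name
            Current     = $currentText
            Recommended = $Meaning[$r.Want]
            OK          = ($current -ne $null -and [int]$current -eq $r.Want)
        }
    }
}

# 2. Hosts file: count block-style entries (names mapped to 0.0.0.0 or 127.0.0.1, which is
#    what the MVPS file consists of) and list any entry that maps a name elsewhere.
function Get-HostsFileSummary {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $blocked = 0
    $other = @()
    foreach ($line in Get-Content $Path) {
        $text = ($line -split '#')[0].Trim()          # strip comments; skip blank lines
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Length -lt 2) { continue }        # address with no hostname: nothing to count
        $addr  = $fields[0]
        $names = $fields[1..($fields.Length - 1)]
        if ($addr -eq '0.0.0.0' -or $addr -eq '127.0.0.1') {
            # the stock "127.0.0.1 localhost" line is not a block entry
            $blocked += @($names | Where-Object { $_ -ne 'localhost' }).Count
        } else {
            $other += $text
        }
    }
    New-Object PSObject -Property @{ Path = $Path; BlockedNames = $blocked; OtherEntries = $other }
}

# 3. DNS Client service: the post's workaround for the slowdown a large hosts file can cause
#    is to set it to Manual. Win32_Service exposes StartMode on every PowerShell version.
function Get-DnsClientStartMode {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
    New-Object PSObject -Property @{ Service = 'DNS Client'; StartMode = $svc.StartMode; State = $svc.State }
}

Test-IEInternetZone | Format-Table Setting, Current, Recommended, OK -AutoSize
Get-HostsFileSummary | Format-List Path, BlockedNames, OtherEntries
Get-DnsClientStartMode | Format-List Service, StartMode, State
```

Run it in an ordinary PowerShell window after completing the steps; a row with OK set to False names the setting that still needs changing in Internet Options. One caveat: the script reads the per-user zone values under HKCU, which is where the Internet Options dialog writes them. On a machine where zone settings are managed centrally (the Security_HKLM_only value or Group Policy), the effective values live under HKLM instead, so check that key as well before trusting the report.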
Old 01-04-2008, 03:44 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

Pancake:

Have a blessed day and thank you for your diligent and excellent work on my behalf.

I shall set about doing those things you have suggested.

Thanks again

Reeder
Reeder is offline  
Old 01-04-2008, 04:01 PM   #18 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

You're welcome..
__________________
Eddy
Pancake is offline  
Old 01-04-2008, 07:09 PM   #19 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 12
OS: xp


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

A final question that has not been resolved.

The titles under each icon on the desktop are still all blue as if each had been single clicked, is this something to be concerned about?

Thanks

Reeder

BTW I was going to contribute some money to this forum but have not been able to figure out how to do that.
Reeder is offline  
Old 01-04-2008, 09:54 PM   #20 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: started 17PHolmes572.exe, Netdde.exe - lots of IE pop up

That is a setting that will need to be fixed but for the life of me I can't remember where it resides in Windows. I think your best bet is to go to one of our other forums like Windows XP where I'm sure they will sort it for you.
__________________
Eddy
Pancake is offline  
Copyright 2001 - 2009, Tech Support Forum