02-07-2008, 12:36 AM   #1
Registered User
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2

"Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

I went to a website of a legit company and a pop-up came up asking if I would accept the certificate... thinking that this is a real company, I accepted... as soon as I did, my system restarted itself. When it loaded back up, of course I had warnings from my virus detector that I was infected, but it was in quarantine... obviously not, because I keep getting the pop-up.

I tried MANY times to run Panda ActiveScan; however, it would go so far and quit... after numerous tries I stopped it after it detected some things.

Panda ActiveScan

Incident Status Location

Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch
Adware:adware/wupd Not disinfected Windows Registry
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[server.iad.liveperson.net/hc/42100763]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[server.iad.liveperson.net/hc/59276654]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.go.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.com.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[server.iad.liveperson.net/hc/17019767]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\oy8b4g3l.default\cookies.txt[server.iad.liveperson.net/hc/8850704]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\SecondLife\browser_profile\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\SecondLife\browser_profile\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\SecondLife\browser_profile\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\SecondLife\browser_profile\cookies.txt[counter.hitslink.com/]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61[MagicApplet.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61[OwnClassLoader.class]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Uniblue\SpyEraser\Quarantine\RealMedia.com_05_11_2007_10_33_14.asq6334
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Uniblue\SpyEraser\Quarantine\Tracking Cookie_05_11_2007_10_33_14.asq18467
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Administrator\Application Data\Uniblue\SpyEraser\Quarantine\Tracking Cookie_05_11_2007_10_33_14.asq41
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@doubleclick[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@server.iad.liveperson[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@tribalfusion[1].txt
Possible Virus. Not disinfected C:\Documents and Settings\HP_Administrator\Local Settings\Temp\jar_cache26178.tmp
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\HP_Administrator\Local Settings\Temp\NoadwareBkupTemp\hp_administrator@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\HP_Administrator\Local Settings\Temp\NoadwareBkupTemp\hp_administrator@go[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Administrator\Local Settings\Temp\NoadwareBkupTemp\hp_administrator@www.burstbeacon[1].txt
Possible Virus. Not disinfected C:\Documents and Settings\HP_Administrator\Local Settings\Temp\us0105.exe

Deckard's System Scanner Results

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-02-06 23:08:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
164: 2008-02-07 07:08:19 UTC - RP830 - Deckard's System Scanner Restore Point
163: 2008-02-06 23:40:19 UTC - RP829 - Software Distribution Service 3.0
162: 2008-02-06 18:37:22 UTC - RP828 - Software Distribution Service 3.0
161: 2008-02-05 23:18:23 UTC - RP827 - Software Distribution Service 3.0
160: 2008-02-05 11:00:50 UTC - RP826 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-11-08 1900 UTC - RP667 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as HP_Administrator.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:39 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\8IMMGP1V\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: VonageRestart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GMail.lnk = C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - Global Startup: RoboForm.lnk = C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Cu...ataManager.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshe...onGameHost.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 13752 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Cavasm - c:\windows\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
R0 ntcdrdrv - c:\windows\system32\drivers\ntcdrdrv.sys <Not Verified; NoteBurn Software; NoteBurn>
R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2500>
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2500>
R2 MaVctrl - c:\windows\system32\drivers\mavc2k.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
R3 CXFALCON (Conexant Falcon II NTSC Video Capture) - c:\windows\system32\drivers\cxfalcon.sys <Not Verified; Conexant Systems, Inc.; cxfalcon.sys>
R3 HSX_DP - c:\windows\system32\drivers\hsx_dp.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 HSXHWBS2 - c:\windows\system32\drivers\hsxhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 winachsx - c:\windows\system32\drivers\hsx_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S0 ftsata2 - c:\windows\system32\drivers\ftsata2.sys (file missing)
S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 btwmodem (Bluetooth Modem) - c:\windows\system32\drivers\btwmodem.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2500>
S3 CA561 (EZCam III) - c:\windows\system32\drivers\spca561.sys <Not Verified; SP; Microsoft(R) Windows NT(R) Operating System>
S3 cmudau (C-Media USB Sound Interface) - c:\windows\system32\drivers\cmudau.sys <Not Verified; C-Media Inc; C-Media USB Audio Driver (WDM)>
S3 DFUBTUSB (WIDCOMM USB Bluetooth Driver in DFU State) - c:\windows\system32\drivers\frmupgr.sys <Not Verified; Broadcom Corporation.; >
S3 mamotou - c:\windows\system32\drivers\mamotou.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 MaRdPnp - c:\windows\system32\drivers\mardp2k.sys <Not Verified; Mobile Action Technology Inc.; Handset Manager>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 PSI - c:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>
S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 SDDMI2 - c:\windows\system32\ddmi2.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S4 black - c:\windows\system32\drivers\blackdrv.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 BOCore - c:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Comodo Anti-Virus and Anti-Spyware Service - "c:\program files\comodo\common\cavaspy\cavasm.exe" <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
R2 FirebirdGuardianDefaultInstance (Firebird Guardian - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s <Not Verified; The Firebird Project; Firebird SQL Server>
R3 FirebirdServerDefaultInstance (Firebird Server - DefaultInstance) - c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s <Not Verified; The Firebird Project; Firebird SQL Server>

S2 KodakCCS (Kodak Camera Connection Software) - c:\windows\system32\drivers\kodakccs.exe (file missing)
S2 KodakSvc (Kodak AiO Device Service) - "c:\program files\kodak\printer\center\kodaksvc.exe" <Not Verified; Eastman Kodak Company; KodakSvc>
S3 Mua15ertr -


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-02-06 15:02:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-06 02:22:38 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-02-02 14:15:01 286 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2008-01-29 11:49:01 292 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-11-05 15:02:26 360 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2007-07-01 12:20:34 414 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-01-06 and 2008-02-06 -----------------------------

2008-02-06 23:13:11 0 d-------- C:\Program Files\Trend Micro
2008-02-06 15:39:24 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-02-06 15:37:52 8576 --a------ C:\WINDOWS\system32\drivers\jrrbvwsdrlib.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-06 12:56:59 8576 --a------ C:\WINDOWS\system32\drivers\kjeiidvlpowc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-06 11:17:58 8576 --a------ C:\WINDOWS\system32\drivers\uqhngeneygsc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-06 10:04:55 8576 --a------ C:\WINDOWS\system32\drivers\jxuvoxfskpmf.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-02-06 09:01:53 0 d-------- C:\ie-spyad_zo
2008-02-06 09:00:00 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 08:41:07 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-06 08:41:07 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-06 08:41:07 85504 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-06 08:41:07 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-06 08:41:06 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-06 08:41:06 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-06 08:41:06 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-05 17:59:16 6656 --a------ C:\WINDOWS\system32\users32.dat
2008-02-05 17:55:24 6144 --a------ C:\WINDOWS\system32\cru629.dat
2008-02-05 17:55:24 6144 --a------ C:\WINDOWS\cru629.dat
2008-02-05 17:55:24 11264 --a------ C:\WINDOWS\braviax.exe
2008-02-05 17:49:48 11264 --a------ C:\WINDOWS\system32\braviax.exe
2008-02-04 20:38:59 13440 --a------ C:\WINDOWS\system32\drivers\ntcdrdrv.sys <Not Verified; NoteBurn Software; NoteBurn>
2008-02-04 20:38:59 0 d-------- C:\Program Files\NoteBurner
2008-01-31 14:12:30 0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
2008-01-30 15:48:49 0 d-------- C:\Program Files\iPod
2008-01-30 15:48:45 0 d-------- C:\Program Files\iTunes
2008-01-25 19:27:58 0 d-------- C:\GLIntercept0_5
2008-01-25 16:58:46 0 d-------- C:\Program Files\VirtualDJ
2008-01-24 15:11:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-24 15:07:52 0 dr-h----- C:\MSOCache
2008-01-10 15:56:40 0 d-------- C:\Program Files\World of Warcraft
2008-01-09 15:23:56 0 d-------- C:\b33526da661b0136afc6d64a


-- Find3M Report ---------------------------------------------------------------

2008-02-06 23:02:50 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-02-06 22:58:09 12 --a------ C:\WINDOWS\bthservsdp.dat
2008-02-06 19:01:39 0 d-------- C:\Program Files\Bonjour
2008-02-06 18:58:46 0 d-------- C:\Program Files\Windows Defender
2008-02-06 18:57:53 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-02-06 18:57:05 0 d-------- C:\Program Files\PixiePack Codec Pack
2008-02-06 18:56:21 0 d-------- C:\Program Files\Common Files\LightScribe
2008-02-06 18:54:58 0 d-------- C:\Program Files\SecondLife
2008-02-06 11:18:31 0 d-------- C:\Program Files\MediaMonkey
2008-02-06 10:05:28 0 d-------- C:\Program Files\PhotoDeluxe 2.0
2008-02-05 21:23:55 0 d-------- C:\Program Files\NoAdware4
2008-02-05 21:15:30 0 d-------- C:\Program Files\Norton Security Scan
2008-02-05 19:18:30 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-01-31 11:26:00 0 d-------- C:\Program Files\GLIntercept0_5
2008-01-29 15:11:13 0 d-------- C:\Program Files\Mahjong Towers Eternity
2008-01-27 19:17:25 0 d-------- C:\Program Files\Google
2008-01-24 15:16:28 0 d-------- C:\Program Files\Microsoft Works
2008-01-23 15:13:40 0 d-------- C:\Program Files\QuickTime
2008-01-18 23:18:16 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\SecondLife
2008-01-18 16:53:31 0 d-------- C:\Program Files\Zam BeeZee
2008-01-18 11:42:39 0 d-------- C:\Program Files\support.com
2008-01-10 19:10:13 134782 --a------ C:\Documents and Settings\HP_Administrator\Application Data\Cosmos Prefs
2008-01-10 18:54:28 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-01-10 16:10:08 0 d-------- C:\Program Files\ISS
2008-01-09 17:22:15 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-09 11:56:35 0 d-------- C:\Program Files\Norton Internet Security
2008-01-09 08:21:05 96897 --a------ C:\logfile
2008-01-04 13:27:30 0 d-------- C:\Program Files\Windows Live
2008-01-04 13:26:25 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-04 13:23:47 0 d-------- C:\Program Files\Common Files
2008-01-04 00:39:56 0 d-------- C:\Program Files\Comcast Play Games
2008-01-04 00:38:08 0 d-------- C:\Program Files\HP Games
2008-01-02 21:56:26 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Home Sweet Home
2008-01-02 14:20:04 0 d-------- C:\Program Files\Kodak
2008-01-02 14:19:09 26 --a------ C:\WINDOWS\popcinfo.dat
2008-01-01 21:23:12 0 d-------- C:\Program Files\GamesBar
2008-01-01 21:22:54 0 d-------- C:\Program Files\Common Files\Oberon Media
2007-12-13 11:07:12 12800 --a------ C:\WINDOWS\system32\EKDeviceServices.dll <Not Verified; ; EKDevice Dynamic Link Library>
2007-12-12 16:38:02 0 d-------- C:\Program Files\USB Headset
2007-12-11 15:53:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-11 15:48:02 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Vso
2007-12-11 15:48:01 33 --a------ C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.log
2007-12-11 15:47:36 47360 --a------ C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-12-11 15:47:36 7887 --a------ C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.cat
2007-12-11 15:47:35 1144 --a------ C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.inf
2007-12-11 12:41:12 0 d-------- C:\Program Files\SecondLifeBetaHavok
2007-12-11 12:22:32 0 --a------ C:\Documents and Settings\HP_Administrator\Application Data\CopyToGo.dat
2007-12-11 12:05:31 0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Tunebite
2007-12-11 11:02:43 0 d-------- C:\Program Files\RapidSolution
2007-12-11 09:56:49 0 d-------- C:\Program Files\Big Kahuna Reef 2 - Chain Reaction
2007-12-10 11:35:09 2528 --a------ C:\Documents and Settings\HP_Administrator\Application Data\$_hpcst$.hpc
2007-12-09 18:47:53 0 d-------- C:\Program Files\NCH Swift Sound
2007-12-07 01:54:04 264 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-12-05 23:16:55 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= C:\PROGRA~1\mypoints\mypoints.dll [10/29/2007 11:20 AM 1909248]

[-HKEY_CLASSES_ROOT\CLSID\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 12:07 AM]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [04/19/2007 08:24 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [04/19/2007 08:38 PM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [04/19/2007 08:29 PM]
"nwiz"="nwiz.exe" [09/17/2007 12:07 AM C:\WINDOWS\system32\nwiz.exe]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [08/08/2007 06:49 PM]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [09/03/2007 03:13 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/17/2006 07:18 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/17/2007 12:07 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [02/06/2008 10:03 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 07:51 PM]
"RTHDCPL"="RTHDCPL.EXE" [11/06/2007 10:50 AM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\Alcmtr.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/09/2004 08:00 PM C:\WINDOWS\system32\bthprops.cpl]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [11/13/2007 10:00 AM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 01:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/10/2008 03:27 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [01/15/2008 03:22 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"braviax"="braviax.exe" [02/06/2008 10:59 PM C:\WINDOWS\system32\braviax.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [08/17/2007 02:45 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/09/2004 08:00 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [08/14/2007 03:52 PM]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [12/03/2007 03:39 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/20/2007 03:30 PM]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [08/14/2007 04:53 PM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [12/08/2007 09:56 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 01:39 PM]
"Tunebite"="C:\Program Files\RapidSolution\Tunebite\Tunebite.exe" []
"braviax"="C:\WINDOWS\system32\braviax.exe" [02/06/2008 10:59 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
VonageRestart.exe [8/17/2006 2:58:46 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
GMail.lnk - C:\Program Files\Google\Gmail Notifier\gnotify.exe [7/15/2005 1:48:33 PM]
RoboForm.lnk - C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe [10/23/2006 7:37:31 PM]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [7/17/2006 7:36:25 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 09/03/2007 03:13 PM 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8105b1-9f58-11db-b4f9-001731c599ce}]
AutoRun\command- K:\.\MigWiz\migsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12fc0e10-6153-11db-b4d7-001731c599ce}]
AutoRun\command- J:\PortableRoboForm.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ad2ef24-c9e4-11db-b512-001731c599ce}]
AutoRun\command- K:\setupSNK.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe



-- End of Deckard's System Scanner: finished at 2008-02-06 23:15:19 ------------

Thank you so much for your help
Attached Files
File Type: txt extra.txt (41.0 KB, 3 views)
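Added example, not part of the original post or of Deckard's System Scanner: a small triage script for the "Registry Dump" section of a DSS log like the one above. It reads a constructed excerpt (the persistence-related lines copied from this log) and flags the load points an analyst looks at first: Run values whose binary was created within hours of the scan, the same Run value name present under both HKLM and HKCU, any non-empty AppInit_DLLs, an LSA Authentication Packages list that contains more than msv1_0, and any Winlogon\Notify subkey. The 48-hour "fresh" window and the scan time (taken from the DSS footer) are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt: the persistence-related lines from the DSS registry
# dump in the post above, trimmed to what the triage rules below look at.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 09:59 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"braviax"="braviax.exe" [02/06/2008 10:59 PM C:\WINDOWS\system32\braviax.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [08/17/2007 02:45 AM]
"braviax"="C:\WINDOWS\system32\braviax.exe" [02/06/2008 10:59 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 09/03/2007 03:13 PM 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=cru629.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap
"""

# "finished at 2008-02-06 23:15:19" in the DSS footer of the same post (assumed scan time).
SCAN_TIME = datetime(2008, 2, 6, 23, 15, 19)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
STAMP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)(?:\s+(.*))?$")


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def triage_registry_dump(text, scan_time, fresh_window=timedelta(hours=48)):
    """Return (kind, name, detail) findings for the load points DSS prints."""
    findings = []
    run_entries = {}            # Run value name -> [(hive, image path), ...]
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        low = key.lower()
        m = VALUE_RE.match(line)
        if not m:
            # Winlogon\Notify subkeys are dumped as "<dll> <date> <size> <path>".
            if "\\winlogon\\notify\\" in low:
                findings.append(("winlogon_notify", key.rsplit("\\", 1)[1], line.split()[-1]))
            continue
        name, data, meta = m.group("name"), _unquote(m.group("data")), m.group("meta") or ""
        if low.endswith("\\currentversion\\run"):
            hive, image = key.split("\\", 1)[0], data
            stamp = STAMP_RE.match(meta.strip())
            if stamp:
                if stamp.group(2):          # DSS resolves a bare name to its full path here
                    image = stamp.group(2)
                created = datetime.strptime(stamp.group(1), "%m/%d/%Y %I:%M %p")
                if scan_time - created <= fresh_window:
                    findings.append(("run_fresh_binary", name, image))
            run_entries.setdefault(name, []).append((hive, image))
        elif low.endswith("\\currentversion\\windows") and name.lower() == "appinit_dlls":
            if data:                        # any AppInit_DLLs value is worth a look
                findings.append(("appinit_dlls", name, data))
        elif low.endswith("\\control\\lsa") and name.lower() == "authentication packages":
            extra = [p for p in data.split() if p.lower() != "msv1_0"]
            if extra:                       # msv1_0 is the only stock package on XP
                findings.append(("lsa_auth_package", name, " ".join(extra)))
    for name, entries in run_entries.items():
        if len({hive for hive, _ in entries}) > 1:
            findings.append(("run_duplicated_across_hives", name, entries[0][1]))
    return findings


def triage_sample():
    return triage_registry_dump(SAMPLE_DUMP, SCAN_TIME)


if __name__ == "__main__":
    for kind, name, detail in triage_sample():
        print(f"{kind:28} {name:24} {detail}")
```

On this excerpt the script reports braviax.exe twice as a fresh binary (created 16 minutes before the scan) and once more for being registered under both hives, cru629.dat in AppInit_DLLs, relog_ap in the LSA package list and the monln Notify DLL; the stock entries (ccApp, Skype, KernelFaultCheck) produce nothing.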

Old 02-09-2008, 03:11 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 02-09-2008, 04:03 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=alwaysoff /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Old 02-09-2008, 05:25 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disconnect from the internet....pull the plug!
  3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  4. Double click on combofix.exe & follow the prompts. Type 1, then press Enter to start the fix.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  8. Re-establish an internet connection.
  9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
Old 02-10-2008, 11:42 AM   #5 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

I have tried numerous times to get the program to run and it won't run. I have rebooted my system and shut down the apps that you said to. I unplugged the cable from the router... but I can't get the program to run :(
Old 02-10-2008, 12:05 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Delete any existing version of Combofix you may have. Look for and delete C:\ComboFix folder if it exists.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------


Disable your protections...especially BOClean


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Old 02-12-2008, 11:45 AM   #7 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Again nothing... it starts and then shuts down. I have tried doing it in safe mode to make sure nothing else is running. I have had my task manager open and I see it run then shut down. Once I start the program I don't do anything, I take my hand off the mouse, but it still keeps shutting down... I am so sorry.
Old 02-12-2008, 11:50 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

It's not you, it's the infection.

Confirm for me that you renamed Combofix before it was downloaded, please.

Also, do this:

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\drivers\beep.sys

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

    Repeat for this file:

    C:\WINDOWS\system32\dllcache\beep.sys
Old 02-12-2008, 12:05 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

angelah2 -

I typically answer my threads very quickly. We can get this solved a bit more rapidly if you'll stick around for 15 minutes or so after a reply, and also be sure that you are subscribed to the thread to get instant email notifications.

To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be sure to look at Post #8
Old 02-12-2008, 01:03 PM   #10 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

File beep.sys_ received on 02.12.2008 20:47:51 (CET)
Result: 12/32 (37.5%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.13.10 2008.02.12 -
AntiVir 7.6.0.65 2008.02.12 -
Authentium 4.93.8 2008.02.11 -
Avast 4.7.1098.0 2008.02.12 Win32:Agent-QNI
AVG 7.5.0.516 2008.02.12 BackDoor.Ntrootkit.X
BitDefender 7.2 2008.02.12 Generic.Malware.P!.C9205724
CAT-QuickHeal None 2008.02.12 FraudTool.UltimateDefender.af (Not a Virus)
ClamAV 0.92 2008.02.12 -
DrWeb 4.44.0.09170 2008.02.12 -
eSafe 7.0.15.0 2008.02.11 -
eTrust-Vet 31.3.5530 2008.02.12 Win32/Eldycow!generic
Ewido 4.0 2008.02.12 -
FileAdvisor 1 2008.02.12 -
Fortinet 3.14.0.0 2008.02.12 -
F-Prot 4.4.2.54 2008.02.11 -
F-Secure 6.70.13260.0 2008.02.12 W32/Agent.EFKL
Ikarus T3.1.1.20 2008.02.12 not-a-virus:.FraudTool.Win32.UltimateDefender.af
Kaspersky 7.0.0.125 2008.02.12 not-a-virus:FraudTool.Win32.UltimateDefender.af
McAfee 5228 2008.02.12 -
Microsoft 1.3204 2008.02.12 -
NOD32v2 2869 2008.02.12 -
Norman 5.80.02 2008.02.12 W32/Agent.EFKL
Panda 9.0.0.4 2008.02.12 -
Prevx1 V2 2008.02.12 Heuristic: Suspicious File With Anti-Security Technology
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.12 -
Sunbelt 2.2.907.0 2008.02.12 -
Symantec 10 2008.02.12 Hacktool.Rootkit
TheHacker 6.2.9.218 2008.02.12 -
VBA32 3.12.6.0 2008.02.11 -
VirusBuster 4.3.26:9 2008.02.12 -
Webwasher-Gateway 6.6.2 2008.02.12 Win32.Malware.gen!80 (suspicious)
Additional information
File size: 29184 bytes
MD5: 4c5ae139340b38b3b9b4724317817065
SHA1: fb3cb2266113aa7dc6088ccd622536b2d289088b
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramte...E9DE008680705A


I copied and pasted the 2nd one and I got this message...

File has already been analysed:
MD5: 4c5ae139340b38b3b9b4724317817065
Date: 02.12.2008 20:56:06 (CET) [<1D]
Results: 12/32
Permalink: analisis/d63054e60a3b1d545018c8b81cd30092
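Added example, not part of the thread: a parser for the VirusTotal text pasted above that rebuilds the per-engine table, cross-checks the parsed count against the "12/32" header, and groups the detection labels into coarse families. The report lines are copied from the post; the two family buckets (rootkit, rogue security tool) are my own grouping of the names the engines used, and everything unmatched lands in "other". One thing worth reading off the two results as posted: the dllcache copy came back "already analysed" with the same MD5 as the live driver, so the backup Windows File Protection would restore from is the same bad file.

```python
import re
from collections import Counter

# Constructed excerpt: the per-engine table and file details copied from
# the VirusTotal result pasted in the post above (beep.sys, 2008-02-12).
VT_REPORT = """
Result: 12/32 (37.5%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.13.10 2008.02.12 -
AntiVir 7.6.0.65 2008.02.12 -
Authentium 4.93.8 2008.02.11 -
Avast 4.7.1098.0 2008.02.12 Win32:Agent-QNI
AVG 7.5.0.516 2008.02.12 BackDoor.Ntrootkit.X
BitDefender 7.2 2008.02.12 Generic.Malware.P!.C9205724
CAT-QuickHeal None 2008.02.12 FraudTool.UltimateDefender.af (Not a Virus)
ClamAV 0.92 2008.02.12 -
DrWeb 4.44.0.09170 2008.02.12 -
eSafe 7.0.15.0 2008.02.11 -
eTrust-Vet 31.3.5530 2008.02.12 Win32/Eldycow!generic
Ewido 4.0 2008.02.12 -
FileAdvisor 1 2008.02.12 -
Fortinet 3.14.0.0 2008.02.12 -
F-Prot 4.4.2.54 2008.02.11 -
F-Secure 6.70.13260.0 2008.02.12 W32/Agent.EFKL
Ikarus T3.1.1.20 2008.02.12 not-a-virus:.FraudTool.Win32.UltimateDefender.af
Kaspersky 7.0.0.125 2008.02.12 not-a-virus:FraudTool.Win32.UltimateDefender.af
McAfee 5228 2008.02.12 -
Microsoft 1.3204 2008.02.12 -
NOD32v2 2869 2008.02.12 -
Norman 5.80.02 2008.02.12 W32/Agent.EFKL
Panda 9.0.0.4 2008.02.12 -
Prevx1 V2 2008.02.12 Heuristic: Suspicious File With Anti-Security Technology
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.12 -
Sunbelt 2.2.907.0 2008.02.12 -
Symantec 10 2008.02.12 Hacktool.Rootkit
TheHacker 6.2.9.218 2008.02.12 -
VBA32 3.12.6.0 2008.02.11 -
VirusBuster 4.3.26:9 2008.02.12 -
Webwasher-Gateway 6.6.2 2008.02.12 Win32.Malware.gen!80 (suspicious)
File size: 29184 bytes
MD5: 4c5ae139340b38b3b9b4724317817065
SHA1: fb3cb2266113aa7dc6088ccd622536b2d289088b
"""

# One table row: engine, engine version, signature date (YYYY.MM.DD), verdict ("-" = clean).
ROW_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$")
HEADER_RE = re.compile(r"^Result:\s*(\d+)/(\d+)")
META_RE = re.compile(r"^(File size|MD5|SHA1):\s*(\S+)")

# Assumed buckets: substrings of the labels above that point at a family.
FAMILY_HINTS = (
    ("rootkit", ("rootkit",)),
    ("rogue_security_tool", ("fraudtool", "ultimatedefender")),
)


def parse_vt_report(text):
    """Return ([(engine, label or None)], {meta}, (hits, engines) claimed by the header)."""
    rows, meta, claimed = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            result = m.group("result")
            rows.append((m.group("engine"), None if result == "-" else result))
            continue
        m = HEADER_RE.match(line)
        if m:
            claimed = (int(m.group(1)), int(m.group(2)))
            continue
        m = META_RE.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
    return rows, meta, claimed


def summarize(text):
    rows, meta, claimed = parse_vt_report(text)
    hits = [(engine, label) for engine, label in rows if label]
    families = Counter()
    for _, label in hits:
        low = label.lower()
        for family, needles in FAMILY_HINTS:
            if any(n in low for n in needles):
                families[family] += 1
                break
        else:
            families["other"] += 1
    return {
        "engines": len(rows),
        "hits": len(hits),
        "ratio_matches_header": claimed == (len(hits), len(rows)),
        "families": dict(families),
        "flagged_by": [engine for engine, _ in hits],
        "md5": meta.get("MD5"),
        "size": int(meta["File size"]) if "File size" in meta else None,
    }


if __name__ == "__main__":
    print(summarize(VT_REPORT))
```

For this report the summary is 12 hits out of 32 engines (matching the header), two engines calling it a rootkit, three calling it a rogue security tool, and seven with generic or heuristic names; the mixed naming is normal for a freshly seen sample and is why the helper in the next post moves the file rather than waiting for a consensus label.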
Old 02-12-2008, 01:13 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

OTMoveIt2 -

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Quote:
    C:\WINDOWS\system32\drivers\beep.sys
    C:\WINDOWS\system32\dllcache\beep.sys
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

==========================================

Now see if ComboFix will run.
Old 02-12-2008, 01:19 PM   #12 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

C:\WINDOWS\system32\drivers\beep.sys moved successfully.
C:\WINDOWS\system32\dllcache\beep.sys moved successfully.

OTMoveIt2 v1.0.19 log created on 02122008_121847

OK, unfortunately I am DJing via an internet stream, so I can't run the program until after 2 PST... Unfortunately my DJ program doesn't run on Vista (my laptop), go figure... As soon as I am done I will repost.
Old 02-12-2008, 01:24 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

With your machine infected, you should not be doing anything on the internet with it except for those things which help clean it. Doing normal things while connected to the internet and infected only prolongs the infection, and exposes the machine to more possible infection.
Old 02-12-2008, 02:04 PM   #14 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

OK... was able to find a workaround and am using my laptop as a temp DJ... anyway, the process is now running.
Old 02-12-2008, 02:30 PM   #15 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Here is the ComboFix file:

ComboFix 08-02-13.1 - HP_Administrator 2008-02-12 13:04:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2929 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Administrator\Application Data\inst.exe
C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\suspend.exe
C:\WINDOWS\system32\users32.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 12:18 . 2008-02-12 12:18 <DIR> d-------- C:\_OTMoveIt
2008-02-08 11:40 . 2008-02-10 12:14 16,384 --a------ C:\WINDOWS\system32\nod32se.exe
2008-02-08 11:40 . 2008-02-08 11:40 80 --a------ C:\WINDOWS\system32\suspend.bin
2008-02-06 23:13 . 2008-02-06 23:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 23:07 . 2008-02-06 23:07 <DIR> d-------- C:\Deckard
2008-02-06 15:39 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 15:37 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\jrrbvwsdrlib.sys
2008-02-06 12:56 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\kjeiidvlpowc.sys
2008-02-06 11:17 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\uqhngeneygsc.sys
2008-02-06 10:04 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\jxuvoxfskpmf.sys
2008-02-06 09:01 . 2008-02-06 09:01 <DIR> d-------- C:\ie-spyad_zo
2008-02-06 09:00 . 2008-02-06 19:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 09:00 . 2008-02-06 18:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 09:00 . 2008-02-06 18:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 09:00 . 2008-02-06 18:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 08:41 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-06 08:41 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-06 08:41 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-06 08:41 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-06 08:41 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-06 08:41 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-06 08:41 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-05 17:55 . 2008-02-12 10:46 11,264 --a------ C:\WINDOWS\braviax.exe
2008-02-05 17:55 . 2008-02-12 10:46 6,144 --a------ C:\WINDOWS\system32\cru629.dat
2008-02-05 17:55 . 2008-02-12 10:46 6,144 --a------ C:\WINDOWS\cru629.dat
2008-02-05 17:49 . 2008-02-12 10:46 11,264 --a------ C:\WINDOWS\system32\braviax.exe
2008-02-04 20:38 . 2008-02-04 20:39 <DIR> d-------- C:\Program Files\NoteBurner
2008-02-04 20:38 . 2007-05-16 11:42 13,440 --a------ C:\WINDOWS\system32\drivers\ntcdrdrv.sys
2008-01-30 15:48 . 2008-02-06 18:58 <DIR> d-------- C:\Program Files\iTunes
2008-01-30 15:48 . 2008-01-30 15:48 <DIR> d-------- C:\Program Files\iPod
2008-01-26 14:00 . 2008-02-13 13:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-26 14:00 . 2008-01-26 14:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-25 19:27 . 2008-01-25 19:28 <DIR> d-------- C:\GLIntercept0_5
2008-01-25 16:58 . 2008-01-25 18:31 <DIR> d-------- C:\Program Files\VirtualDJ
2008-01-24 15:11 . 2008-02-06 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-24 15:07 . 2008-01-24 15:07 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 21:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-02-12 17:50 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-11 22:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-02-07 21:40 --------- d-----w C:\Program Files\SecondLife
2008-02-07 03:01 --------- d-----w C:\Program Files\Bonjour
2008-02-07 02:58 --------- d-----w C:\Program Files\Windows Defender
2008-02-07 02:57 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-02-07 02:57 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-07 02:56 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-02-06 19:18 --------- d-----w C:\Program Files\MediaMonkey
2008-02-06 18:06 83,064 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-06 18:06 23,800 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-06 18:06 139,008 ----a-w C:\WINDOWS\system32\guard32.dll
2008-02-06 18:05 --------- d-----w C:\Program Files\PhotoDeluxe 2.0
2008-02-06 05:23 --------- d-----w C:\Program Files\NoAdware4
2008-02-06 05:15 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-05 07:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 19:26 --------- d-----w C:\Program Files\GLIntercept0_5
2008-01-29 23:11 --------- d-----w C:\Program Files\Mahjong Towers Eternity
2008-01-28 03:17 --------- d-----w C:\Program Files\Google
2008-01-24 23:16 --------- d-----w C:\Program Files\Microsoft Works
2008-01-23 23:13 --------- d-----w C:\Program Files\QuickTime
2008-01-19 07:18 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\SecondLife
2008-01-19 00:53 --------- d-----w C:\Program Files\Zam BeeZee
2008-01-18 19:42 --------- d-----w C:\Program Files\support.com
2008-01-11 00:10 --------- d-----w C:\Program Files\ISS
2008-01-10 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-09 19:56 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-09 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-09 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-05 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\kds_kodak
2008-01-04 21:27 --------- d-----w C:\Program Files\Windows Live
2008-01-04 21:26 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-04 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-04 08:39 --------- d-----w C:\Program Files\Comcast Play Games
2008-01-04 08:38 --------- d-----w C:\Program Files\HP Games
2008-01-03 05:56 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Home Sweet Home
2008-01-02 22:20 --------- d-----w C:\Program Files\Kodak
2008-01-02 05:23 --------- d-----w C:\Program Files\GamesBar
2008-01-02 05:22 --------- d-----w C:\Program Files\Common Files\Oberon Media
2007-12-13 19:07 12,800 ----a-w C:\WINDOWS\system32\EKDeviceServices.dll
2007-12-13 00:38 --------- d-----w C:\Program Files\USB Headset
2007-12-11 23:47 47,360 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
2007-12-11 20:22 0 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\CopyToGo.dat
2007-12-07 09:54 264 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-12-06 07:16 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-05 06:22 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-13 18:00 335,872 ----a-w C:\WINDOWS\system32\EKIJ5000MON.dll
2007-10-27 01:14 57,840 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-07-14 06:27 326 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\bbbconfig.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724D43A0-0D85-11D4-9908-00400523E39A}
{A057A204-BACC-4D26-CEC4-75A487FD6484}

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= C:\PROGRA~1\mypoints\mypoints.dll [2007-10-29 11:20 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 20:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-08-14 15:52 1877272]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 15:39 1260296]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-20 15:30 4670704]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-08-14 16:53 9495832]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-08 09:56 160592]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"Tunebite"="C:\Program Files\RapidSolution\Tunebite\Tunebite.exe" [ ]
"braviax"="C:\WINDOWS\system32\braviax.exe" [2008-02-12 10:46 11264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 20:24 1169744]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 20:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 20:29 149024]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 18:49 338432]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2007-09-03 15:13 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-17 19:18 180269]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2008-02-06 10:03 5046016]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-09 20:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 10:00 1052672]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 13:22 3739648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"braviax"="braviax.exe" [2008-02-12 10:46 11264 C:\WINDOWS\system32\braviax.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 16:04 5562368]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
VonageRestart.exe [2006-08-17 02:58:46 3889140]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
GMail.lnk - C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 13:48:33 479232]
RoboForm.lnk - C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe [2006-10-23 19:37:31 160592]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-07-17 19:36:25 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 2007-09-03 15:13 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 11:42]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-06 10:06]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-06 10:06]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 00:05]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-12-13 11:07]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 13:35]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 00:05]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 19:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 03:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 02:28]
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys [2005-06-06 01:21]
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 16:30]
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys [2007-02-02 00:57]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2005-08-17 19:44]
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2007-08-01 06:27]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 18:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 18:26]
S4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8105b1-9f58-11db-b4f9-001731c599ce}]
\Shell\AutoRun\command - L:\.\MigWiz\migsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12fc0e10-6153-11db-b4d7-001731c599ce}]
\Shell\AutoRun\command - J:\PortableRoboForm.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ad2ef24-c9e4-11db-b512-001731c599ce}]
\Shell\AutoRun\command - K:\setupSNK.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:02:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-13 21:13:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-08 19:49:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-01 20:20:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-02 22:15:01 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-11-05 23:02:26 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 13:14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brss01a.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-02-13 13:19:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 21:19:29
.
2008-02-13 21:16:53 --- E O F ---


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:18 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: VonageRestart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GMail.lnk = C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - Global Startup: RoboForm.lnk = C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Cu...ataManager.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshe...onGameHost.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 14276 bytes


And on a side note, I called the company from which I got the bugger, and they just found out yesterday that their website had been hacked.
Old 02-12-2008, 02:41 PM   #16
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Disconnect from the internet once again.

Disable your protection applications.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/219284-your-computer-infected-pop-up-trojan-downloader-win32-adload-ma.html

Killall:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-

Collect::
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\suspend.bin
C:\WINDOWS\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe

Folder::
C:\_OTMoveIt
Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure your protection is re-enabled, you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
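The removal script above deletes the braviax value from both the HKCU and HKLM Run keys. As an added example, not a tool from this thread, the Python below applies that reasoning to HijackThis O4 lines: it flags a Run value that runs from the Windows directory under a name that is not a known Windows autostart, or that is registered under both HKLM and a user hive (braviax shows both signs), and drafts the Registry:: block that would remove the flagged values. The sample O4 lines and the allowlist of Windows autostarts are constructed for this example.

```python
"""Flag suspicious HijackThis O4 autostart entries and draft the matching
ComboFix Registry:: block. Added example; not a tool from this thread."""
import re
from collections import defaultdict

# Constructed sample in HijackThis O4 format, modelled on the log above (subset).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Shortest prefix ending in .exe: copes with quoted paths, unquoted paths
# containing spaces, and bare file names such as "braviax.exe".
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)

# Constructed allowlist of Windows-shipped binaries that legitimately start from the
# Windows directory or by bare name (all present in the log above). Not exhaustive.
KNOWN_WINDOWS_AUTOSTARTS = {"ctfmon.exe", "rthdcpl.exe", "nwiz.exe", "rundll32.exe"}

HIVE_ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_o4(text):
    """Return (hive, value_name, exe) tuples for every O4 Run entry in text."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        entries.append((m["hive"], m["name"], exe["exe"] if exe else m["cmd"]))
    return entries


def suspicious_entries(entries):
    """Map value name -> sorted reasons for entries that deserve a closer look."""
    hive_kinds = defaultdict(set)
    for hive, name, _ in entries:
        hive_kinds[name.lower()].add("machine" if hive == "HKLM" else "user")
    findings = defaultdict(set)
    for hive, name, exe in entries:
        base = exe.rsplit("\\", 1)[-1].lower()
        # A bare name is resolved through the search path, which includes the
        # Windows directories, so treat it like an explicit Windows path.
        in_windows_dir = "\\" not in exe or exe.lower().startswith("c:\\windows\\")
        if in_windows_dir and base not in KNOWN_WINDOWS_AUTOSTARTS:
            findings[name].add("runs from the Windows directory but is not a known Windows autostart")
        if hive_kinds[name.lower()] == {"machine", "user"}:
            findings[name].add("same value name registered under both HKLM and a user hive")
    return {name: sorted(reasons) for name, reasons in findings.items()}


def cfscript_registry_block(entries, names):
    """Draft the Registry:: section that deletes the named Run values, using the
    "name"=- syntax from the helper's CFScript above. Output is for a reviewer to check."""
    lines = ["Registry::"]
    for hive, name, _ in entries:
        if name not in names:
            continue
        root = HIVE_ROOTS.get(hive) or "HKEY_USERS\\" + hive.partition("\\")[2]
        lines.append(f"[{root}\\{RUN_SUBKEY}]")
        lines.append(f'"{name}"=-')
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_o4(SAMPLE_O4_LINES)
    flagged = suspicious_entries(found)
    for value_name, reasons in flagged.items():
        print(f"{value_name}: " + "; ".join(reasons))
    print(cfscript_registry_block(found, set(flagged)))
```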
Old 02-12-2008, 03:10 PM   #17
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

OK, file submitted, and here is the log:

ComboFix 08-02-13.1 - HP_Administrator 2008-02-13 13:51:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2850 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
C:\_OTMoveIt\MovedFiles\02122008_121847.log
C:\_OTMoveIt\MovedFiles\02122008_121847.res
C:\_OTMoveIt\MovedFiles\02122008_121847\WINDOWS\system32\dllcache\beep.sys
C:\_OTMoveIt\MovedFiles\02122008_121847\WINDOWS\system32\drivers\beep.sys
C:\_OTMoveIt\MovedFiles\02122008_125313.log
C:\_OTMoveIt\MovedFiles\02122008_125313.res
C:\_OTMoveIt\MovedFiles\02122008_125313\WINDOWS\system32\dllcache\beep.sys
C:\_OTMoveIt\MovedFiles\02122008_125313\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\braviax.exe
C:\WINDOWS\cru629.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\suspend.bin
C:\WINDOWS\system32\users32.dat

.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-06 23:13 . 2008-02-06 23:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-06 23:07 . 2008-02-06 23:07 <DIR> d-------- C:\Deckard
2008-02-06 15:39 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 15:37 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\jrrbvwsdrlib.sys
2008-02-06 12:56 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\kjeiidvlpowc.sys
2008-02-06 11:17 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\uqhngeneygsc.sys
2008-02-06 10:04 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\jxuvoxfskpmf.sys
2008-02-06 09:01 . 2008-02-06 09:01 <DIR> d-------- C:\ie-spyad_zo
2008-02-06 09:00 . 2008-02-06 19:22 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 09:00 . 2008-02-06 18:52 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 09:00 . 2008-02-06 18:52 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 09:00 . 2008-02-06 18:52 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 08:41 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-06 08:41 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-06 08:41 . 2008-02-06 00:03 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-06 08:41 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-06 08:41 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-06 08:41 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-06 08:41 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-04 20:38 . 2008-02-04 20:39 <DIR> d-------- C:\Program Files\NoteBurner
2008-02-04 20:38 . 2007-05-16 11:42 13,440 --a------ C:\WINDOWS\system32\drivers\ntcdrdrv.sys
2008-01-30 15:48 . 2008-02-06 18:58 <DIR> d-------- C:\Program Files\iTunes
2008-01-30 15:48 . 2008-01-30 15:48 <DIR> d-------- C:\Program Files\iPod
2008-01-26 14:00 . 2008-02-13 13:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-26 14:00 . 2008-01-26 14:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-25 19:27 . 2008-01-25 19:28 <DIR> d-------- C:\GLIntercept0_5
2008-01-25 16:58 . 2008-01-25 18:31 <DIR> d-------- C:\Program Files\VirtualDJ
2008-01-24 15:11 . 2008-02-06 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-24 15:07 . 2008-01-24 15:07 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 21:58 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Skype
2008-02-12 17:50 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-11 22:39 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-02-07 21:40 --------- d-----w C:\Program Files\SecondLife
2008-02-07 03:01 --------- d-----w C:\Program Files\Bonjour
2008-02-07 02:58 --------- d-----w C:\Program Files\Windows Defender
2008-02-07 02:57 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-02-07 02:57 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-07 02:56 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-02-06 19:18 --------- d-----w C:\Program Files\MediaMonkey
2008-02-06 18:06 83,064 ----a-w C:\WINDOWS\system32\drivers\cmdGuard.sys
2008-02-06 18:06 23,800 ----a-w C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-02-06 18:06 139,008 ----a-w C:\WINDOWS\system32\guard32.dll
2008-02-06 18:05 --------- d-----w C:\Program Files\PhotoDeluxe 2.0
2008-02-06 05:23 --------- d-----w C:\Program Files\NoAdware4
2008-02-06 05:15 --------- d-----w C:\Program Files\Norton Security Scan
2008-02-05 07:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 19:26 --------- d-----w C:\Program Files\GLIntercept0_5
2008-01-29 23:11 --------- d-----w C:\Program Files\Mahjong Towers Eternity
2008-01-28 03:17 --------- d-----w C:\Program Files\Google
2008-01-24 23:16 --------- d-----w C:\Program Files\Microsoft Works
2008-01-23 23:13 --------- d-----w C:\Program Files\QuickTime
2008-01-19 07:18 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\SecondLife
2008-01-19 00:53 --------- d-----w C:\Program Files\Zam BeeZee
2008-01-18 19:42 --------- d-----w C:\Program Files\support.com
2008-01-11 00:10 --------- d-----w C:\Program Files\ISS
2008-01-10 01:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-09 19:56 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-09 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-09 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-01-05 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\kds_kodak
2008-01-04 21:27 --------- d-----w C:\Program Files\Windows Live
2008-01-04 21:26 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-04 21:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-04 08:39 --------- d-----w C:\Program Files\Comcast Play Games
2008-01-04 08:38 --------- d-----w C:\Program Files\HP Games
2008-01-03 05:56 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Home Sweet Home
2008-01-02 22:20 --------- d-----w C:\Program Files\Kodak
2008-01-02 05:23 --------- d-----w C:\Program Files\GamesBar
2008-01-02 05:22 --------- d-----w C:\Program Files\Common Files\Oberon Media
2007-12-13 19:07 12,800 ----a-w C:\WINDOWS\system32\EKDeviceServices.dll
2007-12-13 00:38 --------- d-----w C:\Program Files\USB Headset
2007-12-11 23:47 47,360 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\pcouffin.sys
2007-12-11 20:22 0 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\CopyToGo.dat
2007-12-07 09:54 264 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-12-06 07:16 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-05 06:22 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-11-13 18:00 335,872 ----a-w C:\WINDOWS\system32\EKIJ5000MON.dll
2007-10-27 01:14 57,840 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-07-14 06:27 326 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\bbbconfig.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724D43A0-0D85-11D4-9908-00400523E39A}
{A057A204-BACC-4D26-CEC4-75A487FD6484}

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= C:\PROGRA~1\mypoints\mypoints.dll [2007-10-29 11:20 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-17 02:45 23120680]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 20:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-08-14 15:52 1877272]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 15:39 1260296]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-20 15:30 4670704]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-08-14 16:53 9495832]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-12-08 09:56 160592]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"Tunebite"="C:\Program Files\RapidSolution\Tunebite\Tunebite.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 20:24 1169744]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 20:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 20:29 149024]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 18:49 338432]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2007-09-03 15:13 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-17 19:18 180269]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\cfp.exe" [2008-02-06 10:03 5046016]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-09 20:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"EKIJ5000StatusMonitor"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2007-11-13 10:00 1052672]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 13:22 3739648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 16:04 5562368]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
VonageRestart.exe [2006-08-17 02:58:46 3889140]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
GMail.lnk - C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 13:48:33 479232]
RoboForm.lnk - C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe [2006-10-23 19:37:31 160592]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-07-17 19:36:25 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 2007-09-03 15:13 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [2007-05-16 11:42]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-02-06 10:06]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-02-06 10:06]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 00:05]
R2 KodakSvc;Kodak AiO Device Service;"C:\Program Files\Kodak\printer\center\KodakSvc.exe" [2007-12-13 11:07]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-06 18:58]
R3 CXFALCON;Conexant Falcon II NTSC Video Capture;C:\WINDOWS\system32\drivers\cxfalcon.sys [2006-04-20 13:35]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 00:05]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 19:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 03:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 02:28]
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudau.sys [2005-06-06 01:21]
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys [2002-04-02 16:30]
S3 mamotou;mamotou;C:\WINDOWS\system32\DRIVERS\mamotou.sys [2007-02-02 00:57]
S3 MaRdPnp;MaRdPnp;C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys [2005-08-17 19:44]
S3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2007-08-01 06:27]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 18:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 18:26]
S4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b8105b1-9f58-11db-b4f9-001731c599ce}]
\Shell\AutoRun\command - L:\.\MigWiz\migsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12fc0e10-6153-11db-b4d7-001731c599ce}]
\Shell\AutoRun\command - J:\PortableRoboForm.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ad2ef24-c9e4-11db-b512-001731c599ce}]
\Shell\AutoRun\command - K:\setupSNK.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:02:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-13 22:00:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-08 19:49:01 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-07-01 20:20:34 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-02 22:15:01 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-11-05 23:02:26 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 14:01:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brss01a.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
.
**************************************************************************
.
Completion time: 2008-02-13 14:05:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 22:05:40
ComboFix2.txt 2008-02-13 21:19:33
.
2008-02-13 21:16:53 --- E O F ---
Old 02-12-2008, 03:32 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Great. Now a question.

I see you're using Comodo AntiVirus, but I also see parts of Norton still installed. This might cause some conflict for the machine.

If you've intended to remove Norton completely, you may want to run this tool also:

Please use the instructions on this page to completely uninstall your Norton Products.

Next....

Please run this online scan to help look for remnants.

First, go to Start > Control Panel > Add/Remove Programs and remove Kaspersky Online Scanner if present, prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
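To make sense of the report this scan produces (the "Infected Object Name / Virus Name / Last Action" list posted further down the thread), here is an added Python example, not from the forum, the helper or Kaspersky, that parses those lines and separates hits already sitting in removal-tool quarantine folders or System Restore points from detections in live locations. The quarantine prefixes, the SmitfraudFix component rule and the sample lines are constructed from the kinds of paths seen in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the Kaspersky Online Scanner report format in this
# thread (a handful of representative lines, not the real report).
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\us0105.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\cav.lock Object is locked skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61 ZIP: infected - 2 skipped
C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SL6PZZKW\in[1].htm Infected: Trojan-Downloader.JS.Psyme.wi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\users32.dat.vir Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP827\A0189878.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
"""

# Folders where removal tools park what they have already neutralised, plus System
# Restore snapshots: hits here are history, not an active infection (assumed list).
QUARANTINE_PREFIXES = (
    r"c:\deckard\system scanner\backup",        # Deckard's System Scanner backups
    r"c:\qoobox\quarantine",                    # ComboFix quarantine
    r"c:\system volume information\_restore",   # System Restore points
)
# Removal tools whose bundled helpers trip generic "RiskTool" signatures (assumed list).
TOOL_COMPONENTS = ("smitfraudfix.exe",)

# One report line: "<path> Infected: <name> skipped", "<path> Object is locked skipped",
# or a container roll-up such as "<path> ZIP: infected - 2 skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<container>\w+): infected - \d+) skipped$"
)


@dataclass
class Finding:
    path: str
    detection: Optional[str]   # None for locked objects and container roll-ups
    kind: str                  # "detection", "locked" or "container"


def parse_report(text: str) -> List[Finding]:
    """Turn the report body into Finding records, ignoring header and blank lines."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["name"]:
            findings.append(Finding(m["path"], m["name"], "detection"))
        elif m["container"]:
            findings.append(Finding(m["path"], None, "container"))
        else:
            findings.append(Finding(m["path"], None, "locked"))
    return findings


def classify(f: Finding) -> str:
    """Bucket a finding so only the 'live' ones need a closer look."""
    p = f.path.lower()
    if f.kind == "locked":
        return "locked"           # in-use file the scanner could not open; not a detection
    if f.kind == "container":
        return "container"        # roll-up of archive members already listed individually
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantined"      # already removed from its original location
    if any(t in p for t in TOOL_COMPONENTS) and f.detection.startswith("not-a-virus:RiskTool"):
        return "tool_component"   # a removal tool's own helper, flagged by a generic signature
    return "live"


def triage(text: str) -> Dict[str, object]:
    """Count findings per bucket and list the live (path, detection) pairs."""
    findings = parse_report(text)
    buckets = Counter(classify(f) for f in findings)
    live = [(f.path, f.detection) for f in findings if classify(f) == "live"]
    return {"buckets": dict(buckets), "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, n in sorted(result["buckets"].items()):
        print(f"{bucket:15s} {n}")
    print("\nLive detections to investigate:")
    for path, name in result["live"]:
        print(f"  {name}\n    {path}")
```

On the sample the only live hits are the Java deployment cache classes and the cached Psyme HTML pages; everything else is already quarantined, a restore-point copy, a locked system file or a removal tool's own component.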
Old 02-13-2008, 08:38 PM   #19 (permalink)
Registered User
 
Join Date: Feb 2008
Posts: 14
OS: WinXP Media Service Pack 2


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Thursday, February 14, 2008 7:31:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/02/2008
Kaspersky Anti-Virus database records: 563949


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics
Total number of scanned objects 273230
Number of viruses found 9
Number of infected objects 51
Number of suspicious objects 0
Duration of the scan process 04:01:50

Infected Object Name Virus Name Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\jar_cache26178.tmp Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped

C:\Deckard\System Scanner\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\us0105.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped

C:\Deckard\System Scanner\backup\WINDOWS\temp\ASHeuristic\jar_cache26178_tmp.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped

C:\Deckard\System Scanner\backup\WINDOWS\temp\ASHeuristic\us0105_exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.am skipped

C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\cav.lock Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\cavasm.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\monln.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12062006-093402.log Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_3826114685_1048576_124136 Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped

C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{1362F479-EB83-421F-AE4D-FACB72FC151B}.TmpSBE Object is locked skipped

C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp Object is locked skipped

C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped

C:\Documents and Settings\HP_Administrator\Application Data\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61/MagicApplet.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61/Installer.class Infected: Trojan-Downloader.Java.Agent.a skipped

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61 ZIP: infected - 2 skipped

C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\Perflib_Perfdata_700.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFC0C8.tmp Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFC0F4.tmp Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SL6PZZKW\in[1].htm Infected: Trojan-Downloader.JS.Psyme.wi skipped

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SL6PZZKW\in[2].htm Infected: Trojan-Downloader.JS.Psyme.wi skipped

C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Eastman Kodak Company\KodakSvc\2.0.708.0\System.ServiceProcess, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.html Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Firebird\Firebird_1_5\ANG_DESKTOP.lck Object is locked skipped

C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.aeh skipped

C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe NSIS: infected - 1 skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.idx Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.idx Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\D0000000.FCS Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\inuse.txt Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\L0000001.FCS Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\main.log Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.idx Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.idx Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.idx Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.idx Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.idx Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.dat Object is locked skipped

C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.idx Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\users32.dat.vir Infected: not-a-virus:AdWare.Win32.Agent.zo skipped

C:\QooBox\Quarantine\C\_OTMoveIt\MovedFiles\02122008_121847\WINDOWS\system32\dllcache\beep.sys.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped

C:\QooBox\Quarantine\C\_OTMoveIt\MovedFiles\02122008_121847\WINDOWS\system32\drivers\beep.sys.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP827\A0189878.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP827\A0189879.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP827\A0190113.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP827\A0190114.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP827\A0190265.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP827\A0190266.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP828\A0191265.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP828\A0191266.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP829\A0191380.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP829\A0191381.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP830\A0191707.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP830\A0191708.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP839\A0193478.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP839\A0193479.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP840\A0194478.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP840\A0194479.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP840\A0194636.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP840\A0194637.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP841\A0194941.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP841\A0194942.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped

C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP844\A0195742.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196203.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196204.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196246.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196247.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196286.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196287.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196475.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196476.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196665.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP847\A0196666.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP850\A0197471.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP850\A0197472.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.af skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP850\A0197476.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP852\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{963CF65E-F91E-4C7A-BD4A-2868D6BCA673}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:12 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\cfp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: MYPOINTS - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Tunebite] C:\Program Files\RapidSolution\Tunebite\Tunebite.exe -tray
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: VonageRestart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GMail.lnk = C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - Global Startup: RoboForm.lnk = C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Cu...ataManager.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshe...onGameHost.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 12896 bytes
angelah2 is offline  
Old 02-13-2008, 08:55 PM   #20 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: "Your computer is infected!" pop-up (trojan-downloader.win32.adload.ma

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:
Code:
@echo off
REM Start with a clean log; anything that survives deletion is recorded there.
if exist "%temp%\log.txt" del "%temp%\log.txt"

REM Files to remove. The paths are quoted because they contain spaces.
for %%g in (

"C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61"
"C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SL6PZZKW\in[1].htm"
"C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SL6PZZKW\in[2].htm"
"C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe"

) do (
REM /a selects the file whatever its attributes, /f forces deletion of read-only files; errors are discarded.
del /a/f %%g >nul 2>&1
REM If the file is still there (for example because a running process holds it open), note its path.
if exist %%g echo.%%g>>"%temp%\log.txt"
)

REM Folders to remove recursively, same survivor check.
for %%g in (

%systemdrive%\Deckard

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
REM Show the log if anything survived, otherwise report success.
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
REM The batch file removes itself once it has run.
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says. If it says "Deleted Successfully!! Press Any Key to Continue", please do press any key, and follow these next instructions.

==========================================

I need you to download this file,

http://andymanchesta.com/Files/XP/beep.sys

and place a copy of it in both of these folder locations:

C:\WINDOWS\system32\drivers
C:\WINDOWS\system32\dllcache


You can do that a couple of different ways. In the download manager, browse to the first of the above folders and choose save, then download again, but browse to the next folder.

Let me know how that goes.

==========================================

Next...


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the drop-down menu next to Platform select Windows
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Let me know how the machine is behaving.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
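Added example, not part of tetonbob's instructions or the fix.bat above: the same delete-and-log step written in PowerShell, with the file list taken from the batch file and a log name of $env:TEMP\fixlog.txt chosen here. The point it adds is that two of those paths contain square brackets, which PowerShell's -Path parameter treats as a wildcard character class; -LiteralPath is required or those files are silently left behind.

```powershell
# Added example (not from the thread): delete the listed items and keep a record
# of anything that survives, the way fix.bat does. File list is the one from the
# batch file; $logFile is a name chosen for this example.
$targets = @(
    "C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\14\74b4254e-1ad1cb61",
    "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SL6PZZKW\in[1].htm",
    "C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\SL6PZZKW\in[2].htm",
    "C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\ppal3ppc.exe"
)
$folders = @("$env:SystemDrive\Deckard")
$logFile = Join-Path $env:TEMP 'fixlog.txt'

function Remove-Listed {
    param([string[]]$Paths, [switch]$Recurse)
    $survivors = @()
    foreach ($p in $Paths) {
        # -LiteralPath is essential: "in[1].htm" contains [ ], which -Path would
        # read as a wildcard character class and then match nothing at all.
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try {
            Remove-Item -LiteralPath $p -Force -Recurse:$Recurse -ErrorAction Stop
        } catch {
            # Typical cause: the file is open or locked by a running process, the
            # same reason the scanner log above reports "Object is locked skipped".
            Write-Warning ("{0}: {1}" -f $p, $_.Exception.Message)
        }
        if (Test-Path -LiteralPath $p) { $survivors += $p }
    }
    return $survivors
}

# @( ) keeps each result an array even when nothing survived, so + always works.
$left = @(Remove-Listed -Paths $targets) + @(Remove-Listed -Paths $folders -Recurse)

if ($left.Count -gt 0) {
    # Same behaviour as the batch file: show the survivors so they can be posted back.
    $left | Set-Content -LiteralPath $logFile
    Start-Process notepad.exe $logFile
} else {
    Write-Host 'Deleted Successfully !!'
}
```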
Copyright 2001 - 2009, Tech Support Forum