Tech Support Forum, Security Center: Virus/Trojan/Spyware Help, Resolved HJT Threads (resolved spyware and popup issues)
03-19-2008, 12:47 PM   #1
Registered User; Join Date: Mar 2008; Posts: 10; OS: Windows XP

Virus messing up my computer

I can't get rid of a virus on my computer and I was wondering if you could help. A friend recommended this site and said to download HijackThis, save a log and post it here, so here it is...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:00 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [7430db06] rundll32.exe "C:\WINDOWS\system32\kgoasidw.dll",b
O4 - HKLM\..\Run: [BM7703e89a] Rundll32.exe "C:\WINDOWS\system32\vjkpeehu.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://fsuccas1.ferris.edu/auth/CCALogin.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.ferris.edu/sats/Students/...ll/webinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11821 bytes

P.S. Thanks a bunch in advance for whatever help I can get!
mercenaryfox
03-21-2008, 05:21 AM   #2
Analyst, Security Team; Join Date: Dec 2007; Location: Lincoln UK; Posts: 2,265; OS: Windows 7 Premium x64

Re: Virus messing up my computer

Hi mercenaryfox

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only; it should not be used on any other computer. Each fix is tailor-made for the specific task in hand. If for some reason you have System Restore disabled, then please re-enable it before proceeding; an infected restore point is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Thanks.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing further.

Please follow these directions in the order they are set out for you.

On with the fix.....

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe.
Select option #1 - Search by typing 1 and pressing Enter.
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or whichever partition your operating system is installed on. Please post that log along with all others requested in your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
__________________
Proud Member of ASAP & UNITE Since 2007
sjb007
03-22-2008, 06:03 PM   #3

Re: Virus messing up my computer

Thank you so much for helping me. I've been checking every day for this reply, and my friend helped me find this, so sorry for the delay in the reply.

Here is what you asked for. Thanks so much!!!

SmitFraudFix v2.307

Scan done at 20:00:46.42, Sat 03/22/2008
Run from C:\Documents and Settings\Day\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
mercenaryfox
03-23-2008, 03:36 AM   #4

Re: Virus messing up my computer

Hi there mercenaryfox

Not a problem for the delay.
One thing I do notice is that the log you posted is not complete; can you please post back with the full SmitfraudFix log, then we can look at resolving your issues.
sjb007
03-23-2008, 09:55 PM   #5

Re: Virus messing up my computer

OK, here is what you wanted. Sorry, I didn't notice that it scrolled down...

SmitFraudFix v2.307

Scan done at 23:51:13.34, Sun 03/23/2008
Run from C:\Documents and Settings\Day\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WordPerfect Office 12\Programs\wpwin12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Day


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Day\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Day\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 161.57.5.2
DNS Server Search Order: 161.57.5.6
DNS Server Search Order: 198.108.1.42

HKLM\SYSTEM\CCS\Services\Tcpip\..\{60039DAA-6CD5-4274-B088-19A29137B7D7}: DhcpNameServer=161.57.5.2 161.57.5.6 198.108.1.42
HKLM\SYSTEM\CS1\Services\Tcpip\..\{60039DAA-6CD5-4274-B088-19A29137B7D7}: DhcpNameServer=161.57.5.2 161.57.5.6 198.108.1.42
HKLM\SYSTEM\CS3\Services\Tcpip\..\{60039DAA-6CD5-4274-B088-19A29137B7D7}: DhcpNameServer=161.57.5.2 161.57.5.6 198.108.1.42
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=161.57.5.2 161.57.5.6 198.108.1.42
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=161.57.5.2 161.57.5.6 198.108.1.42
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=161.57.5.2 161.57.5.6 198.108.1.42


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
mercenaryfox
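The three sections of that report that carry the most signal are hosts, AppInit_DLLs and Winlogon. As an added example (not part of the thread or of SmitfraudFix), this parses the »»»» section layout of a rapport.txt and evaluates each: hosts entries that sink a name to loopback or send it to a foreign address, a non-empty AppInit_DLLs value, and a Userinit that differs from the stock value. The sample report is constructed: the two hosts entries are copied from the report above, while the 10.0.0.5 redirect and hookdll.dll are invented to exercise the checks; the expected Userinit path assumes Windows is installed in C:\WINDOWS.

```python
import re

# Constructed sample in the layout of a SmitfraudFix rapport.txt. The two
# legal-at-spybot.info lines are from the report above; the 10.0.0.5 redirect,
# the AppInit_DLLs value and hookdll.dll are invented for the example.
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
10.0.0.5 www.example-bank.test

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\hookdll.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION_RE = re.compile(r'^»+\s*(.+?)\s*$')
HOSTS_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)')
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
LOOPBACK = {'127.0.0.1', '0.0.0.0'}
# Stock XP value; assumes Windows lives in C:\WINDOWS (adjust for the machine).
EXPECTED_USERINIT = r'C:\WINDOWS\system32\userinit.exe,'


def split_sections(report):
    """Map each '»»»» Name' header to the lines that follow it."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def reg_unescape(value):
    """.reg-style export doubles backslashes; undo that before comparing paths."""
    return value.replace('\\\\', '\\')


def audit_smitfraudfix(report, expected_userinit=EXPECTED_USERINIT):
    """Return (kind, observed, detail) tuples, one per suspicious item."""
    s = split_sections(report)
    findings = []
    for line in s.get('hosts', []):
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, host = m.groups()
        if host.lower() == 'localhost':
            continue
        # Loopback sinks block a site (typically security vendors); anything
        # else is a silent redirect of that name to an attacker-chosen host.
        kind = 'hosts-block' if ip in LOOPBACK else 'hosts-redirect'
        findings.append((kind, host, ip))
    for line in s.get('AppInit_DLLs', []):
        m = REG_VALUE_RE.match(line)
        if m and m.group(1) == 'AppInit_DLLs' and m.group(2):
            findings.append(('appinit', reg_unescape(m.group(2)),
                             'loaded into every process that links user32.dll'))
    for line in s.get('Winlogon', []):
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), reg_unescape(m.group(2))
        if name == 'Userinit' and value.lower() != expected_userinit.lower():
            findings.append(('winlogon-userinit', value, f'expected {expected_userinit}'))
        elif name == 'System' and value:
            findings.append(('winlogon-system', value, 'empty on a stock install'))
    return findings


if __name__ == '__main__':
    for kind, observed, detail in audit_smitfraudfix(SAMPLE_REPORT):
        print(f'{kind:18} {observed}  [{detail}]')
```

The Userinit comparison is case-insensitive but otherwise exact, including the trailing comma: an extra path appended after the comma is the usual way a second executable gets run at every logon, and that is precisely what an exact match catches.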
03-24-2008, 12:31 AM   #6

Re: Virus messing up my computer

Hi there

Please download ComboFix.exe

Save ComboFix to the desktop.

1. Double-click on combo.exe and follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

If your computer did not restart, then please restart it now.
Once it has restarted, please generate a fresh HJT log.
Post this along with the results from ComboFix in your next reply.
sjb007
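Once C:\ComboFix.txt is in hand, its "Files Created" section is the quickest place to see not just what was dropped but when. The following is an added example (my code, not part of the thread or of ComboFix) that parses rows in the layout that section uses and flags hidden+system files dropped under the Windows tree and executables parked under a .tmp name, then counts the hidden+system drops per day to show the infection's active window. The column meaning (created . last-modified size attributes path) is my reading of that layout and is an assumption; the sample rows are copied from or modelled on the log posted later in this thread.

```python
import re
from collections import Counter

# Constructed sample in the layout of ComboFix's "Files Created" section:
# created . last-modified size attributes path (column meaning assumed).
SAMPLE_CREATED = r"""
2008-03-22 17:10 . 2008-03-23 16:50 414 ---hs---- C:\WINDOWS\system32\drocvins.ini
2008-03-21 18:18 . 2008-03-21 18:18 594 --ahs---- C:\WINDOWS\system32\yrjqnmed.ini
2008-03-20 18:44 . 2008-03-21 18:08 534 --ahs---- C:\WINDOWS\system32\sunhivld.ini
2008-03-20 15:21 . 2008-03-20 16:29 354 --ahs---- C:\WINDOWS\system32\mtttddtk.ini
2008-03-14 22:49 . 2008-03-14 22:49 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-03-14 22:47 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-02-29 01:38 . 2008-02-29 01:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
"""

LINE_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d) \d\d:\d\d \. (\d{4}-\d\d-\d\d) \d\d:\d\d\s+([\d,]+)\s+([-a-z]{9})\s+(.+)$')
WINDOWS_TREE = 'c:\\windows\\'   # assumes the system drive is C:
EXEC_EXT = ('.exe', '.dll', '.sys', '.scr', '.ocx')


def parse_created(text):
    """Turn 'Files Created' rows into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            rows.append({'created': created, 'modified': modified,
                         'size': int(size.replace(',', '')), 'attrs': attrs, 'path': path})
    return rows


def triage_created(text):
    """Flag hidden+system drops under the Windows tree and executables parked
    as .tmp; returns (created_date, path, reasons) per flagged row."""
    findings = []
    for r in parse_created(text):
        p = r['path'].lower()
        name = p.rsplit('\\', 1)[-1]
        reasons = []
        # A legitimate installer rarely marks its data files hidden AND system;
        # malware does it to keep them out of Explorer and dir listings.
        if p.startswith(WINDOWS_TREE) and 'h' in r['attrs'] and 's' in r['attrs']:
            reasons.append('hidden+system file dropped under the Windows tree')
        # foo.exe.tmp in the Windows directory is a download staged for rename.
        if name.endswith('.tmp') and name[:-4].endswith(EXEC_EXT):
            reasons.append('executable staged under a .tmp name')
        if reasons:
            findings.append((r['created'], r['path'], reasons))
    return findings


def drop_timeline(text):
    """Hidden+system drops per creation day: the shape of the infection's
    active window, which a single detection does not show."""
    return Counter(created for created, _path, reasons in triage_created(text)
                   if any(why.startswith('hidden+system') for why in reasons))


if __name__ == '__main__':
    for created, path, reasons in triage_created(SAMPLE_CREATED):
        print(created, path, '|', '; '.join(reasons))
    for day, n in sorted(drop_timeline(SAMPLE_CREATED).items()):
        print(day, n)
```

Note what is deliberately not flagged: the ltkrn13n.dll row is created in 2008 but last modified in 2004, which is the normal signature of an installer copying old vendor files, and QTFont.qfn is hidden but not system. Attribute and location together discriminate better than either alone.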
03-25-2008, 06:22 PM   #7

Re: Virus messing up my computer

Thank you so much. Here is the report that popped up after my computer restarted...

ComboFix 08-03-25.1 - Day 2008-03-25 20:00:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.371 [GMT -4:00]
Running from: C:\Documents and Settings\Day\Local Settings\Temporary Internet Files\Content.IE5\SIAX1WYM\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\isgTi19
C:\Temp\sanR24
C:\WINDOWS\BM7703e89a.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aanvetje.dll
C:\WINDOWS\system32\abcwpuxh.dll
C:\WINDOWS\system32\aqnmcfle.ini
C:\WINDOWS\system32\avaclwqx.dll
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini2
C:\WINDOWS\system32\cudpbeid.dll
C:\WINDOWS\system32\ekfdgiqk.dll
C:\WINDOWS\system32\elfcmnqa.dll
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\gmewbuhr.dll
C:\WINDOWS\system32\gvchqueu.ini
C:\WINDOWS\system32\gxyagdcf.ini
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\jkkjj.dll
C:\WINDOWS\system32\jobmmogb.dll
C:\WINDOWS\system32\khxuwudg.dll
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\laahowww.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\meuklfng.dll
C:\WINDOWS\system32\mhajfisj.dll
C:\WINDOWS\system32\mhiacwrg.dll
C:\WINDOWS\system32\mjxxekyq.dll
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\system32\ndqpbldx.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nrnqyidl.dll
C:\WINDOWS\system32\oeuxvidu.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqstv.ini
C:\WINDOWS\system32\pqstv.ini2
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\rgbknhpt.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rutqmiiy.dll
C:\WINDOWS\system32\rwimguty.dll
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\tqbanblp.ini
C:\WINDOWS\system32\vqarsfce.dll
C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\wbqgyyio.dll
C:\WINDOWS\system32\xpchoqch.dll

----- BITS: Possible infected sites -----

hxxp://fsuwsus1.ferris.edu
.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-22 17:10 . 2008-03-23 16:50 414 ---hs---- C:\WINDOWS\system32\drocvins.ini
2008-03-21 18:18 . 2008-03-21 18:18 594 --ahs---- C:\WINDOWS\system32\yrjqnmed.ini
2008-03-20 18:44 . 2008-03-21 18:08 534 --ahs---- C:\WINDOWS\system32\sunhivld.ini
2008-03-20 15:21 . 2008-03-20 16:29 354 --ahs---- C:\WINDOWS\system32\mtttddtk.ini
2008-03-20 03:31 . 2008-03-20 14:53 354 --ahs---- C:\WINDOWS\system32\gaovkdvm.ini
2008-03-20 00:43 . 2008-03-20 00:44 654 --ahs---- C:\WINDOWS\system32\kcghwukl.ini
2008-03-19 14:44 . 2008-03-20 02:03 714 --ahs---- C:\WINDOWS\system32\rnpeliyo.ini
2008-03-19 14:29 . 2008-03-19 14:34 354 --ahs---- C:\WINDOWS\system32\wdisaogk.ini
2008-03-19 13:40 . 2008-03-19 13:40 594 --ahs---- C:\WINDOWS\system32\osohcljl.ini
2008-03-18 20:48 . 2008-03-19 13:44 594 --ahs---- C:\WINDOWS\system32\pbaggylo.ini
2008-03-17 21:29 . 2008-03-17 21:29 1,014 --ahs---- C:\WINDOWS\system32\bgjaymtq.ini
2008-03-17 17:32 . 2008-03-18 02:14 1,254 --ahs---- C:\WINDOWS\system32\baxotbpg.ini
2008-03-17 02:15 . 2008-03-17 17:32 774 --ahs---- C:\WINDOWS\system32\jfaxvmve.ini
2008-03-17 00:01 . 2008-03-17 01:31 594 --ahs---- C:\WINDOWS\system32\ubonakjv.ini
2008-03-14 23:08 . 2008-03-16 23:29 3,654 --ahs---- C:\WINDOWS\system32\kpfyshim.ini
2008-03-14 22:49 . 2008-03-14 22:49 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-03-14 22:48 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-03-14 22:47 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-03-14 22:47 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-03-14 00:36 . 2008-03-14 23:03 3,534 --ahs---- C:\WINDOWS\system32\arohapco.ini
2008-03-13 00:29 . 2008-03-14 00:29 3,054 --ahs---- C:\WINDOWS\system32\yhrbmaba.ini
2008-03-11 23:03 . 2008-03-13 00:27 2,754 --ahs---- C:\WINDOWS\system32\cwlsbddf.ini
2008-03-05 19:21 . 2008-03-11 23:00 1,854 --ahs---- C:\WINDOWS\system32\dpetbfqv.ini
2008-03-05 03:41 . 2008-03-05 19:08 714 --ahs---- C:\WINDOWS\system32\agycubux.ini
2008-03-04 16:17 . 2008-03-04 16:17 534 --ahs---- C:\WINDOWS\system32\jwxwrvma.ini
2008-03-04 00:50 . 2008-03-04 20:06 534 --ahs---- C:\WINDOWS\system32\afoaxfis.ini
2008-03-03 19:42 . 2008-03-03 19:37 2,833,218 --a------ C:\WINDOWS\system32\gglhelvk.xml
2008-03-03 15:57 . 2008-03-03 15:57 414 --ahs---- C:\WINDOWS\system32\ntbqueri.ini
2008-03-03 00:45 . 2008-03-03 18:46 414 --ahs---- C:\WINDOWS\system32\kkuhmlau.ini
2008-03-03 00:04 . 2008-03-03 00:04 294 --ahs---- C:\WINDOWS\system32\eavtsaue.ini
2008-03-02 22:37 . 2008-03-02 22:37 294 --ahs---- C:\WINDOWS\system32\sgygepeg.ini
2008-03-02 14:15 . 2008-03-02 14:15 414 --ahs---- C:\WINDOWS\system32\fmkagqfd.ini
2008-03-01 22:56 . 2008-03-02 18:04 414 --ahs---- C:\WINDOWS\system32\pfthjnuk.ini
2008-03-01 04:54 . 2008-03-01 04:53 2,833,184 --a------ C:\WINDOWS\system32\ehqbfbrq.xml
2008-02-29 20:44 . 2008-02-29 20:40 2,832,980 --a------ C:\WINDOWS\system32\iutublwl.xml
2008-02-29 16:02 . 2008-03-06 14:38 2,833,218 --a------ C:\WINDOWS\system32\pduupauq.xml
2008-02-29 01:38 . 2008-02-29 01:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 01:38 . 2008-02-29 01:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 20:07 . 2008-02-29 15:54 354 --ahs---- C:\WINDOWS\system32\jvoxaurh.ini
2008-02-28 15:32 . 2008-02-28 18:40 534 --ahs---- C:\WINDOWS\system32\vvdciyau.ini
2008-02-27 15:40 . 2003-04-18 15:55 2,772,798 -ra------ C:\WINDOWS\system32\lmdrv#.zip
2008-02-27 15:40 . 2003-04-18 15:55 405,974 -ra------ C:\WINDOWS\system32\lexunst.zip
2008-02-27 15:36 . 2003-04-18 15:45 294,432 --a------ C:\WINDOWS\system32\lmpclxc.dll
2008-02-27 15:36 . 2003-04-18 15:45 208,592 --a------ C:\WINDOWS\system32\ptapiw16.dll
2008-02-27 15:36 . 2003-04-18 15:45 77,824 --a------ C:\WINDOWS\system32\lmpclpp.dll
2008-02-27 15:36 . 2003-04-18 15:45 61,440 --a------ C:\WINDOWS\system32\lmpclthk.dll
2008-02-27 15:35 . 2003-04-18 15:45 673,216 --a------ C:\WINDOWS\system32\lmpcl5cx.dll
2008-02-27 15:35 . 2003-04-18 15:45 533,504 --a------ C:\WINDOWS\system32\lmpcl5c.drv
2008-02-27 15:35 . 2003-04-18 15:45 266,196 --a------ C:\WINDOWS\system32\lmpcl5d.hlp
2008-02-27 15:35 . 2003-04-18 15:45 237,568 --a------ C:\WINDOWS\system32\lexdrvin.exe
2008-02-27 15:35 . 2003-04-18 15:45 205,440 --a------ C:\WINDOWS\system32\lmpcl5cc.dll
2008-02-27 15:35 . 2003-04-18 15:45 110,592 --a------ C:\WINDOWS\system32\lexdrvx.dll
2008-02-27 15:35 . 2003-04-18 15:55 67,426 --a------ C:\WINDOWS\system32\lmpcl5c.all
2008-02-27 15:35 . 2003-04-18 15:55 22,651 --a------ C:\WINDOWS\system32\lmpcl5d$.ini
2008-02-26 00:53 . 2008-02-26 01:18 294 --ahs---- C:\WINDOWS\system32\fvjokdku.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 00:11 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-20 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-05 07:55 --------- d-----w C:\Program Files\Dl_cats
2008-03-04 23:46 --------- d-----w C:\Documents and Settings\Day\Application Data\TAIT3
2008-03-03 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 23:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 04:46 --------- d-----w C:\Program Files\Roxio
2008-02-23 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-23 04:42 --------- d-----w C:\Program Files\Dell
2008-01-29 20:06 --------- d-----w C:\Program Files\Steam
2008-01-29 07:11 --------- d-----w C:\Program Files\World of Warcraft
2008-01-28 06:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-28 02:58 --------- d-----w C:\Program Files\Creative
2008-01-28 00:57 --------- d-----w C:\Documents and Settings\Day\Application Data\Sonic
2008-01-28 00:56 --------- d-----w C:\Documents and Settings\Day\Application Data\Leadertech
2007-01-19 20:51 88 --sha-r C:\WINDOWS\system32\F80FE42FB5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CF595BD-3529-4A6D-BDF1-86C0248FD018}]
C:\WINDOWS\system32\gebcb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 03:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 03:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 03:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 16:57 57344]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"Adobe Version Cue CS2"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58 856064]
"Acrobat Assistant 7.0"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WMC_WMPDBExport"="C:\Program Files\Windows Media Player\wmdbexport.exe" [2006-10-18 21:04 493568]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 06:00 388608 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 18:12:50 28672]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-10 02:21:29 24576]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-03-22 20:46:49 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 11:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-06-29 20:51 1258744 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DSBrokerService"=3 (0x3)
"dlcf_device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.2.0-enUS-downloader.exe"=
"C:\\Program Files\\Symantec AntiVirus\\SavRoam.exe"=
"C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af110745-7e97-11dc-a075-0015c568c135}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 20:11:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-25 20:15:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 00:15:54
.
2008-02-23 18:36:42 --- E O F ---
Old 03-26-2008, 01:38 AM   #8 (permalink)
sjb007
Analyst, Security Team

Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: Virus messing up my computer

Hi there mercenaryfox

Please follow my instructions as set out:

-> Save ComboFix to the desktop.

You are currently running ComboFix from a temp location -> C:\Documents and Settings\Day\Local Settings\Temporary Internet Files\
ComboFix needs to be run from the desktop in order for it to function properly and at its maximum strength.

Please delete ComboFix from the current location and download it to your desktop from the link posted previously, then generate and post a fresh ComboFix log.

Thanks
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 03-26-2008, 07:21 PM   #9 (permalink)
Registered User

Join Date: Mar 2008
Posts: 10
OS: windows xp

Re: Virus messing up my computer

Anything else that you need, just let me know...

ComboFix 08-03-25.4 - Day 2008-03-26 2143.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.357 [GMT -4:00]
Running from: C:\Documents and Settings\Day\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-26 01:15 . 2008-03-26 01:15 <DIR> d-------- C:\Logs
2008-03-22 17:10 . 2008-03-23 16:50 414 ---hs---- C:\WINDOWS\system32\drocvins.ini
2008-03-21 18:18 . 2008-03-21 18:18 594 --ahs---- C:\WINDOWS\system32\yrjqnmed.ini
2008-03-20 18:44 . 2008-03-21 18:08 534 --ahs---- C:\WINDOWS\system32\sunhivld.ini
2008-03-20 15:21 . 2008-03-20 16:29 354 --ahs---- C:\WINDOWS\system32\mtttddtk.ini
2008-03-20 03:31 . 2008-03-20 14:53 354 --ahs---- C:\WINDOWS\system32\gaovkdvm.ini
2008-03-20 00:43 . 2008-03-20 00:44 654 --ahs---- C:\WINDOWS\system32\kcghwukl.ini
2008-03-19 14:44 . 2008-03-20 02:03 714 --ahs---- C:\WINDOWS\system32\rnpeliyo.ini
2008-03-19 14:29 . 2008-03-19 14:34 354 --ahs---- C:\WINDOWS\system32\wdisaogk.ini
2008-03-19 13:40 . 2008-03-19 13:40 594 --ahs---- C:\WINDOWS\system32\osohcljl.ini
2008-03-18 20:48 . 2008-03-19 13:44 594 --ahs---- C:\WINDOWS\system32\pbaggylo.ini
2008-03-17 21:29 . 2008-03-17 21:29 1,014 --ahs---- C:\WINDOWS\system32\bgjaymtq.ini
2008-03-17 17:32 . 2008-03-18 02:14 1,254 --ahs---- C:\WINDOWS\system32\baxotbpg.ini
2008-03-17 02:15 . 2008-03-17 17:32 774 --ahs---- C:\WINDOWS\system32\jfaxvmve.ini
2008-03-17 00:01 . 2008-03-17 01:31 594 --ahs---- C:\WINDOWS\system32\ubonakjv.ini
2008-03-14 23:08 . 2008-03-16 23:29 3,654 --ahs---- C:\WINDOWS\system32\kpfyshim.ini
2008-03-14 22:48 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-03-14 22:47 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-03-14 22:47 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-03-14 00:36 . 2008-03-14 23:03 3,534 --ahs---- C:\WINDOWS\system32\arohapco.ini
2008-03-13 00:29 . 2008-03-14 00:29 3,054 --ahs---- C:\WINDOWS\system32\yhrbmaba.ini
2008-03-11 23:03 . 2008-03-13 00:27 2,754 --ahs---- C:\WINDOWS\system32\cwlsbddf.ini
2008-03-05 19:21 . 2008-03-11 23:00 1,854 --ahs---- C:\WINDOWS\system32\dpetbfqv.ini
2008-03-05 03:41 . 2008-03-05 19:08 714 --ahs---- C:\WINDOWS\system32\agycubux.ini
2008-03-04 16:17 . 2008-03-04 16:17 534 --ahs---- C:\WINDOWS\system32\jwxwrvma.ini
2008-03-04 00:50 . 2008-03-04 20:06 534 --ahs---- C:\WINDOWS\system32\afoaxfis.ini
2008-03-03 19:42 . 2008-03-03 19:37 2,833,218 --a------ C:\WINDOWS\system32\gglhelvk.xml
2008-03-03 15:57 . 2008-03-03 15:57 414 --ahs---- C:\WINDOWS\system32\ntbqueri.ini
2008-03-03 00:45 . 2008-03-03 18:46 414 --ahs---- C:\WINDOWS\system32\kkuhmlau.ini
2008-03-03 00:04 . 2008-03-03 00:04 294 --ahs---- C:\WINDOWS\system32\eavtsaue.ini
2008-03-02 22:37 . 2008-03-02 22:37 294 --ahs---- C:\WINDOWS\system32\sgygepeg.ini
2008-03-02 14:15 . 2008-03-02 14:15 414 --ahs---- C:\WINDOWS\system32\fmkagqfd.ini
2008-03-01 22:56 . 2008-03-02 18:04 414 --ahs---- C:\WINDOWS\system32\pfthjnuk.ini
2008-03-01 04:54 . 2008-03-01 04:53 2,833,184 --a------ C:\WINDOWS\system32\ehqbfbrq.xml
2008-02-29 20:44 . 2008-02-29 20:40 2,832,980 --a------ C:\WINDOWS\system32\iutublwl.xml
2008-02-29 16:02 . 2008-03-06 14:38 2,833,218 --a------ C:\WINDOWS\system32\pduupauq.xml
2008-02-29 01:38 . 2008-02-29 01:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 01:38 . 2008-02-29 01:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 20:07 . 2008-02-29 15:54 354 --ahs---- C:\WINDOWS\system32\jvoxaurh.ini
2008-02-28 15:32 . 2008-02-28 18:40 534 --ahs---- C:\WINDOWS\system32\vvdciyau.ini
2008-02-27 15:40 . 2003-04-18 15:55 2,772,798 -ra------ C:\WINDOWS\system32\lmdrv#.zip
2008-02-27 15:40 . 2003-04-18 15:55 405,974 -ra------ C:\WINDOWS\system32\lexunst.zip
2008-02-27 15:36 . 2003-04-18 15:45 294,432 --a------ C:\WINDOWS\system32\lmpclxc.dll
2008-02-27 15:36 . 2003-04-18 15:45 208,592 --a------ C:\WINDOWS\system32\ptapiw16.dll
2008-02-27 15:36 . 2003-04-18 15:45 77,824 --a------ C:\WINDOWS\system32\lmpclpp.dll
2008-02-27 15:36 . 2003-04-18 15:45 61,440 --a------ C:\WINDOWS\system32\lmpclthk.dll
2008-02-27 15:35 . 2003-04-18 15:45 673,216 --a------ C:\WINDOWS\system32\lmpcl5cx.dll
2008-02-27 15:35 . 2003-04-18 15:45 533,504 --a------ C:\WINDOWS\system32\lmpcl5c.drv
2008-02-27 15:35 . 2003-04-18 15:45 266,196 --a------ C:\WINDOWS\system32\lmpcl5d.hlp
2008-02-27 15:35 . 2003-04-18 15:45 237,568 --a------ C:\WINDOWS\system32\lexdrvin.exe
2008-02-27 15:35 . 2003-04-18 15:45 205,440 --a------ C:\WINDOWS\system32\lmpcl5cc.dll
2008-02-27 15:35 . 2003-04-18 15:45 110,592 --a------ C:\WINDOWS\system32\lexdrvx.dll
2008-02-27 15:35 . 2003-04-18 15:55 67,426 --a------ C:\WINDOWS\system32\lmpcl5c.all
2008-02-27 15:35 . 2003-04-18 15:55 22,651 --a------ C:\WINDOWS\system32\lmpcl5d$.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 23:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-26 05:13 --------- d-----w C:\Program Files\World of Warcraft
2008-03-26 01:26 5,486 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-24 03:51 3,206 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-22 19:49 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-20 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 21:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-05 07:55 --------- d-----w C:\Program Files\Dl_cats
2008-03-04 23:46 --------- d-----w C:\Documents and Settings\Day\Application Data\TAIT3
2008-03-03 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 23:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 04:46 --------- d-----w C:\Program Files\Roxio
2008-02-23 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-23 04:42 --------- d-----w C:\Program Files\Dell
2008-01-29 20:06 --------- d-----w C:\Program Files\Steam
2008-01-28 06:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-28 02:58 --------- d-----w C:\Program Files\Creative
2008-01-28 00:57 --------- d-----w C:\Documents and Settings\Day\Application Data\Sonic
2008-01-28 00:56 --------- d-----w C:\Documents and Settings\Day\Application Data\Leadertech
2007-01-19 20:51 88 --sha-r C:\WINDOWS\system32\F80FE42FB5.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_20.15.38.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-26 00:10:23 12,912 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-03-26 23:37:46 12,912 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CF595BD-3529-4A6D-BDF1-86C0248FD018}]
C:\WINDOWS\system32\gebcb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 03:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 03:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 03:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 16:57 57344]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"Adobe Version Cue CS2"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58 856064]
"Acrobat Assistant 7.0"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]
"BM7703e89a"="C:\WINDOWS\system32\eqwrgcrn.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WMC_WMPDBExport"="C:\Program Files\Windows Media Player\wmdbexport.exe" [2006-10-18 21:04 493568]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 06:00 388608 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 18:12:50 28672]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-10 02:21:29 24576]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-03-22 20:46:49 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 11:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-06-29 20:51 1258744 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DSBrokerService"=3 (0x3)
"dlcf_device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.2.0-enUS-downloader.exe"=
"C:\\Program Files\\Symantec AntiVirus\\SavRoam.exe"=
"C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af110745-7e97-11dc-a075-0015c568c135}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 21:07:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-26 21:08:11
ComboFix-quarantined-files.txt 2008-03-27 01:08:00
ComboFix2.txt 2008-03-27 01:02:20
ComboFix3.txt 2008-03-26 00:15:59
.
2008-02-23 18:36:42 --- E O F ---


HijackThis log, before restart:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:28 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8CF595BD-3529-4A6D-BDF1-86C0248FD018} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BM7703e89a] Rundll32.exe "C:\WINDOWS\system32\eqwrgcrn.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://fsuccas1.ferris.edu/auth/CCALogin.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.ferris.edu/sats/Students/...ll/webinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11777 bytes

HijackThis after the restart

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:15 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8CF595BD-3529-4A6D-BDF1-86C0248FD018} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BM7703e89a] Rundll32.exe "C:\WINDOWS\system32\eqwrgcrn.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://fsuccas1.ferris.edu/auth/CCALogin.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.ferris.edu/sats/Students/...ll/webinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11722 bytes

and again thanks a lot for all the help so far!
Old 03-27-2008, 01:32 AM   #10 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: Virus messing up my computer

Hi mercenaryfox

We need to install the Recovery Console before we proceed further...

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
I will be here to review the log until around 14:00 hrs GMT and then from 23:00 to 00:00 hrs due to work commitments.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 03-27-2008, 08:46 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: windows xp


Re: Virus messing up my computer

This is all that appeared on the page. I am sorry if it is too late for you right now, but I will keep my computer on until I hear from you again. Thank you!

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Old 03-28-2008, 01:38 AM   #12 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: Virus messing up my computer

Hi there

You are now clear to boot. In the meantime I will check over the logs you submitted.
Old 03-28-2008, 01:44 AM   #13 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: Virus messing up my computer

Hi there mercenaryfox

Go to the Start menu, select Run, and in the command box type in notepad.
Next, copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\drocvins.ini
C:\WINDOWS\system32\yrjqnmed.ini
C:\WINDOWS\system32\sunhivld.ini
C:\WINDOWS\system32\mtttddtk.ini
C:\WINDOWS\system32\gaovkdvm.ini
C:\WINDOWS\system32\kcghwukl.ini
C:\WINDOWS\system32\rnpeliyo.ini
C:\WINDOWS\system32\wdisaogk.ini
C:\WINDOWS\system32\osohcljl.ini
C:\WINDOWS\system32\pbaggylo.ini
C:\WINDOWS\system32\bgjaymtq.ini
C:\WINDOWS\system32\baxotbpg.ini
C:\WINDOWS\system32\jfaxvmve.ini
C:\WINDOWS\system32\ubonakjv.ini
C:\WINDOWS\system32\kpfyshim.ini
C:\WINDOWS\system32\arohapco.ini
C:\WINDOWS\system32\yhrbmaba.ini
C:\WINDOWS\system32\cwlsbddf.ini
C:\WINDOWS\system32\dpetbfqv.ini
C:\WINDOWS\system32\agycubux.ini
C:\WINDOWS\system32\jwxwrvma.ini
C:\WINDOWS\system32\afoaxfis.ini
C:\WINDOWS\system32\gglhelvk.xml
C:\WINDOWS\system32\ntbqueri.ini
C:\WINDOWS\system32\kkuhmlau.ini
C:\WINDOWS\system32\eavtsaue.ini
C:\WINDOWS\system32\sgygepeg.ini
C:\WINDOWS\system32\fmkagqfd.ini
C:\WINDOWS\system32\pfthjnuk.ini
C:\WINDOWS\system32\ehqbfbrq.xml
C:\WINDOWS\system32\iutublwl.xml
C:\WINDOWS\system32\pduupauq.xml
C:\WINDOWS\system32\jvoxaurh.ini
C:\WINDOWS\system32\vvdciyau.ini
C:\WINDOWS\system32\lmdrv#.zip
C:\WINDOWS\system32\lexunst.zip
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\eqwrgcrn.dll

FileLook::
C:\WINDOWS\system32\F80FE42FB5.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CF595BD-3529-4A6D-BDF1-86C0248FD018}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM7703e89a"=-

- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto ComboFix.exe and release.
ComboFix will then fix the entries and then rescan your computer.
If you are unsure of what is needed, then click on the link to view an example - CFScript.gif

ComboFix will then execute the script and produce a fresh log.
If your computer does not reboot on completion, then reboot it now and generate a fresh HJT log.

Post both logs back to me as a reply to this post.
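The CFScript above tells ComboFix which files to delete and which registry keys and values to remove, and the helper wrote it by reading the HijackThis log by hand. As an added example that is not part of the thread (neither the helper's nor ComboFix's code), the Python below applies two of those hand-made judgements to HijackThis log lines: an O2 BHO entry that has no name or whose DLL is already missing, and an O4 Run entry that uses Rundll32 to load a randomly named DLL from system32. It then drafts the File:: and Registry:: sections in the CFScript format shown above. The sample lines are copied from the logs posted earlier in this thread; the `looks_random` heuristic and its thresholds are assumptions, not a signature, and the output is a draft for a person to review line by line, not something to drop onto ComboFix unread.

```python
import re
from typing import Dict, List

# Constructed sample input: these six lines are copied from the HijackThis logs
# posted earlier in this thread; two are the entries the helper targeted, the
# rest are ordinary vendor entries that must not be flagged.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {8CF595BD-3529-4A6D-BDF1-86C0248FD018} - C:\WINDOWS\system32\gebcb.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BM7703e89a] Rundll32.exe "C:\WINDOWS\system32\eqwrgcrn.dll",s
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
"""

# HijackThis line shapes for the two sections this script understands.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# A Run value that hands a DLL to rundll32, e.g.  Rundll32.exe "C:\...\x.dll",s
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)

HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
VOWELS = "aeiouy"


def looks_random(stem: str) -> bool:
    """Crude, assumed heuristic (not a signature): a file stem of five or more
    letters with almost no vowels, or with a run of six or more consonants,
    has the shape of an auto-generated dropper name such as eqwrgcrn."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(f"[{VOWELS}]", letters))
    return vowel_ratio < 0.2 or longest_consonant_run >= 6


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the O2/O4 entries that match the two hand-made judgements above."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            # A BHO with no registered name, or whose DLL is already gone, is an
            # orphaned CLSID that legitimate software does not leave behind.
            if m.group("name") == "(no name)" or m.group("missing"):
                findings.append({"kind": "bho", "line": line, "clsid": m.group("clsid"),
                                 "path": m.group("path"),
                                 "reason": "BHO with no name or missing DLL"})
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            if not r:
                continue
            dll = r.group("dll")
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\system32\\" in dll.lower() and looks_random(stem):
                findings.append({"kind": "run", "line": line, "hive": m.group("hive"),
                                 "key": m.group("key"), "name": m.group("name"), "dll": dll,
                                 "reason": "rundll32 loads a randomly named DLL from system32"})
    return findings


def build_cfscript(findings: List[Dict[str, str]]) -> str:
    """Draft the File:: and Registry:: sections in the ComboFix CFScript format
    used in this thread. A person still has to review every line before use."""
    files: List[str] = []
    registry: List[str] = []
    for f in findings:
        if f["kind"] == "bho":
            files.append(f["path"])
            # Same key shape the helper used; the leading '-' deletes the key.
            registry.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f['clsid']}}}]")
        elif f["kind"] == "run":
            files.append(f["dll"])
            registry.append(
                f"[{HIVE_NAMES[f['hive']]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f['key']}]"
            )
            registry.append(f'"{f["name"]}"=-')  # "value"=- deletes that value
    return ("File::\n" + "\n".join(sorted(set(files))) + "\n\n"
            "Registry::\n" + "\n".join(registry) + "\n")


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"FLAG ({f['reason']}): {f['line']}")
    print()
    print(build_cfscript(triage(SAMPLE_HJT_LOG)))
```

Run against the sample, it flags exactly the gebcb.dll BHO and the BM7703e89a Run value and leaves the Yahoo, Symantec and Intel entries alone; the Ventrilo O23 line is ignored because the script has no rule for services. The name heuristic is deliberately only applied to DLLs that reach the system through Rundll32, since vendor tray executables (igfxtray, hkcmd) also have consonant-heavy names and would otherwise produce false positives.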
Old 03-28-2008, 03:10 PM   #14 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: windows xp


Re: Virus messing up my computer

I did as you said, and again I'm sorry for the delay... hope everything is in order here. Here are the ComboFix and HijackThis logs, respectively.

ComboFix

ComboFix 08-03-25.4 - Day 2008-03-28 16:56:43.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.412 [GMT -4:00]
Running from: C:\Documents and Settings\Day\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Day\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\afoaxfis.ini
C:\WINDOWS\system32\agycubux.ini
C:\WINDOWS\system32\arohapco.ini
C:\WINDOWS\system32\baxotbpg.ini
C:\WINDOWS\system32\bgjaymtq.ini
C:\WINDOWS\system32\cwlsbddf.ini
C:\WINDOWS\system32\dpetbfqv.ini
C:\WINDOWS\system32\drocvins.ini
C:\WINDOWS\system32\eavtsaue.ini
C:\WINDOWS\system32\ehqbfbrq.xml
C:\WINDOWS\system32\eqwrgcrn.dll
C:\WINDOWS\system32\fmkagqfd.ini
C:\WINDOWS\system32\gaovkdvm.ini
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\gglhelvk.xml
C:\WINDOWS\system32\iutublwl.xml
C:\WINDOWS\system32\jfaxvmve.ini
C:\WINDOWS\system32\jvoxaurh.ini
C:\WINDOWS\system32\jwxwrvma.ini
C:\WINDOWS\system32\kcghwukl.ini
C:\WINDOWS\system32\kkuhmlau.ini
C:\WINDOWS\system32\kpfyshim.ini
C:\WINDOWS\system32\lexunst.zip
C:\WINDOWS\system32\lmdrv#.zip
C:\WINDOWS\system32\mtttddtk.ini
C:\WINDOWS\system32\ntbqueri.ini
C:\WINDOWS\system32\osohcljl.ini
C:\WINDOWS\system32\pbaggylo.ini
C:\WINDOWS\system32\pduupauq.xml
C:\WINDOWS\system32\pfthjnuk.ini
C:\WINDOWS\system32\rnpeliyo.ini
C:\WINDOWS\system32\sgygepeg.ini
C:\WINDOWS\system32\sunhivld.ini
C:\WINDOWS\system32\ubonakjv.ini
C:\WINDOWS\system32\vvdciyau.ini
C:\WINDOWS\system32\wdisaogk.ini
C:\WINDOWS\system32\yhrbmaba.ini
C:\WINDOWS\system32\yrjqnmed.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\afoaxfis.ini
C:\WINDOWS\system32\agycubux.ini
C:\WINDOWS\system32\arohapco.ini
C:\WINDOWS\system32\baxotbpg.ini
C:\WINDOWS\system32\bgjaymtq.ini
C:\WINDOWS\system32\cwlsbddf.ini
C:\WINDOWS\system32\dpetbfqv.ini
C:\WINDOWS\system32\drocvins.ini
C:\WINDOWS\system32\eavtsaue.ini
C:\WINDOWS\system32\ehqbfbrq.xml
C:\WINDOWS\system32\fmkagqfd.ini
C:\WINDOWS\system32\gaovkdvm.ini
C:\WINDOWS\system32\gglhelvk.xml
C:\WINDOWS\system32\iutublwl.xml
C:\WINDOWS\system32\jfaxvmve.ini
C:\WINDOWS\system32\jvoxaurh.ini
C:\WINDOWS\system32\jwxwrvma.ini
C:\WINDOWS\system32\kcghwukl.ini
C:\WINDOWS\system32\kkuhmlau.ini
C:\WINDOWS\system32\kpfyshim.ini
C:\WINDOWS\system32\lexunst.zip
C:\WINDOWS\system32\lmdrv#.zip
C:\WINDOWS\system32\mtttddtk.ini
C:\WINDOWS\system32\ntbqueri.ini
C:\WINDOWS\system32\osohcljl.ini
C:\WINDOWS\system32\pbaggylo.ini
C:\WINDOWS\system32\pduupauq.xml
C:\WINDOWS\system32\pfthjnuk.ini
C:\WINDOWS\system32\rnpeliyo.ini
C:\WINDOWS\system32\sgygepeg.ini
C:\WINDOWS\system32\sunhivld.ini
C:\WINDOWS\system32\ubonakjv.ini
C:\WINDOWS\system32\vvdciyau.ini
C:\WINDOWS\system32\wdisaogk.ini
C:\WINDOWS\system32\yhrbmaba.ini
C:\WINDOWS\system32\yrjqnmed.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-26 01:15 . 2008-03-26 01:15 <DIR> d-------- C:\Logs
2008-03-14 22:48 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-03-14 22:47 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-03-14 22:47 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-02-29 01:38 . 2008-02-29 01:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 01:38 . 2008-02-29 01:38 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 04:46 5,486 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-27 20:19 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-26 05:13 --------- d-----w C:\Program Files\World of Warcraft
2008-03-24 03:51 3,206 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-22 19:49 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-20 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 21:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-05 07:55 --------- d-----w C:\Program Files\Dl_cats
2008-03-04 23:46 --------- d-----w C:\Documents and Settings\Day\Application Data\TAIT3
2008-03-03 23:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 23:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 04:46 --------- d-----w C:\Program Files\Roxio
2008-02-23 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-23 04:42 --------- d-----w C:\Program Files\Dell
2008-01-29 20:06 --------- d-----w C:\Program Files\Steam
2008-01-28 06:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-28 02:58 --------- d-----w C:\Program Files\Creative
2008-01-28 00:57 --------- d-----w C:\Documents and Settings\Day\Application Data\Sonic
2008-01-28 00:56 --------- d-----w C:\Documents and Settings\Day\Application Data\Leadertech
2007-01-19 20:51 88 --sha-r C:\WINDOWS\system32\F80FE42FB5.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_20.15.38.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-28 20:51:17 10,138 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{3F9F4F07-66AA-411E-BDD6-E59AD4729F92}.bin
- 2008-03-26 00:10:23 12,912 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-03-27 20:17:49 12,913 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 03:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 03:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 03:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 16:57 57344]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"Adobe Version Cue CS2"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58 856064]
"Acrobat Assistant 7.0"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]
"BM7703e89a"="C:\WINDOWS\system32\eqwrgcrn.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WMC_WMPDBExport"="C:\Program Files\Windows Media Player\wmdbexport.exe" [2006-10-18 21:04 493568]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 06:00 388608 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 18:12:50 28672]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-10 02:21:29 24576]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-03-22 20:46:49 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 11:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-06-29 20:51 1258744 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DSBrokerService"=3 (0x3)
"dlcf_device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.2.0-enUS-downloader.exe"=
"C:\\Program Files\\Symantec AntiVirus\\SavRoam.exe"=
"C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af110745-7e97-11dc-a075-0015c568c135}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 16:59:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-28 17:00:31
ComboFix-quarantined-files.txt 2008-03-28 21:00:28
ComboFix2.txt 2008-03-27 01:08:12
ComboFix3.txt 2008-03-27 01:02:20
ComboFix4.txt 2008-03-26 00:15:59
.
2008-02-23 18:36:42 --- E O F ---



hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:41 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BM7703e89a] Rundll32.exe "C:\WINDOWS\system32\eqwrgcrn.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://fsuccas1.ferris.edu/auth/CCALogin.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.ferris.edu/sats/Students/...ll/webinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11657 bytes


thanks again and have a great day!
mercenaryfox is offline  
Old 03-28-2008, 05:33 PM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Virus messing up my computer

Hi there

Things are looking better, just a couple of entries for combofix to sort out...

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\eqwrgcrn.dll

FileLook::
C:\WINDOWS\system32\F80FE42FB5.sys

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM7703e89a"=-

- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.
Combofix will then fix the entry and then rescan your computer.
If you are unsure of what is needed then click on the link to view an example - CFScript.gif

Combofix will then execute the script and produce a fresh log once complete.
If your computer does not reboot on completion then reboot it now and generate a fresh HJT log.

Next I want you to run an online scan, but before we do let's flush out unwanted files.

Download and scan with CCleaner lite
1. Double-click the file and install CCleaner

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Please perform a scan with Kaspersky Webscan Online Virus Scanner

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'

1. Click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
2. Read the Requirements and Privacy statement, then select "Accept".
3. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
4. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
5. When the download is complete it will say ready, click "Next".
6. Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
7. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
8. Click "OK".
9. Under "Select a target to scan", click on "My Computer".
10. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Now reboot and generate a fresh HJT log

Please post back with:
The new log from combofix
The log from kaspersky
A fresh HJT log
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
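A small triage helper for the CFScript step above, added here as an example (it is not code from the thread, nor from HijackThis or ComboFix): it parses O4 lines in the HJT log format, flags Run/RunOnce entries of the shape the BM7703e89a entry has (rundll32.exe loading a random-looking DLL from the Windows directory), and drafts the File:: and Registry:: sections in the CFScript form sjb007 wrote by hand. The random-name scoring and the 0.6 threshold are assumed heuristics, so hits are leads for an analyst to verify, not a verdict.

```python
"""Triage HijackThis O4 autostart lines and draft a ComboFix CFScript.

Hypothetical heuristic: a Run/RunOnce entry that persists by having
rundll32.exe load a DLL from the Windows directory whose file name looks
random (long, all letters, few vowels) gets flagged. Hits are leads for an
analyst to verify, not a verdict.
"""
import re

# Constructed sample in the shape of the HJT log above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BM7703e89a] Rundll32.exe "C:\WINDOWS\system32\eqwrgcrn.dll",s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# HJT abbreviates the hive; CFScript's Registry:: section needs the full key.
HIVES = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]+)\] (.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)


def parse_o4(line):
    """Split one O4 line into hive, subkey, value name and command, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, subkey, name, command = m.groups()
    return {"hive": hive, "subkey": subkey, "name": name, "command": command}


def random_name_score(stem):
    """Score 0..1 for how random a file name stem looks (hypothetical heuristic)."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 8:
        return 0.0
    vowels = sum(c in "aeiou" for c in s)
    return 1.0 - vowels / len(s)


def suspicious(entry, threshold=0.6):
    """Return details if the entry is a rundll32-loaded, random-named Windows-dir DLL."""
    m = RUNDLL_RE.match(entry["command"])
    if not m:
        return None
    dll = m.group(1)
    in_windir = dll.lower().startswith("c:\\windows\\")
    stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    score = random_name_score(stem)
    if in_windir and score >= threshold:
        return {"dll": dll, "score": score}
    return None


def triage(log_text):
    """Parse every O4 line in an HJT log and collect the flagged entries."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        details = suspicious(entry)
        if details:
            hits.append({**entry, **details})
    return hits


def build_cfscript(hits):
    """Emit File:: and Registry:: sections in the CFScript format used above."""
    files = [h["dll"] for h in hits]
    registry = {}
    for h in hits:
        key = f"[{HIVES[h['hive']]}\\{h['subkey']}]"
        registry.setdefault(key, []).append(h["name"])
    lines = ["File::", *files, "", "Registry::"]
    for key, names in registry.items():
        lines.append(key)
        lines.extend(f'"{name}"=-' for name in names)  # "=-" deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"flag {h['hive']}\\{h['subkey']} [{h['name']}] -> {h['dll']} (score {h['score']:.2f})")
    print(build_cfscript(found))
```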
Old 03-31-2008, 06:52 AM   #16 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: windows xp


Re: Virus messing up my computer

Took me a while to get that scan done, hopefully this is everything you need...

combofix

ComboFix 08-03-25.4 - Day 2008-03-30 1735.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.401 [GMT -4:00]
Running from: C:\Documents and Settings\Day\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Day\Desktop\CFScript.txt.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\eqwrgcrn.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 16:45 . 2008-03-30 16:45 <DIR> d-------- C:\Program Files\CCleaner
2008-03-26 01:15 . 2008-03-26 01:15 <DIR> d-------- C:\Logs
2008-03-14 22:48 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-03-14 22:47 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-03-14 22:47 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-02-29 01:38 . 2008-02-29 01:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 01:38 . 2008-02-29 01:38 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-27 15:36 . 2003-04-18 15:45 294,432 --a------ C:\WINDOWS\system32\lmpclxc.dll
2008-02-27 15:36 . 2003-04-18 15:45 208,592 --a------ C:\WINDOWS\system32\ptapiw16.dll
2008-02-27 15:36 . 2003-04-18 15:45 77,824 --a------ C:\WINDOWS\system32\lmpclpp.dll
2008-02-27 15:36 . 2003-04-18 15:45 61,440 --a------ C:\WINDOWS\system32\lmpclthk.dll
2008-02-27 15:35 . 2003-04-18 15:45 673,216 --a------ C:\WINDOWS\system32\lmpcl5cx.dll
2008-02-27 15:35 . 2003-04-18 15:45 533,504 --a------ C:\WINDOWS\system32\lmpcl5c.drv
2008-02-27 15:35 . 2003-04-18 15:45 266,196 --a------ C:\WINDOWS\system32\lmpcl5d.hlp
2008-02-27 15:35 . 2003-04-18 15:45 237,568 --a------ C:\WINDOWS\system32\lexdrvin.exe
2008-02-27 15:35 . 2003-04-18 15:45 205,440 --a------ C:\WINDOWS\system32\lmpcl5cc.dll
2008-02-27 15:35 . 2003-04-18 15:45 110,592 --a------ C:\WINDOWS\system32\lexdrvx.dll
2008-02-27 15:35 . 2003-04-18 15:55 67,426 --a------ C:\WINDOWS\system32\lmpcl5c.all
2008-02-27 15:35 . 2003-04-18 15:55 22,651 --a------ C:\WINDOWS\system32\lmpcl5d$.ini
2008-02-26 00:53 . 2008-02-26 01:18 294 --ahs---- C:\WINDOWS\system32\fvjokdku.ini
2008-02-25 00:44 . 2008-02-25 00:44 294 --ahs---- C:\WINDOWS\system32\xvrkojwd.ini
2008-02-24 00:41 . 2008-02-24 00:41 294 --ahs---- C:\WINDOWS\system32\kxgfxnqr.ini
2008-02-23 01:09 . 2008-02-23 01:09 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-02-22 22:54 . 2008-02-23 01:45 354 --ahs---- C:\WINDOWS\system32\chgihotj.ini
2008-02-22 22:13 . 2008-02-22 22:13 294 --ahs---- C:\WINDOWS\system32\nycowflp.ini
2008-02-18 23:52 . 2008-02-19 00:20 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-16 19:09 . 2008-03-25 20:00 <DIR> d-------- C:\Temp
2008-02-04 16:11 . 2008-03-04 19:46 <DIR> d-------- C:\Documents and Settings\Day\Application Data\TAIT3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 21:40 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-28 04:46 5,486 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-26 05:13 --------- d-----w C:\Program Files\World of Warcraft
2008-03-24 03:51 3,206 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-22 19:49 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-20 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 21:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-05 07:55 --------- d-----w C:\Program Files\Dl_cats
2008-03-03 23:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 04:46 --------- d-----w C:\Program Files\Roxio
2008-02-23 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-23 04:42 --------- d-----w C:\Program Files\Dell
2008-01-29 20:06 --------- d-----w C:\Program Files\Steam
2008-01-28 06:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-01-28 02:58 --------- d-----w C:\Program Files\Creative
2008-01-28 00:57 --------- d-----w C:\Documents and Settings\Day\Application Data\Sonic
2008-01-28 00:56 --------- d-----w C:\Documents and Settings\Day\Application Data\Leadertech
2007-01-19 20:51 88 --sha-r C:\WINDOWS\system32\F80FE42FB5.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_20.15.38.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-26 00:10:23 12,912 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-03-29 21:39:10 12,913 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 03:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 03:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 03:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 16:57 57344]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"Adobe Version Cue CS2"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58 856064]
"Acrobat Assistant 7.0"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WMC_WMPDBExport"="C:\Program Files\Windows Media Player\wmdbexport.exe" [2006-10-18 21:04 493568]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 06:00 388608 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 18:12:50 28672]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-10 02:21:29 24576]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-03-22 20:46:49 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 11:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-06-29 20:51 1258744 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DSBrokerService"=3 (0x3)
"dlcf_device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.2.0-enUS-downloader.exe"=
"C:\\Program Files\\Symantec AntiVirus\\SavRoam.exe"=
"C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af110745-7e97-11dc-a075-0015c568c135}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 17:07:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 17:07:55
ComboFix-quarantined-files.txt 2008-03-30 21:07:52
ComboFix2.txt 2008-03-30 20:36:18
ComboFix3.txt 2008-03-28 21:00:32
ComboFix4.txt 2008-03-27 01:08:12
ComboFix5.txt 2008-03-27 01:02:20
.
2008-02-23 18:36:42 --- E O F ---

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:41 PM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [BM7703e89a] Rundll32.exe "C:\WINDOWS\system32\eqwrgcrn.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://fsuccas1.ferris.edu/auth/CCALogin.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.ferris.edu/sats/Students/...ll/webinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11657 bytes

KASPERSKY

KASPERSKY ONLINE SCANNER REPORT
Monday, March 31, 2008 8:46:59 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 674026


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 77607
Number of viruses found 10
Number of infected objects 220
Number of suspicious objects 0
Duration of the scan process 00:56:36

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01BC0000\47BF444A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100000\47F99560.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100001\47F99582.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100002\47F9958F.VBN Infected: not-a-virus:AdWare.Win32.Agent.asj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100003\47F9959E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100004\47F995AB.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100005\47F995B8.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100006\47F995C4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100007\47F995CF.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100008\47F995DC.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100009\47F995E9.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210000B\47F99601.VBN Infected: not-a-virus:AdWare.Win32.Agent.asj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210000C\47F9960E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210000D\47F9961B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210000E\47F99629.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210000F\47F99637.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100010\47F99643.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100011\47F99650.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100012\47F9965C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100013\47F99669.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100014\47F99676.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100015\47F99683.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100016\47F99690.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100017\47F9969C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100018\47F996A9.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02100019\47F996B4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210001B\47F996CC.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210001C\47F996D8.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0210001D\47F996E6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\046C0004\47FDF85B.VBN Infected: Trojan-Downloader.Win32.Agent.kvv skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05380001\47FC57A2.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05380002\47FC57C9.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F40000\47FF786E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F40001\47FF788B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F40002\47FF7B65.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06A00000\47E017F4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06A00001\47E052EF.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06A00002\47E0712A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06A00003\47E08A01.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06A00004\47E098CE.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B80001\47F86440.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07940000\47DEEDB4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07940001\47DEEDD8.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07940002\47DF2968.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07940003\47DF41C0.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08580000\4FF957E6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40000\4FF74AE8.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40001\4FF74C0E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B40002\4FF7ADCC.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00000\4FF03B33.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00001\4FF045A4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00002\4FF064C6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00003\4FF070A0.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00004\4FF0A6CD.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00005\4FF0CA4E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09000004\4FE2F1D5.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09000005\4FE3533F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09680000\4FEF2A29.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0002\4FED92DD.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0003\4FED9303.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0004\4FED9316.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0005\4FED9329.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0006\4FED933B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0007\4FED934E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0008\4FED9360.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C0009\4FED9373.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C000A\4FED9385.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C000B\4FED93A7.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C000D\4FED93D6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\098C000E\4FED93ED.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00002\4FFA53F0.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09E00000\4FFF8A83.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0000\4FFCB442.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0001\4FFCB45F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0002\4FFCB46E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0003\4FFCB47E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0004\4FFCB491.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0005\4FFCB4A1.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0006\4FFCB4B0.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0007\4FFCB4C0.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0008\4FFCB4D1.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0009\4FFCB4E3.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC000A\4FFCB4F3.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC000B\4FFCB502.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.bce skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC000C\4FFCB512.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC000D\4FFCB522.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC000E\4FFCB532.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC000F\4FFCB540.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0010\4FFCB54E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0011\4FFCB55D.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0012\4FFCB56C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0013\4FFCB57B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0014\4FFCB58B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09FC0015\4FFCB59A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixe skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300000\4FFA171C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300001\4FFA2E59.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A400000\4FE1C9B5.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A400001\4FE1E081.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A400002\4FE1F2B6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640000\4FF76F28.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.dz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640001\4FF76F36.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.dz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640002\4FF76F40.VBN Infected: Trojan-Downloader.Win32.VB.cgu skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640003\4FF76F4E.VBN Infected: Trojan-Downloader.Win32.Agent.kvv skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640004\4FF76F59.VBN Infected: Trojan-Downloader.Win32.Agent.kvv skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B0C0000\4FCF9B8B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B1C0000\4FFC4E3F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B640000\4FE647C5.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BE40000\4FECD415.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BE40001\4FECD47E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BE40002\4FFF3CCD.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.dz skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BE40003\4FFF3CDC.VBN Infected: Trojan-Downloader.Win32.VB.caw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280000\4FEED412.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280001\4FEEFC1E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280002\4FF80EC8.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280003\4FF80EE3.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280004\4FF80EF1.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280005\4FF80EFF.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280006\4FF80F0D.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280007\4FF80F1C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280009\4FF80F38.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28000A\4FF80F46.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28000C\4FF80F61.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28000D\4FF80F6E.VBN Infected: not-a-virus:AdWare.Win32.Agent.asj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28000E\4FF80F7C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28000F\4FF80F8B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280010\4FF80F99.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280011\4FF80FA5.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280012\4FF80FB4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280013\4FF80FC2.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280014.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280016.VBN Infected: not-a-virus:AdWare.Win32.Agent.asj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280017.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280018.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280019.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28001A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28001B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28001C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28001D.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28001E.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28001F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280020.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280021.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280022.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280023.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280024.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280026.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280027.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280028.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280029.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28002A.VBN Infected: not-a-virus:AdWare.Win32.Agent.asj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28002B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28002C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28002D.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28002E.VBN Infected: not-a-virus:AdWare.Win32.Agent.asj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28002F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280030.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280031.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280032.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280033.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280034.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280035.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280036.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280037.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280038.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C280039.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28003A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28003B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28003C.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C28003D.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CC40002\4FDDF1CD.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CCC0000\4FEF4233.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CF00000\4FFD6305.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D400000\4FC0F462.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D400001\4FDB3A83.VBN Infected: Trojan-Downloader.Win32.VB.caw skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D580003\4FFF3489.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE00000\4FE45866.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE00001\4FE46CCB.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE00002\4FE488C5.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E140000\4FDF222F.VBN Infected: not-a-virus:AdWare.Win32.SuperJuan.bce skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E140005\4FDF3A9F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ixf skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E1C0000\4FFC0A94.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E1C0001\4FFC1E26.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E1C0002\4FFC8501.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E1C0003\4FFC9498.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E240000\4FBD0234.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ECC0000\4FCF81F6.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ECC0001\4FCF8219.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ECC0002\4FCF8995.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EEC0000\4FEDAE23.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EEC0001\4FEDAE47.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EEC0002\4FEDCC09.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EEC0003\4FEDF9BF.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EEC0004\4FEE01AF.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EEC0005\4FEE4E2B.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EEC0006\4FEE4E58.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F100000\4FF57D41.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F100001\4FF59C0F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F400000\4FCB6327.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F500000\4FD866DD.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F880000\4FDF0716.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940000\4FBFA51A.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940001\4FD74803.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940002\4FD74832.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40000\4FF70B4D.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\Day\Application Data\CiscoCAA\event.log Object is locked skipped

C:\Documents and Settings\Day\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\config\configuration\org.eclipse.core.runtime\.manager\.tmp36612.instance Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\ibdata1 Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\ib_logfile0 Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\ib_logfile1 Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\versioncue\bhasset.ibd Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\versioncue\bhlabel.ibd Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\versioncue\bhlabeltoversion.ibd Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\versioncue\bhpqentry.ibd Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\versioncue\bhschemaversion.ibd Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\versioncue\bhserverglobals.ibd Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\data\versioncue\bhuser.ibd Object is locked skipped

C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\logs\VersionCue.log Object is locked skipped

C:\Documents and Settings\Day\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Day\Local Settings\Application Data\BVRP Software\NetWaiting\MoHlog.txt Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Messenger\foxy_roxy209@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Messenger\foxy_roxy209@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Messenger\foxy_roxy209@hotmail.com\SharingMetadata\Working\database_9E74_30FF_7430_DBA9\dfsr.db Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Messenger\foxy_roxy209@hotmail.com\SharingMetadata\Working\database_9E74_30FF_7430_DBA9\fsr.log Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Messenger\foxy_roxy209@hotmail.com\SharingMetadata\Working\database_9E74_30FF_7430_DBA9\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Messenger\foxy_roxy209@hotmail.com\SharingMetadata\Working\database_9E74_30FF_7430_DBA9\tmp.edb Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Windows Live Contacts\foxy_roxy209@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Application Data\Microsoft\Windows Live Contacts\foxy_roxy209@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Day\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Day\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Temp\~DF2008.tmp Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Temp\~DFA2B9.tmp Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Temp\~DFA2EE.tmp Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Temp\~DFB22F.tmp Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Temp\~DFB2DE.tmp Object is locked skipped

C:\Documents and Settings\Day\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Day\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Day\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0518NAV~.TMP Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT\0524NAV~.TMP Object is locked skipped

C:\Program Files\VentSrv\ventrilo_srv.log Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\abcwpuxh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\awtqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\elfcmnqa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\laahowww.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\mljjk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-25_201047.70.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-25_201047.70.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP320\A0148087.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0148297.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0148299.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0148302.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0148304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0148307.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0148312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\hsperfdata_SYSTEM\924 Object is locked skipped

C:\WINDOWS\Temp\ib10 Object is locked skipped

C:\WINDOWS\Temp\ib8 Object is locked skipped

C:\WINDOWS\Temp\ib9 Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

This is everything you hoped for, and I followed the directions completely. Thanks so much for your help!
mercenaryfox is offline  
Old 03-31-2008, 01:47 PM   #17
sjb007, Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: Virus messing up my computer

Hi there mercenaryfox

Good work in getting the scan through

Regarding the Kaspersky scan....
Although the scan shows "Number of infected objects 220", what it has found is contained and is not in the wild on your computer. The vast majority of these are in Norton's Quarantine; you can empty/delete all the items in the Quarantine folder within Norton. Other items are contained in C:\QooBox\Quarantine, which we will flush out in this next part of the fix, which leaves just a few items in System Restore that will also be flushed out at the very end of the fix.

Just a few more items for combofix to take care of...

Go to the Start menu, select Run, and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\fvjokdku.ini
C:\WINDOWS\system32\xvrkojwd.ini
C:\WINDOWS\system32\kxgfxnqr.ini
C:\WINDOWS\system32\chgihotj.ini
C:\WINDOWS\system32\nycowflp.ini
C:\WINDOWS\system32\eqwrgcrn.dll

Folder::
C:\QooBox\Quarantine

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM7703e89a"=-
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.

Combofix will then fix the entry and rescan your computer.

Combofix will also execute the script and produce a fresh log once complete.
If your computer does not reboot on completion, then reboot it now and generate a fresh HJT log.

Let me know how your computer is running now....
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
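The triage sjb007 walks through above (a hit inside Norton's quarantine, C:\QooBox\Quarantine or a System Restore point is contained; anything else is live) can be run automatically over a Kaspersky report in the format posted in this thread. This is an added example, not code from the thread, Kaspersky, Symantec or ComboFix; the containment path markers are assumptions taken from the paths in the log above, and the sample lines are constructed from it.

```python
r"""
Triage a Kaspersky online-scan report along the lines sjb007 describes above:
an 'Infected:' hit inside Norton's quarantine store, ComboFix's
C:\QooBox\Quarantine, or a System Restore point is already contained, while a
hit anywhere else is live and deserves a look. Added example, not code from
the thread, Kaspersky, Symantec or ComboFix.
"""
import re
from collections import Counter
from dataclasses import dataclass

# The three line shapes that appear in the report on this page.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - (?P<count>\d+) skipped$")

# Assumed containment markers, taken from the paths in the log above. They are
# matched against the lower-cased path because Windows paths are case-insensitive.
CONTAINED = {
    "norton_quarantine": "\\symantec antivirus corporate edition\\7.5\\quarantine\\",
    "combofix_quarantine": "\\qoobox\\quarantine\\",
    "system_restore": "\\system volume information\\_restore",
}


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str   # Kaspersky verdict, e.g. not-a-virus:AdWare.Win32.Virtumonde.gen
    location: str    # a CONTAINED key, or "live"


@dataclass
class Report:
    findings: list   # one Finding per 'Infected:' line
    locked: list     # files the scanner could not open (hives, logs); not detections
    archives: list   # container summaries; their members are listed separately


def classify_path(path):
    """Return the containment bucket for a path, or "live"."""
    lowered = path.lower()
    for location, marker in CONTAINED.items():
        if marker in lowered:
            return location
    return "live"


def is_not_a_virus(detection):
    """Kaspersky prefixes adware/riskware verdicts with 'not-a-virus:'."""
    return detection.startswith("not-a-virus:")


def triage(text):
    """Parse a report and bucket every detection by location."""
    report = Report(findings=[], locked=[], archives=[])
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # the posted log is double-spaced
        if (m := INFECTED_RE.match(line)):
            report.findings.append(Finding(m["path"], m["name"], classify_path(m["path"])))
        elif (m := LOCKED_RE.match(line)):
            report.locked.append(m["path"])
        elif (m := ARCHIVE_RE.match(line)):
            report.archives.append(m["path"])
    return report


def summarize(report):
    """Count detections per location bucket."""
    return Counter(f.location for f in report.findings)


def live_findings(report):
    """Detections outside any quarantine or restore point: the ones to review."""
    return [f for f in report.findings if f.location == "live"]


# Constructed sample modelled on the report above: two Norton quarantine entries,
# a ComboFix quarantine entry plus a zipped member and its archive summary,
# a restore-point copy, a locked registry hive, and one live hit (the RiskTool
# verdict on Reboot.exe inside the SmitfraudFix folder).
SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BE40000\4FECD415.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BE40003\4FFF3CDC.VBN Infected: Trojan-Downloader.Win32.VB.caw skipped

C:\Documents and Settings\Day\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Day\NTUSER.DAT Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\awtqp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-25_201047.70.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-25_201047.70.zip ZIP: infected - 1 skipped

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP320\A0148087.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
"""

if __name__ == "__main__":
    rep = triage(SAMPLE)
    for location, count in sorted(summarize(rep).items()):
        print(f"{location:20} {count}")
    for f in live_findings(rep):
        print("REVIEW:", f.detection, f.path)
```

On the sample the only live entry is the RiskTool verdict on SmitfraudFix's Reboot.exe, which is what a helper would look at by hand rather than act on blindly.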
Old 04-01-2008, 02:40 PM   #18 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: windows xp


Re: Virus messing up my computer

I've completed what you asked me to do, and so far so good. I've had minimal problems, and for the most part the only thing is that Norton Symantec is getting quarantine items from the stuff you have me do... It's usually the files that I'm deleting, so I'm sure that the quarantine from Norton is just picking up stupid residuals from what is happening... I never liked Norton anyway... but here are the logs you asked for...

Hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:20 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} (Enlite 2.x Simulation Engine Installer) - http://myitlab.pearsoned.com/Pegasus...es/ax/stub.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} (CCAWebLogin Control) - https://fsuccas1.ferris.edu/auth/CCALogin.CAB
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://www.ferris.edu/sats/Students/...ll/webinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 11764 bytes

COMBOFIX

ComboFix 08-03-25.4 - Day 2008-04-01 16:24:45.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.449 [GMT -4:00]
Running from: C:\Documents and Settings\Day\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Day\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\chgihotj.ini
C:\WINDOWS\system32\eqwrgcrn.dll
C:\WINDOWS\system32\fvjokdku.ini
C:\WINDOWS\system32\kxgfxnqr.ini
C:\WINDOWS\system32\nycowflp.ini
C:\WINDOWS\system32\xvrkojwd.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\QooBox\Quarantine
C:\WINDOWS\system32\chgihotj.ini
C:\WINDOWS\system32\fvjokdku.ini
C:\WINDOWS\system32\kxgfxnqr.ini
C:\WINDOWS\system32\nycowflp.ini
C:\WINDOWS\system32\xvrkojwd.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-30 17:13 . 2008-03-30 17:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-30 17:13 . 2008-03-30 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 16:45 . 2008-03-30 16:45 <DIR> d-------- C:\Program Files\CCleaner
2008-03-26 01:15 . 2008-03-26 01:15 <DIR> d-------- C:\Logs
2008-03-14 22:48 . 2003-05-22 16:31 55,808 --a------ C:\WINDOWS\system32\lfpsd13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-03-14 22:47 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-03-14 22:47 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-03-14 22:47 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 19:51 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-31 02:42 5,486 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-30 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 05:13 --------- d-----w C:\Program Files\World of Warcraft
2008-03-24 03:51 3,206 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-22 19:49 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-20 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-15 21:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-05 07:55 --------- d-----w C:\Program Files\Dl_cats
2008-03-04 23:46 --------- d-----w C:\Documents and Settings\Day\Application Data\TAIT3
2008-03-03 23:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-23 04:46 --------- d-----w C:\Program Files\Roxio
2008-02-23 04:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-23 04:42 --------- d-----w C:\Program Files\Dell
2007-01-19 20:51 88 --sha-r C:\WINDOWS\system32\F80FE42FB5.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_20.15.38.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-03-26 00:10:23 12,912 ----a-w C:\WINDOWS\system32\tablet.dat
+ 2008-04-01 19:50:17 12,913 ----a-w C:\WINDOWS\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 03:44 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 03:41 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 03:45 118784]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"CTSVolFE.exe"="C:\Program Files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 16:57 57344]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 20:05 1117184]
"Adobe Version Cue CS2"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58 856064]
"Acrobat Assistant 7.0"="C:\Documents and Settings\Day\Desktop\photoshop\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26 52896]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WMC_WMPDBExport"="C:\Program Files\Windows Media Player\wmdbexport.exe" [2006-10-18 21:04 493568]
"TSClientMSIUninstaller"="cmd.exe" [2004-08-04 06:00 388608 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 18:12:50 28672]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-08-10 02:21:29 24576]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2007-03-22 20:46:49 114688]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 11:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-08-15 20:15 271672 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 13:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-06-29 20:51 1258744 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DSBrokerService"=3 (0x3)
"dlcf_device"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-2.2.0-enUS-downloader.exe"=
"C:\\Program Files\\Symantec AntiVirus\\SavRoam.exe"=
"C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af110745-7e97-11dc-a075-0015c568c135}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 16:27:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 16:28:11
ComboFix-quarantined-files.txt 2008-04-01 20:28:07
ComboFix2.txt 2008-03-30 21:07:56
ComboFix3.txt 2008-03-30 20:36:18
ComboFix4.txt 2008-03-28 21:00:32
ComboFix5.txt 2008-03-27 01:08:12
.
2008-02-23 18:36:42 --- E O F ---

And again, thanks for all the help! If anything pops up in the time it takes for the next reply, I'll let you know!
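As an added example (not code from this thread, from ComboFix, or from the helper), the following Python cross-checks a CFScript like the one posted above against the ComboFix log it produced: every File:: and Folder:: entry is looked up in the log's "Other Deletions" section, and every Registry:: value deletion is checked against what "Reg Loading Points" still lists. The sample script and log lines are constructed to mirror this thread, in which the log echoes eqwrgcrn.dll under FILE :: but does not list it under Other Deletions, which is exactly the kind of gap the check flags.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produces (added
example for this thread, not ComboFix's own code and not the helper's)."""
import re

SECTION_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")  # ((( Title ))) log banner
REG_KEY = re.compile(r"^\[(.+)\]\s*$")                   # [HKEY_...\Run]
REG_VALUE = re.compile(r'^"([^"]+)"=')                   # "name"=...

# Constructed sample input mirroring the CFScript and ComboFix log in the thread.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\fvjokdku.ini
C:\WINDOWS\system32\eqwrgcrn.dll
Folder::
C:\QooBox\Quarantine
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM7703e89a"=-
"""

SAMPLE_LOG = r"""FILE ::
C:\WINDOWS\system32\eqwrgcrn.dll
C:\WINDOWS\system32\fvjokdku.ini
.
((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
.
C:\QooBox\Quarantine
C:\WINDOWS\system32\fvjokdku.ini
.
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 03:44 98304]
"""


def parse_cfscript(text):
    """Return the files, folders and (key, value) pairs the script removes."""
    # A section starts with a line ending in '::'; under Registry::, '[key]'
    # selects a key and '"name"=-' asks ComboFix to delete that value.
    out = {"files": [], "folders": [], "registry": []}
    section = current_key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            out["files"].append(line)
        elif section == "folder":
            out["folders"].append(line)
        elif section == "registry":
            key, value = REG_KEY.match(line), REG_VALUE.match(line)
            if key:
                current_key = key.group(1)
            elif value and current_key and line.endswith("=-"):
                out["registry"].append((current_key, value.group(1)))
    return out


def parse_combofix_log(text):
    """Return the paths ComboFix reports deleted and the registry run values it
    still lists under Reg Loading Points (both lower-cased for comparison)."""
    sections, title = {}, "preamble"
    for line in (raw.rstrip() for raw in text.splitlines()):
        header = SECTION_HEADER.match(line)
        if header:
            title = header.group(1)
        elif line and line != ".":
            sections.setdefault(title, []).append(line)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    present, current_key = set(), None
    for line in sections.get("Reg Loading Points", []):
        key, value = REG_KEY.match(line), REG_VALUE.match(line)
        if key:
            current_key = key.group(1).lower()
        elif value and current_key:
            present.add((current_key, value.group(1).lower()))
    return {"deleted": deleted, "present": present}


def cross_check(cfscript_text, log_text):
    """Sort each scripted removal by whether the log confirms it is gone."""
    script, log = parse_cfscript(cfscript_text), parse_combofix_log(log_text)
    report = {"confirmed": [], "unconfirmed": [], "reg_cleared": [], "reg_present": []}
    for path in script["files"] + script["folders"]:
        report["confirmed" if path.lower() in log["deleted"] else "unconfirmed"].append(path)
    for key, name in script["registry"]:
        gone = (key.lower(), name.lower()) not in log["present"]
        report["reg_cleared" if gone else "reg_present"].append(f"[{key}] {name}")
    return report
```

Anything in the "unconfirmed" bucket is a file or folder the script named but the log never reported deleting, which is the first thing to ask about in the follow-up post.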
Old 04-01-2008, 10:28 PM   #19 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Virus messing up my computer

Hi mercenaryfox

Great work, your logs look clean. If you are still experiencing any problems or wish to ask any further questions then please feel free to post back.

Go to Start > Run > copy and paste next command in the field:
ComboFix /u
Make sure there's a space between Combofix and /u.
Then hit Enter.
This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Reboot your computer!

Once you have completed the above tasks I would like you to read the following information which I have placed below as a general read through...

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.
Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is SUPERAntiSpyware or AVG Antispyware - Please note that these products can also be run for free without a licence, but the background protection will not be active.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

Good luck and happy surfing.

Regards
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 04-03-2008, 12:20 PM   #20 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 10
OS: windows xp


Re: Virus messing up my computer

Thank you so much for all your help with everything that I went through. I greatly appreciate your services and what you guys and gals do there on these forums. I took all your advice and did what you told me... no other issues have arisen and everything seems to be in order... thanks again SOOO SOOOO much and have a wonderful year and life!
Copyright 2001 - 2009, Tech Support Forum