Resolved HJT Threads: Resolved spyware and popup issues.
#1
Registered User
Join Date: May 2007
Posts: 26
OS: xp
Pop ups and trojans, low memory
Here are my logs. Thanks for your help:
Logfile of random's system information tool 1.04 (written by random/random) Run by Randy Maddox at 2008-11-05 10:01:09 Microsoft Windows XP Home Edition Service Pack 3 System drive C: has 7 GB (19%) free of 38 GB Total RAM: 511 MB (37% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:01:16 AM, on 11/5/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Iomega\AutoDisk\ADUserMon.exe C:\Program Files\PFU\ScanSnap\PfuSsSct.exe C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe C:\Program Files\PFU\ScanSnap\CardMinder V2.0\bcd_file\SbCRecE.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe C:\Palm\HOTSYNC.EXE 
C:\WINDOWS\system32\macidwe.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\sobicyt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Iomega\AutoDisk\ADService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE C:\WINDOWS\system32\mabidwe.exe C:\WINDOWS\system32\soxpeca.exe C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Randy Maddox\Desktop\RSIT.exe C:\Documents and Settings\Randy Maddox\Desktop\HJT\Randy Maddox.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [PfuSsSct.exe] C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station O4 - HKLM\..\Run: [CardMinder] C:\Program Files\PFU\ScanSnap\CardMinder 
V2.0\CardLauncher.exe O4 - HKLM\..\Run: [Pdfquickview] C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe O4 - HKLM\..\Run: [CMLoader] rundll32.exe "c:\program files\crystalys media\cm.dll",MakeInjection O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe" O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1 O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" O4 - HKUS\S-1-5-18\..\Run: [A00F14436CF5.exe] C:\WINDOWS\TEMP\_A00F14436CF5.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [A00F14436CF5.exe] C:\WINDOWS\TEMP\_A00F14436CF5.exe (User 'Default user') O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: Acrobat Assistant.lnk = C:\Program 
Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: ScanSnap Manager.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.3.7.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136410335562 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} 
(DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab? O20 - Winlogon Notify: __c003CBD1 - C:\WINDOWS\system32\__c003CBD1.dat O20 - Winlogon Notify: __c00EC4CD - C:\WINDOWS\system32\__c00EC4CD.dat (file missing) O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe (file missing) O23 - Service: afisicx Corporation inc. (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\edvswvik.exe (file missing) O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing) O23 - Service: noxtcyr Settings storage service (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe (file missing) O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing) O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing) O23 - Service: roxtctm Settings storage service (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe (file missing) O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe O23 - Service: sotpeca Manages messages (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe (file missing) O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe (file missing) O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe O23 - Service: wserving Service (wserving) - Unknown owner - 
C:\WINDOWS\system32\WServing.exe (file missing) O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe -- End of file - 12199 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\MP Scheduled Scan.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-11-03 54248] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}] AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "StorageGuard"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-02-13 155648] "PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2003-08-26 204800] "MMTray"=C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [2005-03-12 110592] "TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2003-10-22 151597] "ADUserMon"=C:\Program Files\Iomega\AutoDisk\ADUserMon.exe [2002-09-24 147456] "PfuSsSct.exe"=C:\Program Files\PFU\ScanSnap\PfuSsSct.exe [2003-12-22 110592] "CardMinder"=C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe [2004-02-17 36864] "Pdfquickview"=C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe [2003-12-22 32768] "CMLoader"=c:\program files\crystalys media\cm.dll [] 
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe [2005-03-12 11776] "Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-04-03 777424] "Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe [2006-09-14 61440] "ToolBoxFX"=C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe [2006-06-15 49152] ""= [] "hpbdfawep"=C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe [2007-12-23 618496] "HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2007-05-08 54840] "CXMon"=C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe [2001-08-27 45056] "Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe [2001-07-03 57344] "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040] "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-05-27 413696] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Sonic RecordNow!"= [] "MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360] "DellSupport"=C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784] "DellTransferAgent"=C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe [2007-11-13 135168] C:\Documents and Settings\All Users\Start Menu\Programs\Startup Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe ScanSnap Manager.lnk - C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe C:\Documents and Settings\Randy Maddox\Start Menu\Programs\Startup HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] C:\WINDOWS\system32\WgaLogon.dll 
[2007-02-15 236928] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c003CBD1] C:\WINDOWS\system32\__c003CBD1.dat [2008-11-04 25088] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00EC4CD] C:\WINDOWS\system32\__c00EC4CD.dat [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-04-03 81616] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [2008-08-15 79408] "{E60A0B68-2F3C-A1D2-A901-9381E036D21A}"= [] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=36 "NoDriveAutoRun"=FFFFFFFF [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "C:\Program Files\Internet 
Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer" "C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager" "C:\Program Files\GameHouse\TextTwist\TextTwist.exe"="C:\Program Files\GameHouse\TextTwist\TextTwist.exe:*:Enabled:Super TextTwist" "C:\Program Files\Real\RealOne Player\realplay.exe"="C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player" "C:\ProDoc\ProWin.Exe"="C:\ProDoc\ProWin.Exe:*:Enabled:ProDoc®" "C:\ProDoc\prosend.exe"="C:\ProDoc\prosend.exe:*:Enabled:ProDoc® Pro Send" "C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Basic 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax" "C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Basic 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" ======List of files/folders created in the last 1 months====== 2008-11-05 10:01:09 ----D---- C:\rsit 2008-11-05 09:34:24 ----A---- C:\WINDOWS\gmer.ini 2008-11-05 09:34:21 ----RA---- C:\WINDOWS\gmer.exe 2008-11-05 09:34:21 ----A---- C:\WINDOWS\gmer_uninstall.cmd 2008-11-05 09:34:21 
----A---- C:\WINDOWS\gmer.dll 2008-10-24 02:01:24 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$ 2008-10-21 11:47:47 ----A---- C:\WINDOWS\system32\~.exe 2008-10-15 02 39 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$2008-10-15 02 32 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$2008-10-15 02 25 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$2008-10-15 02:04:24 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$ 2008-10-15 02:04:11 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$ ======List of files/folders modified in the last 1 months====== 2008-11-05 09:58:21 ----D---- C:\WINDOWS\Prefetch 2008-11-05 09:34:24 ----SHD---- C:\WINDOWS 2008-11-05 09:34:21 ----D---- C:\WINDOWS\system32\DRIVERS 2008-11-05 01:37:17 ----D---- C:\WINDOWS\SYSTEM32 2008-11-05 01:31:01 ----D---- C:\WINDOWS\temp 2008-11-03 15:08:55 ----D---- C:\Work 2008-11-02 15:18:14 ----A---- C:\WINDOWS\system32\HPPDEVX.DLL.log 2008-10-31 22:14:57 ----D---- C:\WINDOWS\network diagnostic 2008-10-30 10:26:00 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-10-28 12:43:03 ----A---- C:\WINDOWS\ezufunct.INI 2008-10-28 12:43:03 ----A---- C:\WINDOWS\ez-filing.ini 2008-10-28 12:43:03 ----A---- C:\WINDOWS\ezdfunct.INI 2008-10-28 12:43:02 ----A---- C:\WINDOWS\ezstreet.INI 2008-10-28 12:43:02 ----A---- C:\WINDOWS\ezmanage.INI 2008-10-28 12:43:02 ----A---- C:\WINDOWS\ezecf.INI 2008-10-28 12:43:02 ----A---- C:\WINDOWS\ezcfunct.INI 2008-10-28 12:43:02 ----A---- C:\WINDOWS\ez707b.INI 2008-10-27 10:11:24 ----D---- C:\WINDOWS\system32\CatRoot2 2008-10-24 15:12:05 ----D---- C:\Program Files\QUICKENW 2008-10-24 15:08:27 ----A---- C:\WINDOWS\Quicken.ini 2008-10-24 15:08:16 ----AD---- C:\Program Files\Common Files 2008-10-24 14:27:43 ----D---- C:\Documents and Settings\Randy Maddox\Application Data\AdobeUM 2008-10-24 02:01:27 ----RSHD---- C:\WINDOWS\system32\DLLCACHE 2008-10-24 02:00:42 ----HD---- C:\WINDOWS\INF 2008-10-24 02:00:32 ----HD---- C:\WINDOWS\$hf_mig$ 2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll 2008-10-15 11:22:30 ----D---- 
C:\Program Files\EZ-FilingNew 2008-10-15 06:01:52 ----D---- C:\WINDOWS\system32\WBEM 2008-10-15 06:01:50 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI 2008-10-15 06:00:15 ----D---- C:\Program Files\Internet Explorer 2008-10-15 02 44 ----A---- C:\WINDOWS\imsins.BAK2008-10-15 02:05:40 ----SHD---- C:\WINDOWS\Installer 2008-10-15 02:05:39 ----HD---- C:\Config.Msi 2008-10-15 02:05:21 ----A---- C:\WINDOWS\WIN.INI 2008-10-07 14:19:40 ----A---- C:\WINDOWS\system32\MRT.exe ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver; \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [] R1 AvgAsCln;AVG Anti-Spyware Clean Driver; C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [2006-09-05 3968] R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352] R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217] R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2003-07-14 5621] R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2003-07-14 23219] R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032] R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2003-06-20 40448] R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376] R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2003-08-06 25685] R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2003-08-06 34837] R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2003-08-06 4117] R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2003-08-06 2233] R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2003-08-06 83284] R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2003-08-06 14229] R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2003-08-06 6357] R2 tfsnudf;tfsnudf; 
C:\WINDOWS\system32\dla\tfsnudf.sys [2003-08-06 98068] R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2003-08-06 100373] R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816] R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2003-03-04 145408] R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-01-29 16168] R3 HPFXBULK;HPFXBULK; C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 9344] R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-05-02 1312555] R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-06-18 578176] R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520] R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856] R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608] S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752] S2 UXRJNHMC;UXRJNHMC; \??\C:\WINDOWS\system32\uxrjnhmc.tuj [] S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\D:\INSTAL~E\Core\BVRPMPR5.SYS [] S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [] S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591] S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-05 85969] S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-04 161020] S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-04 12415] S3 iAimFP1;iAimFP1; 
C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-04 12127] S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-04 11775] S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-04 12063] S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-04 19455] S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-04 29311] S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-04 19551] S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys [] S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-04 33599] S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-04 23615] S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464] S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928] S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752] S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008] S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952] S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504] S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960] S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 _IOMEGA_ACTIVE_DISK_SERVICE_;Iomega Active Disk; C:\Program Files\Iomega\AutoDisk\ADService.exe [2002-09-24 151552] R2 
ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service; C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-05-16 759072]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 afisicx;afisicx Corporation inc.; C:\WINDOWS\system32\afisicx.exe [2002-08-29 46592]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2008-08-15 312880]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 73728]
R2 mabidwe;mabidwe Service; C:\WINDOWS\system32\mabidwe.exe [2002-08-29 45568]
R2 macidwe;macidwe Service; C:\WINDOWS\system32\macidwe.exe [2002-08-29 34816]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 noytcyr;noytcyr Service; C:\WINDOWS\system32\noytcyr.exe [2002-08-29 46592]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-05-02 69632]
R2 roytctm;roytctm Service; C:\WINDOWS\system32\roytctm.exe [2002-08-29 46592]
R2 sobicyt;sobicyt Service; C:\WINDOWS\system32\sobicyt.exe [2002-08-29 34816]
R2 solewxte;solewxte Service; C:\WINDOWS\system32\solewxte.exe [2002-08-29 45056]
R2 soxpeca;soxpeca Service; C:\WINDOWS\system32\soxpeca.exe [2002-08-29 46592]
R2 tdydowkc;tdydowkc Service; C:\WINDOWS\system32\tdydowkc.exe [2002-08-29 45568]
R2 wsldoekd;wsldoekd Manages messages; C:\WINDOWS\system32\wsldoekd.exe [2002-08-29 46080]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
S2 afinding;afinding Service; C:\WINDOWS\system32\AFinding.exe []
S2 DomainService;DomainService; C:\WINDOWS\system32\edvswvik.exe /service []
S2 nobicyt;nobicyt Service; C:\WINDOWS\system32\Nobicyt.exe []
S2 noxtcyr;noxtcyr Settings storage service; C:\WINDOWS\system32\noxtcyr.exe []
S2 perfs;perfs Service; C:\WINDOWS\system32\perfs.exe []
S2 routing;routing Service; C:\WINDOWS\system32\routing.exe []
S2 roxtctm;roxtctm Settings storage service; C:\WINDOWS\system32\roxtctm.exe []
S2 seuictol;Security Control; C:\WINDOWS\system32\dbi102.dll [2000-02-01 15360]
S2 sotpeca;sotpeca Manages messages; C:\WINDOWS\system32\sotpeca.exe []
S2 tdxdowkc;tdxdowkc Service; C:\WINDOWS\system32\tdxdowkc.exe []
S2 wserving;wserving Service; C:\WINDOWS\system32\WServing.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\NCS\Sync\NetSvc.exe [2003-03-03 143360]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2006-11-09 65536]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []
S4 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2007-11-07 20480]
S4 WinDefend;Windows Defender Service; C:\Program Files\Windows Defender\MsMpEng.exe [2006-04-03 14032]

-----------------EOF-----------------
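The pattern a helper reads by eye in the service list above (eight-letter pseudo-random names in system32, display names that only repeat the service name, one shared 2002-08-29 file date, several entries RSIT could not even stat) can be made mechanical. The following Python script is an added example, not part of the original thread and not code from RSIT or HijackThis: it parses lines in the RSIT service format shown above and applies three heuristics (generic display name on a system32 image, missing file metadata, a service image that is a bare DLL rather than an executable) plus a shared-timestamp count across system32 images. The heuristics, the threshold of three and the choice of sample lines are assumptions made for the example; the sample lines themselves are copied from the log above.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the RSIT service list above, three
# vendor services mixed with the randomly named system32 entries the thread is about.
SAMPLE_LOG = r"""R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard; C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [2008-08-15 312880]
R2 afisicx;afisicx Corporation inc.; C:\WINDOWS\system32\afisicx.exe [2002-08-29 46592]
R2 mabidwe;mabidwe Service; C:\WINDOWS\system32\mabidwe.exe [2002-08-29 45568]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-05-02 69632]
R2 wsldoekd;wsldoekd Manages messages; C:\WINDOWS\system32\wsldoekd.exe [2002-08-29 46080]
S2 DomainService;DomainService; C:\WINDOWS\system32\edvswvik.exe /service []
S2 seuictol;Security Control; C:\WINDOWS\system32\dbi102.dll [2000-02-01 15360]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
"""

# One RSIT service line: "<state> <name>;<display>; <image path [args]> [<date> <size>]".
# An empty bracket means RSIT could not read the image file.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<cmd>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
# The image file is the command line up to the first .exe/.dll/.sys token.
IMAGE_RE = re.compile(r"^(?P<image>.*?\.(?:exe|dll|sys))(?:\s|$)", re.IGNORECASE)

# Display-name tails that add nothing beyond the service name (heuristic, our assumption).
GENERIC_TAILS = (" service", " manages messages", " settings storage service",
                 " corporation inc.")


def parse_services(text):
    """Parse RSIT service lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        im = IMAGE_RE.match(m.group("cmd"))
        meta = m.group("meta").split()
        entries.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "image": im.group("image") if im else m.group("cmd"),
            "date": meta[0] if meta else None,
            "size": int(meta[1]) if len(meta) > 1 else None,
        })
    return entries


def reasons(entry):
    """Heuristic hits for one entry; an empty list means nothing looked odd."""
    hits = []
    image = entry["image"].lower()
    folder, _, basename = image.rpartition("\\")
    in_system32 = folder.endswith("\\windows\\system32")
    name = entry["name"].lower().strip()
    display = entry["display"].lower().strip()
    # A display name that only restates the service name carries no vendor or
    # product hint; services that ship in system32 normally have a descriptive one.
    generic = display == name or (
        display.startswith(name) and display[len(name):] in GENERIC_TAILS)
    if in_system32 and generic:
        hits.append("system32 service with a generic display name")
    if entry["date"] is None:
        hits.append("no timestamp/size: image missing or hidden from RSIT")
    if basename.endswith(".dll"):
        hits.append("ImagePath is a bare DLL rather than an executable")
    return hits


def flag_services(text):
    """Return (flagged, clusters): flagged = [(name, hits)], clusters = {date: count}
    for timestamps shared by three or more system32 images (a batch of dropped files
    stamped with one fake date, like the 2002-08-29 entries in the log)."""
    entries = parse_services(text)
    flagged = []
    for e in entries:
        hits = reasons(e)
        if hits:
            flagged.append((e["name"], hits))
    dates = Counter(e["date"] for e in entries
                    if e["date"] and "\\windows\\system32\\" in e["image"].lower())
    clusters = {d: n for d, n in dates.items() if n >= 3}
    return flagged, clusters


if __name__ == "__main__":
    flagged, clusters = flag_services(SAMPLE_LOG)
    for name, hits in flagged:
        print(f"{name}: {'; '.join(hits)}")
    print("timestamp clusters in system32:", clusters)
```

On the sample the three vendor services (AVG, NVIDIA, WudfSvc under svchost.exe) produce no hits, the five random-named entries are flagged, and the date count reports 2002-08-29 as shared by three system32 images; run over the full list above the same date would count nine. Heuristics like these only rank entries for a human to look at; they are not proof that a file is malicious.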
#2
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,491
OS: XP
Re: Pop ups and trojans, low memory
Hello and welcome to TSF
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
========
Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present.
Please DO NOT attach logs to your posts unless you are advised to do so.
========
Why do you not have any virus protection installed? It can take as little as eight seconds to become infected. We will install some protection during the cleaning process, please wait until I advise you to install one.
=========
Download ComboFix from one of these locations:
Link 1
Link 2
Link 3
* IMPORTANT !!! Place combofix.exe on your Desktop
* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
* Double click on combofix.exe & follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.
Click on Yes, to continue scanning for malware.
* Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
* When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
=========
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
=========
Logs Required
C:\Combofix.txt
Hijackthis Log
If there is no response to this post within 72hrs, this thread will be closed.
#3
Registered User
Join Date: May 2007
Posts: 26
OS: xp
Re: Pop ups and trojans, low memory
Thanks for the reply. Here is the ComboFix log.

ComboFix 08-11-09.04 - Randy Maddox 2008-11-10 14:42:46.1 - NTFSx86
Running from: c:\documents and settings\Randy Maddox\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\dbi102.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\RANDYM~1\LOCALS~1\Temp\WowInitcode.dll
c:\documents and settings\Randy Maddox\Start Menu\Programs\Outerinfo
c:\documents and settings\Randy Maddox\Start Menu\Programs\Outerinfo\Terms.lnk
c:\documents and settings\Randy Maddox\Start Menu\Programs\Outerinfo\Uninstall.lnk
c:\windows\Install.txt
c:\windows\system32\__c00249DF.dat
c:\windows\system32\__c003CBD1.dat
c:\windows\system32\__c00AE347.dat
c:\windows\system32\~.exe
c:\windows\system32\afisicx.exe
c:\windows\system32\atsxyzd.sys
c:\windows\system32\comsa32.sys
c:\windows\SYSTEM32\dbi102.dll.vir
c:\windows\system32\Install.txt
c:\windows\system32\KBPK080812.log
c:\windows\system32\mabidwe.exe
c:\windows\system32\macidwe.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\MSINET.oca
c:\windows\system32\noytcyr.exe
c:\windows\system32\oduxftw.sys
c:\windows\system32\roytctm.exe
c:\windows\system32\sobicyt.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\syspilog.pil
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tmp0_29171611636.bk
c:\windows\system32\tmp1_477757584426.bk
c:\windows\system32\tpszxyd.sys
c:\windows\system32\uvvwa.ini
c:\windows\system32\wsldoekd.exe
c:\windows\system32\zxdnt3d.cfg
C:\xcrashdump.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_DOMAINSERVICE
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_NOBICYT
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Service_afinding
-------\Service_afisicx
-------\Service_DomainService
-------\Service_mabidwe
-------\Service_macidwe
-------\Service_nobicyt
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_roytctm
-------\Service_seuictol
-------\Service_sobicyt
-------\Service_sotpeca
-------\Service_soxpeca
-------\Service_tdxdowkc
-------\Service_tdydowkc
-------\Service_wserving
-------\Service_wsldoekd

((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-05 10:01 . 2008-11-05 10:01 <DIR> d-------- C:\rsit
2008-11-05 09:34 . 2008-11-05 09:41 250 --a------ c:\windows\gmer.ini
2008-10-23 22:43 . 2008-10-15 11:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-14 23:20 . 2008-09-08 05:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-14 23:19 . 2008-08-14 05:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-14 23:19 . 2008-08-14 05:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-14 23:19 . 2008-08-14 04:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-14 23:19 . 2008-08-14 04:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-14 23:19 . 2008-09-15 07:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 19:22 --------- d-----w c:\program files\EZ-FilingNew
2008-11-10 16:25 --------- d-----w c:\documents and settings\Randy Maddox\Application Data\AdobeUM
2008-10-24 20:12 --------- d-----w c:\program files\QUICKENW
2008-09-30 12:25 --------- d-----w c:\program files\DYMO Label
2008-06-27 14:13 56,912 ----a-w c:\documents and settings\Randy Maddox\g2mdlhlpx.exe
2004-10-11 23:46 205,312 ----a-w c:\program files\ltefx13n.dll
2004-01-19 18:31 153,600 ----a-w c:\program files\ltfil13n.DLL
2004-01-19 17:31 27,648 ----a-w c:\program files\lfiff13n.dll
2004-01-19 17:31 20,480 ----a-w c:\program files\lfCUT13n.dll
2004-01-19 16:31 453,120 ----a-w c:\program files\ltkrn13n.dll
2004-01-19 16:12 89,600 ----a-w c:\program files\Lfcgm13n.dll
2004-01-19 15:49 278,016 ----a-w c:\program files\LFJ2K13n.dll
2004-01-19 15:49 180,736 ----a-w c:\program files\Lfpng13n.dll
2004-01-19 15:47 76,800 ----a-w c:\program files\Lfwmf13n.dll
2004-01-19 15:47 509,440 ----a-w c:\program files\LFCMW13n.dll
2004-01-19 15:45 420,352 ----a-w c:\program files\LFCMP13n.DLL
2004-01-19 15:44 143,872 ----a-w c:\program files\lftif13n.dll
2004-01-19 15:36 65,536 ----a-w c:\program files\Lfpct13n.dll
2004-01-19 15:36 56,832 ----a-w c:\program files\lfpsd13n.dll
2004-01-19 15:36 26,624 ----a-w c:\program files\lfpcx13n.dll
2004-01-19 15:36 19,968 ----a-w c:\program files\lfpcd13n.dll
2004-01-19 15:36 18,944 ----a-w c:\program files\lfmsp13n.dll
2004-01-19 15:35 20,992 ----a-w c:\program files\lfimg13n.dll
2004-01-19 15:35 18,944 ----a-w c:\program files\lfmac13n.dll
2004-01-19 15:34 31,744 ----a-w c:\program files\lfclp13n.dll
2004-01-19 15:34 30,208 ----a-w c:\program files\lfbmp13n.dll
2004-01-19 15:33 444,928 ----a-w c:\program files\ltimg13n.dll
2004-01-19 15:32 265,216 ----a-w c:\program files\LTDIS13n.dll
2000-05-02 08:17 212,480 ----a-w c:\program files\PCDLIB32.DLL
1999-11-19 03:00 284,032 ----a-w c:\program files\XceedZip.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-03-12 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-22 151597]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"PfuSsSct.exe"="c:\program files\PFU\ScanSnap\PfuSsSct.exe" [2003-12-22 110592]
"CardMinder"="c:\program files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe" [2004-02-17 36864]
"Pdfquickview"="c:\program files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe" [2003-12-22 32768]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-12 11776]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 618496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

c:\documents and settings\Randy Maddox\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 972064]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2004-08-02 712704]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\ProDoc\\ProWin.Exe"=
"c:\\ProDoc\\prosend.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-05-16 759072]
R2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe [2002-08-29 46592]
R2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe [2002-08-29 45568]
R2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe [2002-08-29 45568]
R2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe [2002-08-29 46592]
R2 solewxte;solewxte Service;c:\windows\system32\solewxte.exe [2002-08-29 45056]
R2 soxpeca;soxpeca Service;c:\windows\system32\soxpeca.exe [2002-08-29 47104]
R2 tdydowkc;tdydowkc Service;c:\windows\system32\tdydowkc.exe [2002-08-29 46080]
R2 wsldoekd;wsldoekd Service;c:\windows\system32\wsldoekd.exe [2002-08-29 46592]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2006-06-12 9344]
S2 UXRJNHMC;UXRJNHMC;c:\windows\system32\uxrjnhmc.tuj [ ]

*Newly Created Service* - AFISICX
*Newly Created Service* - MABIDWE
*Newly Created Service* - NOYTCYR
*Newly Created Service* - ROYTCTM
*Newly Created Service* - SOXPECA
*Newly Created Service* - TDYDOWKC
*Newly Created Service* - WSLDOEKD
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 17:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-CMLoader - c:\program files\crystalys media\cm.dll
HKU-Default-Run-A00F14436CF5.exe - c:\windows\TEMP\_A00F14436CF5.exe
Notify-__c003CBD1 - c:\windows\system32\__c003CBD1.dat
Notify-__c00EC4CD - c:\windows\system32\__c00EC4CD.dat
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.7.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf
c:\windows\Downloaded Program Files\Manager.exe
c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 14:52:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\SYSTEM32\solewxte.exe [1772] 0x82A8E5D0
c:\windows\SYSTEM32\tpszxyd.sys [3496] 0x82DEC4F8
c:\windows\SYSTEM32\noytcyr.exe [2344] 0x82D8AC50
c:\windows\SYSTEM32\wsldoekd.exe [3484] 0x82C1C248
c:\windows\SYSTEM32\afisicx.exe [3976] 0x82C2FBE8
c:\windows\SYSTEM32\roytctm.exe [1100] 0x82D6BDA0
c:\windows\SYSTEM32\tdydowkc.exe [4032] 0x82B97C38

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\afisicx.exe 46592 bytes executable
c:\windows\system32\wsldoekd.exe 46592 bytes executable
c:\windows\system32\tpszxyd.sys 274944 bytes executable
c:\windows\system32\mabidwe.exe 45568 bytes executable
c:\windows\system32\Install.txt
c:\windows\system32\soxpeca.exe 47104 bytes executable
c:\windows\system32\roytctm.exe 46592 bytes executable

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UXRJNHMC]
"ImagePath"="\??\c:\windows\system32\uxrjnhmc.tuj"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\PFU\ScanSnap\CardMinder V2.0\bcd_file\SbCRece.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\udxfytw.sys
c:\windows\SYSTEM32\tpszxyd.sys
.
**************************************************************************
.
Completion time: 2008-11-10 15:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 20:08
ComboFix2.txt 2007-06-21 16:35:24

Pre-Run: 7,186,391,040 bytes free
Post-Run: 8,588,689,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

292 --- E O F --- 2008-10-24 07:01:32
#4
Registered User
Join Date: May 2007
Posts: 26
OS: xp
Re: Pop ups and trojans, low memory
Here are the HijackThis logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:45 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe
C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe
C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\PFU\ScanSnap\CardMinder V2.0\bcd_file\SbCRecE.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\udxfytw.sys
C:\Documents and Settings\Randy Maddox\Desktop\HJT\Randy Maddox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [PfuSsSct.exe] C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station
O4 - HKLM\..\Run: [CardMinder] C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe
O4 - HKLM\..\Run: [Pdfquickview] C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScanSnap Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.3.7.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136410335562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab?
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: noytcyr - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: roytctm - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: solewxte Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe
O23 - Service: soxpeca - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdydowkc - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: wsldoekd - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 10508 bytes
#5
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,491
OS: XP
Re: Pop ups and trojans, low memory
Hello again
Quote:
As stated in the forum rules: Quote:
=========
Your logs suggest the possibility that your computer was attacked by a backdoor trojan. This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Please read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
=========
Download ATF-Cleaner by Atribune to your desktop. Do not run it just yet, we will shortly.
=========
Open notepad and copy/paste the text in the quotebox below into it:
Quote:
[screenshot]
Referring to the picture above, drag CFscript into ComboFix.exe
Follow the prompts, and post the resulting log, C:\ComboFix.txt
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Warning: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis. Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).
==========
JAVA OUTDATED
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
==========
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you have Firefox installed: Click Firefox at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you have Opera installed: Click Opera at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
=========
I see no evidence of an AntiVirus program on your system. This must be resolved. Go Here and download/install and run a scan, post the log from that scan in your reply. You can choose an antivirus of your own if you wish.
==========
Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
===========
Logs Required
C:\Combofix.txt
Avira Scan Report
Hijackthis Log
How is your system running now?
#6
Registered User
Join Date: May 2007
Posts: 26
OS: xp
Re: Pop ups and trojans, low memory
Regarding your question about the antivirus program, I do not know what happened. It must have expired. I thought the Microsoft package was in place. A month ago, I posted here and had difficulty downloading the recommended fixes. I turned off security to allow downloads. Still, it did not work, but I failed to reactivate security. Also, I did not know the importance of keeping Java updated, despite reminders. I want to maintain the security of my computer, and will be more vigilant. Thanks for your assistance this time. I have posted the logs you requested.
I used the Avira program for antivirus and will make sure that it stays active. I think the computer is working properly but have not used it much since running the scans. I will follow up if there seems to still be a problem.

ComboFix 08-11-09.04 - Randy Maddox 2008-11-10 16:33:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.152 [GMT -5:00]
Running from: c:\documents and settings\Randy Maddox\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Randy Maddox\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\afisicx.exe
c:\windows\system32\dbi102.dll
c:\windows\system32\mabidwe.exe
c:\windows\system32\noytcyr.exe
c:\windows\system32\roytctm.exe
c:\windows\system32\solewxte.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\tdydowkc.exe
c:\windows\system32\wsldoekd.exe
c:\windows\system32\drivers\hpfxbulk.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Install.txt
c:\windows\system32\afisicx.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\Install.txt
c:\windows\system32\mabidwe.exe
c:\windows\system32\noytcyr.exe
c:\windows\system32\roytctm.exe
c:\windows\system32\solewxte.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\wsldoekd.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SOLEWXTE
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_UXRJNHMC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_HPFXBULK
-------\Service_mabidwe
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_solewxte
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd

((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.
2008-11-05 10:01 . 2008-11-05 10:01 <DIR> d-------- C:\rsit
2008-11-05 09:34 . 2008-11-05 09:41 250 --a------ c:\windows\gmer.ini
2008-10-23 22:43 . 2008-10-15 11:34 337,408 --------- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-14 23:20 . 2008-09-08 05:41 333,824 --------- c:\windows\SYSTEM32\DLLCACHE\srv.sys
2008-10-14 23:19 . 2008-08-14 05:11 2,189,184 --------- c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-14 23:19 . 2008-08-14 05:09 2,145,280 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-14 23:19 . 2008-08-14 04:33 2,066,048 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-14 23:19 . 2008-08-14 04:33 2,023,936 --------- c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-14 23:19 . 2008-09-15 07:12 1,846,400 --------- c:\windows\SYSTEM32\DLLCACHE\win32k.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 19:22 --------- d-----w c:\program files\EZ-FilingNew
2008-11-10 16:25 --------- d-----w c:\documents and settings\Randy Maddox\Application Data\AdobeUM
2008-10-24 20:12 --------- d-----w c:\program files\QUICKENW
2008-09-30 12:25 --------- d-----w c:\program files\DYMO Label
2008-06-27 14:13 56,912 ----a-w c:\documents and settings\Randy Maddox\g2mdlhlpx.exe
2004-10-11 23:46 205,312 ----a-w c:\program files\ltefx13n.dll
2004-01-19 18:31 153,600 ----a-w c:\program files\ltfil13n.DLL
2004-01-19 17:31 27,648 ----a-w c:\program files\lfiff13n.dll
2004-01-19 17:31 20,480 ----a-w c:\program files\lfCUT13n.dll
2004-01-19 16:31 453,120 ----a-w c:\program files\ltkrn13n.dll
2004-01-19 16:12 89,600 ----a-w c:\program files\Lfcgm13n.dll
2004-01-19 15:49 278,016 ----a-w c:\program files\LFJ2K13n.dll
2004-01-19 15:49 180,736 ----a-w c:\program files\Lfpng13n.dll
2004-01-19 15:47 76,800 ----a-w c:\program files\Lfwmf13n.dll
2004-01-19 15:47 509,440 ----a-w c:\program files\LFCMW13n.dll
2004-01-19 15:45 420,352 ----a-w c:\program files\LFCMP13n.DLL
2004-01-19 15:44 143,872 ----a-w c:\program files\lftif13n.dll
2004-01-19 15:36 65,536 ----a-w c:\program files\Lfpct13n.dll
2004-01-19 15:36 56,832 ----a-w c:\program files\lfpsd13n.dll
2004-01-19 15:36 26,624 ----a-w c:\program files\lfpcx13n.dll
2004-01-19 15:36 19,968 ----a-w c:\program files\lfpcd13n.dll
2004-01-19 15:36 18,944 ----a-w c:\program files\lfmsp13n.dll
2004-01-19 15:35 20,992 ----a-w c:\program files\lfimg13n.dll
2004-01-19 15:35 18,944 ----a-w c:\program files\lfmac13n.dll
2004-01-19 15:34 31,744 ----a-w c:\program files\lfclp13n.dll
2004-01-19 15:34 30,208 ----a-w c:\program files\lfbmp13n.dll
2004-01-19 15:33 444,928 ----a-w c:\program files\ltimg13n.dll
2004-01-19 15:32 265,216 ----a-w c:\program files\LTDIS13n.dll
2000-05-02 08:17 212,480 ----a-w c:\program files\PCDLIB32.DLL
1999-11-19 03:00 284,032 ----a-w c:\program files\XceedZip.dll
2008-04-14 00:12 50,688 --sh--w c:\windows\twain_32.dll
2008-04-14 00:11 1,028,096 --sha-w c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 57,344 --sha-w c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 413,696 --sha-w c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 343,040 --sha-w c:\windows\SYSTEM32\msvcrt.dll
2008-04-14 00:12 551,936 --sh--w c:\windows\SYSTEM32\oleaut32.dll
2008-04-14 00:12 84,992 --sh--w c:\windows\SYSTEM32\olepro32.dll
2008-04-14 00:12 11,776 --sh--w c:\windows\SYSTEM32\regsvr32.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-03-12 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-10-22 151597]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"PfuSsSct.exe"="c:\program files\PFU\ScanSnap\PfuSsSct.exe" [2003-12-22 110592]
"CardMinder"="c:\program files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe" [2004-02-17 36864]
"Pdfquickview"="c:\program files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe" [2003-12-22 32768]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-12 11776]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 61440]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-23 618496]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

c:\documents and settings\Randy Maddox\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-09 972064]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2004-08-02 712704]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\ProDoc\\ProWin.Exe"=
"c:\\ProDoc\\prosend.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2008-05-16 759072]
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-03 17:12]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 16:45:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\PFU\ScanSnap\CardMinder V2.0\bcd_file\SbCRece.exe
.
**************************************************************************
.
Completion time: 2008-11-10 16:58:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 21:58:50
ComboFix2.txt 2008-11-10 20 14
ComboFix3.txt 2007-06-21 16:35:24

Pre-Run: 8,572,497,920 bytes free
Post-Run: 8,575,385,600 bytes free

196 --- E O F --- 2008-10-24 07:01:32

Avira AntiVir Personal
Report file date: Monday, November 10, 2008 17:30

Scanning for 1024586 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: RANDY

Version information:
BUILD.DAT : 8.2.0.336 16933 Bytes 10/30/2008 11:40:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 15:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 22:27:58
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 22:28:02
ANTIVIR2.VDF : 7.1.0.57 2048 Bytes 11/9/2008 22:28:02
ANTIVIR3.VDF : 7.1.0.65 52736 Bytes 11/10/2008 22:28:03
Engineversion : 8.2.0.29
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 17:05:56
AESCRIPT.DLL : 8.1.1.13 332156 Bytes 11/10/2008 22:28:13
AESCN.DLL : 8.1.1.5 123251 Bytes 11/10/2008 22:28:12
AERDL.DLL : 8.1.1.3 438645 Bytes 11/10/2008 22:28:11
AEPACK.DLL : 8.1.3.3 393591 Bytes 11/10/2008 22:28:10
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/10/2008 22:28:09
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/10/2008 22:28:09
AEHELP.DLL : 8.1.1.3 119157 Bytes 11/10/2008 22:28:06
AEGEN.DLL : 8.1.1.0 319859 Bytes 11/10/2008 22:28:06
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 11/10/2008 22:28:04
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 11/10/2008 22:28:03
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, F:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, November 10, 2008 17:30

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'WINWORD.EXE' - '1' Module(s) have been scanned
Scan process 'OUTLOOK.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ADService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'HOTSYNC.EXE' - '1' Module(s) have been scanned
Scan process 'PfuSsMon.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'AppServices.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'TransferAgent.exe' - '1' Module(s) have been scanned
Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned
Scan process 'PhotoshopElementsFileAgent.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'hpgs2wnf.exe' - '1' Module(s) have been scanned
Scan process 'SbCRece.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'mim.exe' - '1' Module(s) have been scanned
Scan process 'NetworkLicenseServer.exe' - '1' Module(s) have been scanned
Scan process 'hpgs2wnd.exe' - '1' Module(s) have been scanned
Scan process 'MMDiag.exe' - '1' Module(s) have been scanned
Scan process 'Hpi_monitor.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'HPTLBXFX.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'pdfquickview.exe' - '1' Module(s) have been scanned
Scan process 'CardLauncher.exe' - '1' Module(s) have been scanned
Scan process 'PfuSsSct.exe' - '1' Module(s) have been scanned
Scan process 'ADUserMon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'mm_tray.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
58 processes with 58 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO] No virus was found!
Master boot sector HD1
    [INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO] No virus was found!
Boot sector 'F:\'
    [INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '62' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
    [WARNING] The file could not be opened!
C:\pagefile.sys
    [WARNING] The file could not be opened!
C:\Qoobox\Quarantine\C\DOCUME~1\RANDYM~1\LOCALS~1\Temp\WowInitcode.dll.vir
    [DETECTION] Is the TR/PSW.54260 Trojan
    [NOTE] The file was moved to '498fdfb9.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dbi102.dll.vir.vir
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '4981dfb3.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\macidwe.exe.vir
    [DETECTION] Is the TR/Agent.zem Trojan
    [NOTE] The file was moved to '497bdfc1.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\oduxftw.sys.vir [DETECTION] Is the TR/Click.VB.brv.2 Trojan [NOTE] The file was moved to '498ddfcb.qua'! C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sobicyt.exe.vir [DETECTION] Is the TR/Agent.zbc Trojan [NOTE] The file was moved to '497adfe0.qua'! C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\solewxte.exe.vir [DETECTION] Is the TR/Agent.aebz Trojan [NOTE] The file was moved to '4984dfe6.qua'! C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\__c003CBD1.dat.vir [DETECTION] Is the TR/Trash.Gen Trojan [NOTE] The file was moved to '497bdfd7.qua'! C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\~.exe.vir [DETECTION] Is the TR/Dldr.Agent.ajzq Trojan [NOTE] The file was moved to '497ddfa7.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1888\A0160272.old [DETECTION] Is the TR/Dldr.Delf.ogu Trojan [NOTE] The file was moved to '4949dfae.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1889\A0160277.old [DETECTION] Is the TR/Dldr.Delf.oif Trojan [NOTE] The file was moved to '4949dfb0.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1889\A0160278.old [DETECTION] Is the TR/Dldr.Delf.oka Trojan [NOTE] The file was moved to '4d7c8211.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1901\A0160544.old [DETECTION] Is the TR/Clicker.LA Trojan [NOTE] The file was moved to '4949dfca.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1904\A0160577.exe [DETECTION] Is the TR/Agent.ackj Trojan [NOTE] The file was moved to '4949dfd0.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1904\A0160578.exe [DETECTION] Is the TR/Agent.adjn Trojan [NOTE] The file was moved to '4d7c8271.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1905\A0160592.old [DETECTION] Is the TR/Crypt.CFI.Gen Trojan [NOTE] The file was moved to '4949dfd2.qua'! 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1926\A0169860.old [DETECTION] Is the TR/Refpron.B Trojan [NOTE] The file was moved to '4949e008.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1927\A0169887.old [DETECTION] Is the TR/Click.VB.cdm Trojan [NOTE] The file was moved to '4949e00a.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169890.exe [DETECTION] Is the TR/Agent.abat Trojan [NOTE] The file was moved to '4949e00c.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169891.exe [DETECTION] Is the TR/Agent.abat Trojan [NOTE] The file was moved to '4d7cbdad.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169892.exe [DETECTION] Is the TR/Agent.aaxn Trojan [NOTE] The file was moved to '4949e00e.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169893.exe [DETECTION] Is the TR/Agent.acku Trojan [NOTE] The file was moved to '4949e00d.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169894.exe [DETECTION] Is the TR/Agent.abbe Trojan [NOTE] The file was moved to '4d7cbdae.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169895.exe [DETECTION] Is the TR/Agent.abbe Trojan [NOTE] The file was moved to '4949e00f.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169896.exe [DETECTION] Is the TR/Agent.adfl Trojan [NOTE] The file was moved to '4d7cbdaf.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169897.exe [DETECTION] Is the TR/Agent.acid Trojan [NOTE] The file was moved to '4949e010.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169898.exe [DETECTION] Is the TR/Agent.abay Trojan [NOTE] The file was moved to '4d7cbdb1.qua'! 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169899.exe [DETECTION] Is the TR/Agent.abav Trojan [NOTE] The file was moved to '4d7cbdb0.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169900.exe [DETECTION] Is the TR/Agent.aclf Trojan [NOTE] The file was moved to '4949e011.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169901.exe [DETECTION] Is the TR/Agent.aaxn.1 Trojan [NOTE] The file was moved to '4949e012.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169902.exe [DETECTION] Is the TR/Agent.zen Trojan [NOTE] The file was moved to '4d7cbdb3.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169903.exe [DETECTION] Is the TR/Meredrop.AI Trojan [NOTE] The file was moved to '4949e014.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169904.sys [DETECTION] Is the TR/Click.VB.bqs Trojan [NOTE] The file was moved to '4d7cbdb2.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169905.sys [DETECTION] Is the TR/Click.VB.bpf Trojan [NOTE] The file was moved to '4949e013.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169906.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4d7cbdb4.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169907.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4d7cbdb5.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169908.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4949e016.qua'! 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169909.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4d7cbdb7.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169910.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4949e018.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169911.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4949e015.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169912.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4d7cbdb6.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169913.dll [DETECTION] Is the TR/PSW.OnLineGa.OCJ Trojan [NOTE] The file was moved to '4949e017.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169914.old [DETECTION] Is the TR/Agent.274944.C Trojan [NOTE] The file was moved to '4d7cbdb9.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169924.exe [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4d7cbdb8.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1928\A0169925.exe [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4949e019.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1938\A0169990.dll [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '4949e026.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1939\A0170006.exe [DETECTION] Is the TR/Agent.zem Trojan [NOTE] The file was moved to '4949e028.qua'! 
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1939\A0170007.exe [DETECTION] Is the TR/Agent.alsp Trojan [NOTE] The file was moved to '4949e029.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1939\A0170008.sys [DETECTION] Is the TR/Click.VB.brv.2 Trojan [NOTE] The file was moved to '4d7cbd8a.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1939\A0170010.exe [DETECTION] Is the TR/Agent.zbc Trojan [NOTE] The file was moved to '4949e02b.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1939\A0170018.exe [DETECTION] Is the TR/Dldr.Agent.ajzq Trojan [NOTE] The file was moved to '4949e02a.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1939\snapshot\MFEX-1.DAT [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan [NOTE] The file was moved to '495de046.qua'! C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1940\A0170105.exe [DETECTION] Is the TR/Agent.aebz Trojan [NOTE] The file was moved to '4949e032.qua'! C:\WINDOWS\SYSTEM32\fduvfct.sys [DETECTION] Is the TR/Click.VB.btw Trojan [NOTE] The file was moved to '498de492.qua'! C:\WINDOWS\SYSTEM32\tmp0_462886265468.bk.old [DETECTION] Is the TR/Agent.mta.274944 Trojan [NOTE] The file was moved to '4988e4d6.qua'! C:\WINDOWS\SYSTEM32\tmp0_582751252004.bk.old [DETECTION] Is the TR/Dldr.Delf.oda Trojan [NOTE] The file was moved to '4988e4d7.qua'! C:\WINDOWS\SYSTEM32\tmp2_840081179240.bk.old [DETECTION] Is the TR/Dldr.Delf.oda Trojan [NOTE] The file was moved to '4dbcb2d8.qua'! C:\WINDOWS\SYSTEM32\tmpxr_102495353302.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4d8.qua'! C:\WINDOWS\SYSTEM32\tmpxr_103708220738.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2d9.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_105210521411.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4d9.qua'! C:\WINDOWS\SYSTEM32\tmpxr_111647127121.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2da.qua'! C:\WINDOWS\SYSTEM32\tmpxr_114806391773.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4db.qua'! C:\WINDOWS\SYSTEM32\tmpxr_136005377602.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4da.qua'! C:\WINDOWS\SYSTEM32\tmpxr_139854150801.bk [DETECTION] Is the TR/Agent.46080.F Trojan [NOTE] The file was moved to '4dbcb2db.qua'! C:\WINDOWS\SYSTEM32\tmpxr_140592630741.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2dc.qua'! C:\WINDOWS\SYSTEM32\tmpxr_143458128076.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4dd.qua'! C:\WINDOWS\SYSTEM32\tmpxr_146113200683.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2de.qua'! C:\WINDOWS\SYSTEM32\tmpxr_14873424408.bk [DETECTION] Is the TR/Delf.ffb.4 Trojan [NOTE] The file was moved to '4988e4dc.qua'! C:\WINDOWS\SYSTEM32\tmpxr_149181801898.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2dd.qua'! C:\WINDOWS\SYSTEM32\tmpxr_151653790164.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4de.qua'! C:\WINDOWS\SYSTEM32\tmpxr_154204675973.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4df.qua'! C:\WINDOWS\SYSTEM32\tmpxr_161924341933.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e0.qua'! C:\WINDOWS\SYSTEM32\tmpxr_166030860147.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e1.qua'! C:\WINDOWS\SYSTEM32\tmpxr_181512432517.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2df.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_20339518008.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e0.qua'! C:\WINDOWS\SYSTEM32\tmpxr_205387464841.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e1.qua'! C:\WINDOWS\SYSTEM32\tmpxr_214106403739.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e2.qua'! C:\WINDOWS\SYSTEM32\tmpxr_216448485396.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e3.qua'! C:\WINDOWS\SYSTEM32\tmpxr_225695338950.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e2.qua'! C:\WINDOWS\SYSTEM32\tmpxr_228902439693.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e3.qua'! C:\WINDOWS\SYSTEM32\tmpxr_24445714047.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e4.qua'! C:\WINDOWS\SYSTEM32\tmpxr_246174593755.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e5.qua'! C:\WINDOWS\SYSTEM32\tmpxr_247555723994.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e4.qua'! C:\WINDOWS\SYSTEM32\tmpxr_25383175518.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e5.qua'! C:\WINDOWS\SYSTEM32\tmpxr_255124299597.bk [DETECTION] Is the TR/Drop.Delf.MT.48 Trojan [NOTE] The file was moved to '4dbcb2e6.qua'! C:\WINDOWS\SYSTEM32\tmpxr_258951658822.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e6.qua'! C:\WINDOWS\SYSTEM32\tmpxr_262891199136.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e7.qua'! C:\WINDOWS\SYSTEM32\tmpxr_264448809166.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e8.qua'! C:\WINDOWS\SYSTEM32\tmpxr_283149409571.bk [DETECTION] Is the TR/Agent.amjf Trojan [NOTE] The file was moved to '4988e4e9.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_29652248883.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2ea.qua'! C:\WINDOWS\SYSTEM32\tmpxr_296561554417.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2e7.qua'! C:\WINDOWS\SYSTEM32\tmpxr_312871200166.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4e8.qua'! C:\WINDOWS\SYSTEM32\tmpxr_31923347798.bk [DETECTION] Is the TR/Delf.ffb.4 Trojan [NOTE] The file was moved to '4dbcb2e9.qua'! C:\WINDOWS\SYSTEM32\tmpxr_323518891601.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4eb.qua'! C:\WINDOWS\SYSTEM32\tmpxr_324661405196.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2ec.qua'! C:\WINDOWS\SYSTEM32\tmpxr_325182238637.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4ed.qua'! C:\WINDOWS\SYSTEM32\tmpxr_3302975716.bk [DETECTION] Is the TR/Drop.Del.MTA.461 Trojan [NOTE] The file was moved to '4dbcb2ee.qua'! C:\WINDOWS\SYSTEM32\tmpxr_332605604384.bk [DETECTION] Is the TR/Agent.also Trojan [NOTE] The file was moved to '4988e4ea.qua'! C:\WINDOWS\SYSTEM32\tmpxr_346250680724.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2eb.qua'! C:\WINDOWS\SYSTEM32\tmpxr_350623428892.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4ec.qua'! C:\WINDOWS\SYSTEM32\tmpxr_357477770053.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4ef.qua'! C:\WINDOWS\SYSTEM32\tmpxr_37408280819.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2f0.qua'! C:\WINDOWS\SYSTEM32\tmpxr_376848610466.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f1.qua'! C:\WINDOWS\SYSTEM32\tmpxr_380519586529.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2f2.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_38483711772.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2ed.qua'! C:\WINDOWS\SYSTEM32\tmpxr_387826403383.bk [DETECTION] Is the TR/Drop.Delf.M.1460 Trojan [NOTE] The file was moved to '4988e4f3.qua'! C:\WINDOWS\SYSTEM32\tmpxr_391102316927.bk [DETECTION] Is the TR/Agent.alsn Trojan [NOTE] The file was moved to '4dbcb2f4.qua'! C:\WINDOWS\SYSTEM32\tmpxr_394467538494.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f5.qua'! C:\WINDOWS\SYSTEM32\tmpxr_39630059755.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4ee.qua'! C:\WINDOWS\SYSTEM32\tmpxr_402436500408.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4dbcb2f6.qua'! C:\WINDOWS\SYSTEM32\tmpxr_404378801462.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8f7.qua'! C:\WINDOWS\SYSTEM32\tmpxr_410830793143.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8f9.qua'! C:\WINDOWS\SYSTEM32\tmpxr_423076235380.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8fb.qua'! C:\WINDOWS\SYSTEM32\tmpxr_434124172518.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e8.qua'! C:\WINDOWS\SYSTEM32\tmpxr_439277286557.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8ea.qua'! C:\WINDOWS\SYSTEM32\tmpxr_44427279682.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8ec.qua'! C:\WINDOWS\SYSTEM32\tmpxr_446277325521.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8ee.qua'! C:\WINDOWS\SYSTEM32\tmpxr_462874514006.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f0.qua'! C:\WINDOWS\SYSTEM32\tmpxr_463062735728.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e9.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_47945483945.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f2.qua'! C:\WINDOWS\SYSTEM32\tmpxr_498870888907.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f7.qua'! C:\WINDOWS\SYSTEM32\tmpxr_502503563213.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e0.qua'! C:\WINDOWS\SYSTEM32\tmpxr_506730371918.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f9.qua'! C:\WINDOWS\SYSTEM32\tmpxr_516461808434.bk [DETECTION] Is the TR/Delf.Agent.SD Trojan [NOTE] The file was moved to '488df8e2.qua'! C:\WINDOWS\SYSTEM32\tmpxr_516666117939.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8eb.qua'! C:\WINDOWS\SYSTEM32\tmpxr_523996759005.bk [DETECTION] Is the TR/Drop.Delf.MT.48 Trojan [NOTE] The file was moved to '4988e4f4.qua'! C:\WINDOWS\SYSTEM32\tmpxr_537917337666.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8ed.qua'! C:\WINDOWS\SYSTEM32\tmpxr_552617443224.bk [DETECTION] Is the TR/Dldr.Delf.OZM Trojan [NOTE] The file was moved to '4988e4fb.qua'! C:\WINDOWS\SYSTEM32\tmpxr_555886818529.bk [DETECTION] Is the TR/Delf.ffb.4 Trojan [NOTE] The file was moved to '488df8e4.qua'! C:\WINDOWS\SYSTEM32\tmpxr_557366601451.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f6.qua'! C:\WINDOWS\SYSTEM32\tmpxr_55768140761.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8ef.qua'! C:\WINDOWS\SYSTEM32\tmpxr_558452370450.bk [DETECTION] Is the TR/Agent.also Trojan [NOTE] The file was moved to '488df8f1.qua'! C:\WINDOWS\SYSTEM32\tmpxr_56522784462.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8f3.qua'! C:\WINDOWS\SYSTEM32\tmpxr_57009214539.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4fd.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_572405483892.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e6.qua'! C:\WINDOWS\SYSTEM32\tmpxr_57834725294.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4ff.qua'! C:\WINDOWS\SYSTEM32\tmpxr_586004306838.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df918.qua'! C:\WINDOWS\SYSTEM32\tmpxr_587224457331.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8f5.qua'! C:\WINDOWS\SYSTEM32\tmpxr_591187856881.bk [DETECTION] Is the TR/Agent.alsn Trojan [NOTE] The file was moved to '488df8fd.qua'! C:\WINDOWS\SYSTEM32\tmpxr_595213758636.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8ff.qua'! C:\WINDOWS\SYSTEM32\tmpxr_597204305469.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e501.qua'! C:\WINDOWS\SYSTEM32\tmpxr_624147611736.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df91a.qua'! C:\WINDOWS\SYSTEM32\tmpxr_626349329461.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e503.qua'! C:\WINDOWS\SYSTEM32\tmpxr_627254159795.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df91c.qua'! C:\WINDOWS\SYSTEM32\tmpxr_63623925865.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4f8.qua'! C:\WINDOWS\SYSTEM32\tmpxr_648430741400.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e1.qua'! C:\WINDOWS\SYSTEM32\tmpxr_649700103641.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4fa.qua'! C:\WINDOWS\SYSTEM32\tmpxr_656511616110.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e3.qua'! C:\WINDOWS\SYSTEM32\tmpxr_659644598804.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e505.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_662041808789.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df91e.qua'! C:\WINDOWS\SYSTEM32\tmpxr_669554810190.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e507.qua'! C:\WINDOWS\SYSTEM32\tmpxr_684635771113.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4fc.qua'! C:\WINDOWS\SYSTEM32\tmpxr_688962265887.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e5.qua'! C:\WINDOWS\SYSTEM32\tmpxr_69712727003.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e4fe.qua'! C:\WINDOWS\SYSTEM32\tmpxr_706926453944.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df910.qua'! C:\WINDOWS\SYSTEM32\tmpxr_712485878850.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e509.qua'! C:\WINDOWS\SYSTEM32\tmpxr_713145539090.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df912.qua'! C:\WINDOWS\SYSTEM32\tmpxr_717274642611.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df8e7.qua'! C:\WINDOWS\SYSTEM32\tmpxr_721547500934.bk [DETECTION] Is the TR/Drop.Del.MTA.463 Trojan [NOTE] The file was moved to '4988e518.qua'! C:\WINDOWS\SYSTEM32\tmpxr_72238799839.bk [DETECTION] Is the TR/Dldr.Delf.OZM Trojan [NOTE] The file was moved to '488df901.qua'! C:\WINDOWS\SYSTEM32\tmpxr_725205465436.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e51a.qua'! C:\WINDOWS\SYSTEM32\tmpxr_734836661330.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e50b.qua'! C:\WINDOWS\SYSTEM32\tmpxr_73627436476.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df914.qua'! C:\WINDOWS\SYSTEM32\tmpxr_737569637081.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e50d.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_745058334257.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df903.qua'! C:\WINDOWS\SYSTEM32\tmpxr_753096514405.bk [DETECTION] Is the TR/Drop.Delf.MT.48 Trojan [NOTE] The file was moved to '4988e51c.qua'! C:\WINDOWS\SYSTEM32\tmpxr_755425330566.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df905.qua'! C:\WINDOWS\SYSTEM32\tmpxr_75855640940.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e51e.qua'! C:\WINDOWS\SYSTEM32\tmpxr_77165959275.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df916.qua'! C:\WINDOWS\SYSTEM32\tmpxr_77624876730.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e50f.qua'! C:\WINDOWS\SYSTEM32\tmpxr_78404586888.bk [DETECTION] Is the TR/Delf.Agent.SA Trojan [NOTE] The file was moved to '488df908.qua'! C:\WINDOWS\SYSTEM32\tmpxr_79279881218.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e511.qua'! C:\WINDOWS\SYSTEM32\tmpxr_80355446801.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e500.qua'! C:\WINDOWS\SYSTEM32\tmpxr_803909711468.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df919.qua'! C:\WINDOWS\SYSTEM32\tmpxr_811772707353.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e502.qua'! C:\WINDOWS\SYSTEM32\tmpxr_82035806139.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df90a.qua'! C:\WINDOWS\SYSTEM32\tmpxr_823188194136.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e513.qua'! C:\WINDOWS\SYSTEM32\tmpxr_841448146960.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df90c.qua'! C:\WINDOWS\SYSTEM32\tmpxr_867074709655.bk [DETECTION] Is the TR/Drop.Delf.M.2465 Trojan [NOTE] The file was moved to '488df91b.qua'! 
C:\WINDOWS\SYSTEM32\tmpxr_871402714666.bk [DETECTION] Is the TR/Agent.46080.F Trojan [NOTE] The file was moved to '4988e504.qua'! C:\WINDOWS\SYSTEM32\tmpxr_874532363172.bk [DETECTION] Is the TR/Drop.Del.MTA.455 Trojan [NOTE] The file was moved to '488df91d.qua'! C:\WINDOWS\SYSTEM32\tmpxr_875999683759.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e506.qua'! C:\WINDOWS\SYSTEM32\tmpxr_877301134348.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e515.qua'! C:\WINDOWS\SYSTEM32\tmpxr_895576349758.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df90e.qua'! C:\WINDOWS\SYSTEM32\tmpxr_93949271854.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '4988e517.qua'! C:\WINDOWS\SYSTEM32\tmpxr_9534594979.bk [DETECTION] Is the TR/ATRAPS.Gen Trojan [NOTE] The file was moved to '488df91f.qua'! C:\WINDOWS\SYSTEM32\udxfytw.sys [DETECTION] Is the TR/Agent.akyk.2 Trojan [NOTE] The file was moved to '4990e4fc.qua'! C:\WINDOWS\SYSTEM32\xdufytw.sys [DETECTION] Is the TR/Click.VB.bzk Trojan [NOTE] The file was moved to '498de50c.qua'! C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll [DETECTION] Contains recognition pattern of the W95/Blumblebee.1738 Windows virus [NOTE] The file was moved to '4983e51e.qua'! Begin scan in 'F:\' <My Book> End of the scan: Monday, November 10, 2008 20:56 Used time: 3:26:04 Hour(s) The scan has been done completely. 
  14676 Scanning directories
 314378 Files were scanned
    188 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
    188 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
 314188 Files not concerned
   3511 Archives were scanned
      2 Warnings
    188 Notes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:53 PM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\PFU\ScanSnap\PfuSsSct.exe
C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe
C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PFU\ScanSnap\CardMinder V2.0\bcd_file\SbCRecE.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\Randy Maddox\Desktop\HJT\Randy Maddox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [PfuSsSct.exe] C:\Program Files\PFU\ScanSnap\PfuSsSct.exe /Station
O4 - HKLM\..\Run: [CardMinder] C:\Program Files\PFU\ScanSnap\CardMinder V2.0\CardLauncher.exe
O4 - HKLM\..\Run: [Pdfquickview] C:\Program Files\PFU\ScanSnap\PDF Thumbnail View\pdfquickview.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: ScanSnap Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.3.7.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136410335562
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab?
O23 - Service: ABBYY FineReader 9.0 PE Licensing Service (ABBYY.Licensing.FineReader.Professional.9.0) - ABBYY (BIT Software) - C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 11065 bytes
#7
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 4,491
OS: XP
Re: Pop ups and trojans, low memory
Hello again
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

Please remember to close all other windows, including browsers then click Fix checked.

=======

You may want to uninstall AVG Anti-Spyware 7.5, at the end of this year it will no longer receive updates, it is now incorporated into AVG8.

=======

You don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

========

If there are no further issues, continue below.

========

Click Start>Run and type or copy/paste the following command into box then hit enter to uninstall gmer.

%systemroot%\gmer_uninstall.cmd

=========

Delete RSIT from your desktop, also delete this folder c:\rsit. Uninstall Hijackthis via add/remove, you may keep ATF-Cleaner if you wish.

=========

Well done, your logs are clean.

Click start>run>type (or copy/paste command into run box):

ComboFix /u

Click ok.

==========

Clear IE7 cookies
*On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
*On the General tab, in the Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache [that includes cookies too].
*Click OK, and then click OK again.

Clear Firefox cookies/cache
• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

-------------------------------------------------------------------------------------------
MICROSOFT UPDATES
1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended).
Microsoft updates are released every second Tuesday of each month, what is called "Patch Tuesday".
------------------------------------------------------------------------------------------
Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:
* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites. WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note: Only compatible with Firefox 1.5 and higher.

--------------------------------------------------------------------------------------
Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------
Free Antispyware Products
SuperAntiSpyware
Malwarebytes' Anti-Malware
SpywareBlaster to help prevent spyware from installing in the first place.

------------------------------------------------------------------
IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List. Download and installation instructions for IE-Spyad™ Here

-----------------------------------------
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.
If you're having trouble downloading & extracting, see link below for guidance: http://www.mvps.org/winhelp2002/hosts2.htm
Once you have extracted the host file, double click on it and a new window will open. Double-click on mvps.bat and follow the prompts

---------------------------------------------------------------
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer.

----------------------------------------
SnoopFree is a programme that informs you when another programme is wanting to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================
Also, please take a look at this well written article: PC Safety and Security--What Do I Need?

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, as we may mark this as resolved, thanks.
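The HOSTS-file blocking described in the post above, as an added example that is not code from the post or from the MVPS project: a small Python checker that parses a HOSTS file, separates the 127.0.0.1/0.0.0.0 blackhole entries from entries that send a name to a real address, and flags entries for update or security-vendor hosts that a clean blocking file never touches. The sample file and the watch-list of sensitive hostnames are constructed for the example.

```python
"""Sanity-check a Windows HOSTS file in the MVPS blocking style.

Added example for this thread; not code from the forum post or the MVPS
project. The post explains that the MVPS file blocks ad sites by mapping
them to 127.0.0.1. This parser separates such blackhole entries from entries
that send a name to some other address, and flags any entry for a host that
a clean file should never touch (update and security-vendor sites), which is
the kind of HOSTS tampering a malware-removal helper wants surfaced.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Tuple

Entry = Tuple[str, str]  # (hostname, target address)

# Targets that simply blackhole a name (MVPS uses 127.0.0.1 or 0.0.0.0).
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watch-list for the example: names that a legitimate blocking
# file leaves alone, so any HOSTS entry for them is worth a second look.
SENSITIVE_HOSTS = {
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.avira.com",
}


@dataclass
class HostsReport:
    blocked: List[Entry] = field(default_factory=list)     # blackholed names
    redirected: List[Entry] = field(default_factory=list)  # sent elsewhere
    hijacked: List[Entry] = field(default_factory=list)    # sensitive names touched
    malformed: List[str] = field(default_factory=list)     # lines that did not parse


def parse_hosts(text: str) -> HostsReport:
    """Parse HOSTS text: '<address> <name> [<name> ...]', '#' starts a comment."""
    report = HostsReport()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        parts = line.split()
        if len(parts) < 2:
            report.malformed.append(raw)
            continue
        try:
            target = str(ip_address(parts[0]))
        except ValueError:
            report.malformed.append(raw)  # first field is not an IP address
            continue
        for name in parts[1:]:
            entry = (name.lower(), target)
            if entry[0] in SENSITIVE_HOSTS:
                report.hijacked.append(entry)
            if target in BLACKHOLE:
                report.blocked.append(entry)
            else:
                report.redirected.append(entry)
    return report


def is_clean(report: HostsReport) -> bool:
    """A blocking-only file has no redirects to real addresses and no hijacks."""
    return not report.redirected and not report.hijacked


# Constructed sample, not a real MVPS file.
SAMPLE_HOSTS = """\
# Constructed sample in the MVPS layout
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.net tracker.example.org   # MVPS-style blackhole entries
127.0.0.1  popups.example.com
192.0.2.10  login.example.com        # name sent to a real address: suspicious
127.0.0.1  update.microsoft.com      # blocks patching: a classic hijack sign
this line is not a hosts entry
"""

if __name__ == "__main__":
    rep = parse_hosts(SAMPLE_HOSTS)
    print(f"blocked {len(rep.blocked)} names")
    for name, target in rep.redirected:
        print(f"REDIRECT  {name} -> {target}")
    for name, target in rep.hijacked:
        print(f"HIJACK    {name} -> {target}")
    for raw in rep.malformed:
        print(f"MALFORMED {raw!r}")
    print("clean" if is_clean(rep) else "needs review")
```

On a real machine the file to feed in is C:\Windows\System32\drivers\etc\hosts; the same check applies to a company-provided HOSTS file, which the post says should not be replaced by the MVPS one.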
#8
Registered User
Join Date: May 2007
Posts: 26
OS: xp
Re: Pop ups and trojans, low memory
While I am at it, I noticed some programs that I also wanted to uninstall:

Kaspersky online scanner
Panda Active Scan
Panda Active Scan 2.0

I believe these were used the last time I had malware. Is it OK to remove these? Thanks for your help and as I said I will make sure my security programs stay active.