malware

Post by peterC » March 22nd, 2008, 7:45 am

Hi,
I am new to these forums, and I am having trouble when running a scan with avast. I keep sending malware to the chest as I am advised to do, but when I scan again the same ones keep coming up.
Please can anyone help me.
I am getting trojans with the references A0025771.exe A0029931.exe loudcash3.exe un-ariskkey.exe mymorpheustool.exe and a whole load of adware dialer traffic agent etc, whatever they are. It does not seem to make any difference whether I put them to chest or delete them; they keep coming back. I am using Firefox and very occasionally IE.
I have enclosed the HijackThis file.
Many thanks
Peter C


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:59, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: InternetProgram - {88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30} - C:\Program Files\InternetProgram\InternetProgram-1.dll
O2 - BHO: (no name) - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC56E2C-5CA0-4E9F-BD10-B4CB3DA37D18}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13543 bytes
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am
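The HijackThis log above is the kind of thing a helper reads by eye, section by section. As an added example (not code from the thread, from HijackThis or from MalwareRemoval.com), here is a small Python parser for that line format which pulls out the R3/O2/O3 COM registrations, the O4 Run entries, the O20 AppInit_DLLs load point and the O23 services, and groups them by the structural points a reviewer checks first: registrations whose file is gone ("(no file)", "(file missing)"), unnamed BHOs and toolbars, Run entries that give only a bare filename, and services with an unknown owner. The sample lines are constructed from entries in the posted log; a flag means "inspect this line", not that the entry is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input (a handful of lines, not the full log from the thread),
# in HijackThis v2 format, modelled on entries that appear in the log above.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - (no file)
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O4 - HKLM\\..\\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\\Program Files\\MSN Messenger\\usnsvc.exe (file missing)
"""

# Every entry line starts with a section code (R0..R3, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# R3/O2/O3: "<kind>: <name> - {CLSID} - <path>"
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
# O4 registry Run entries: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O23: "Service: <display name> - <owner> - <image path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    section: str
    raw: str
    name: Optional[str] = None
    path: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for header and process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = Entry(section=section, raw=line.strip())
    if section in ("R3", "O2", "O3") and (c := COM_RE.match(body)):
        entry.name, entry.path = c.group("name"), c.group("path")
    elif section == "O4" and (r := RUN_RE.match(body)):
        entry.name, entry.path = r.group("name"), r.group("command")
    elif section == "O23" and (s := SERVICE_RE.match(body)):
        entry.name, entry.path = s.group("name"), s.group("path")
        if s.group("owner") == "Unknown owner":
            entry.flags.append("unknown_owner")
    elif section == "O20" and body.startswith("AppInit_DLLs: "):
        entry.name, entry.path = "AppInit_DLLs", body[len("AppInit_DLLs: "):]
    return entry


def flag_entry(entry: Entry) -> Entry:
    """Attach review flags; each one is a reason to look, not a verdict."""
    path = entry.path or ""
    if "(no file)" in path or "(file missing)" in path:
        entry.flags.append("orphan")        # registration points at a file that no longer exists
    if entry.name == "(no name)":
        entry.flags.append("unnamed")       # COM object registered without a display name
    if entry.section == "O20":
        entry.flags.append("appinit_dll")   # DLL loaded into every process that links user32
    if entry.section == "O4" and path:
        first_token = path.lstrip('"').split(" ", 1)[0]
        if "\\" not in first_token:
            entry.flags.append("bare_filename")  # resolved through PATH at logon, not a fixed path
    return entry


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(flag_entry(e))
    return entries


def review(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group raw lines by flag so the points to inspect are visible at a glance."""
    grouped: Dict[str, List[str]] = {}
    for e in entries:
        for f in e.flags:
            grouped.setdefault(f, []).append(e.raw)
    return grouped


if __name__ == "__main__":
    for flag, lines in review(parse_log(SAMPLE_LOG)).items():
        print(f"[{flag}]")
        for line in lines:
            print("   ", line)
```

Run against the full log in the post, the "orphan" group is where the "(no file)" URLSearchHook, BHO and toolbar entries from the log land; HijackThis can remove such dangling registrations, but whether any of them was put there by the adware the later scans found is exactly the question the helper answers by hand.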

Re: malware

Post by Carolyn » March 26th, 2008, 8:04 am

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

We are currently looking at your log now and will be back as soon as possible with your instructions.
While you are waiting, one other thing that can be of good use is an uninstall list, so please do the following:

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: malware

Post by peterC » March 26th, 2008, 1:37 pm

Hi Carolyn,
Thanks for your reply.
I am having a lot of problems with program crashes, i.e. program not responding, end now, send error report.
Also my laptop seems to be a lot slower than it ever was.
I regularly use WinCleaner OneClick Cleanup with Ad-aware 6.0 Pro, and avast antivirus.
It is when I run the antivirus scan that I keep getting the same trojans, malware etc. coming up even though I have removed them to the chest every time; I have even deleted them and they keep coming back.
Enclosed is the information that you asked for from HijackThis.
Kind regards
Peter

Ad-aware 6 Professional
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Ask Toolbar
avast! Antivirus
Bluetooth Stack for Windows by Toshiba
Bonjour
Conexant HDA D110 MDC V.92 Modem
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
DivX Pro Codec
eMule2
FBrowsingAdvisor
FrostWire 4.13.4
Google Desktop
Google Earth
Google Photos Screensaver
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
IntelligentAdvisor
InternetProgram
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Flash Player 8
Maxtor Manager
Maxtor Manager
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office XP Professional with FrontPage
Microsoft PhotoDraw 2000
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mLogView
mMHouse
Mozilla Firefox (2.0.0.12)
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mXML
mZConfig
Nero Digital
Nero Suite
Norton Ghost 9.0
OZ776 SCR CardBus Windows Driver
Qtrax 0.2beta (20080125)
QuickSet
QuickTime
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Shrink Pic (remove)
SigmaTel Audio
Skype™ 3.5
TomTom HOME
TomTom HOME
UltimateZip 2007
Unlocker 1.8.6
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Weather Watcher
Web Photo Album 0.9 Beta
WinCleaner OneClick Cleanup Version 10
Windows Essentials Media Codec Pack 1.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
winvi (remove only)
XviD MPEG-4 Codec
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Toolbar
YouTube Uploader
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am

Re: malware

Post by Carolyn » March 27th, 2008, 2:03 am

Hi Peter,

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

eMule2, FrostWire, Qtrax

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall eMule2, FrostWire and Qtrax; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep any, please do not use them until your computer is cleaned.


Remove Program
Please click Start > Control Panel > Add/Remove Programs
Remove this program by clicking Remove:

FBrowsingAdvisor


If the program listed is not present, please do not panic.


Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  1. Double click on mbam-setup.exe to install it.
  2. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  3. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  4. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  5. Leave the default options as they are and click on Start Scan.
  6. When done, you will be prompted. Click OK, then click on Show Results.
  7. Check (tick) all items and click on Remove Selected.
  8. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Right-click on dss.exe, then select "Run as administrator", and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.


Please post the Malwarebytes' Anti-Malware log along with the contents of main.txt and extra.txt.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: malware

Post by peterC » March 27th, 2008, 4:21 am

Hi Carolyn,
Thanks for that. I've deleted eMule and Qtrax, and below are the scans you required.
Many thanks,
Peter

Malwarebytes' Anti-Malware 1.09
Database version: 552

Scan type: Quick Scan
Objects scanned: 31691
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1} (Rogue.WinFixer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8f15b157-40d9-4b20-8d3b-b1f8b475b58d} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a0881aa1-68be-41ac-9c0d-4c8a69c6c72c} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e827ffd9-95d1-4b49-beb3-5d49e688c108} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBReg.DBar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBReg.dbarBHO.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBReg.DbarEnabler.1 (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.


Deckard's System Scanner v20071014.68
Run by User on 2008-03-27 08:13:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
80: 2008-03-27 08:13:17 UTC - RP448 - Deckard's System Scanner Restore Point
79: 2008-03-26 18:30:11 UTC - RP447 - System Checkpoint
78: 2008-03-25 14:03:21 UTC - RP446 - System Checkpoint
77: 2008-03-24 13:46:21 UTC - RP445 - System Checkpoint
76: 2008-03-23 12:55:51 UTC - RP444 - System Checkpoint


-- First Restore Point --
1: 2007-12-27 23:20:00 UTC - RP369 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:14:07, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: InternetProgram - {88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30} - C:\Program Files\InternetProgram\InternetProgram-1.dll
O2 - BHO: (no name) - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - (no file)
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC56E2C-5CA0-4E9F-BD10-B4CB3DA37D18}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13673 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe"%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PQV2i - c:\windows\system32\drivers\pqv2i.sys <Not Verified; StorageCraft; V2i Protector>
R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 PQIMount - c:\windows\system32\drivers\pqimount.sys <Not Verified; PowerQuest Corporation; V2i Protector>
R1 Tosrfcom (Bluetooth RFCOMM from TOSHIBA) - c:\windows\system32\drivers\tosrfcom.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFCOMM Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.6.0.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.6.0.0>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 tosporte (Bluetooth Port Driver from Toshiba) - c:\windows\system32\drivers\tosporte.sys <Not Verified; TOSHIBA Corporation; TOSHIBA Bluetooth Port Emulation Driver>
R3 Tosrfbd (Bluetooth RFBUS from TOSHIBA) - c:\windows\system32\drivers\tosrfbd.sys <Not Verified; TOSHIBA CORPORATION; Bluetooth BUS Driver(WindowsXP,Windows2000)>
R3 Tosrfbnp (Bluetooth RFBNEP from TOSHIBA) - c:\windows\system32\drivers\tosrfbnp.sys <Not Verified; TOSHIBA Corporation; Bluetooth RFBNEP Driver from TOSHIBA>
R3 Tosrfhid (Bluetooth RFHID from TOSHIBA) - c:\windows\system32\drivers\tosrfhid.sys <Not Verified; TOSHIBA Corporation.; Bluetooth HID Driver from TOSHIBA>
R3 tosrfnds (Bluetooth Personal Area Network from TOSHIBA) - c:\windows\system32\drivers\tosrfnds.sys <Not Verified; TOSHIBA Corporation.; Bluetooth BNEP Driver from TOSHIBA>
R3 Tosrfusb (Bluetooth USB Controller) - c:\windows\system32\drivers\tosrfusb.sys <Not Verified; TOSHIBA CORPORATION; Microsoft(R) Windows NT(R) Operating System>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 BCOREUSB (BCOREUSB.Sys CSR test driver) - c:\windows\system32\drivers\bcoreusb.sys <Not Verified; CSR; Bluetooth USB Dongle Device Driver>
S3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)
S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 NSNDIS5 (NSNDIS5 NDIS Protocol Driver) - c:\windows\system32\nsndis5.sys (file missing)
S3 QCMerced (Logitech QuickCam Communicate) - c:\windows\system32\drivers\lvcm.sys (file missing)
S3 toshidpt (TOSHIBA Bluetooth HID port driver) - c:\windows\system32\drivers\toshidpt.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Bluetooth HID Mini Port Driver>
S3 TosRfSnd (Bluetooth Audio Device (WDM) from TOSHIBA) - c:\windows\system32\drivers\tosrfsnd.sys <Not Verified; TOSHIBA Corporation; Bluetooth Audio Driver>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

S3 usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "c:\program files\msn messenger\usnsvc.exe" (file missing)
S4 Bluetooth Hid Switch Service - "c:\program files\bluetooth\hidswitchservice\hidsw.exe" <Not Verified; Cambridge Silicon Radio; HID Switch Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-26 20:14:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-02-27 and 2008-03-27 -----------------------------

2008-03-27 07:59:02 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-03-27 07:58:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-27 07:58:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 11:07:33 0 d-------- C:\Program Files\Trend Micro
2008-03-20 17:33:30 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-14 08:45:41 0 d-------- C:\Program Files\iPod
2008-03-14 08:45:24 0 d-------- C:\Program Files\iTunes
2008-03-14 08:45:00 0 d-------- C:\Program Files\Bonjour
2008-03-14 08:43:45 0 d-------- C:\Program Files\QuickTime
2008-03-14 08:43:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-14 08:42:53 0 d-------- C:\Program Files\Common Files\Apple
2008-03-13 14:38:53 0 d-------- C:\Program Files\InternetProgram
2008-03-06 19:05:06 0 d-------- C:\Documents and Settings\User\Application Data\Desktopicon
2008-03-06 19:04:34 0 d-------- C:\Program Files\DupKiller


-- Find3M Report ---------------------------------------------------------------

2008-03-27 07:54:24 0 d-------- C:\Program Files\eMule
2008-03-26 20:18:40 0 d-------- C:\Program Files\Weather Watcher
2008-03-23 20:04:17 0 d-------- C:\Documents and Settings\User\Application Data\FrostWire
2008-03-22 15:06:08 0 d-------- C:\Program Files\UltimateZip 2007
2008-03-20 19:41:54 0 d-------- C:\Program Files\Java
2008-03-15 08:16:20 0 d-------- C:\Program Files\IntelligentAdvisor
2008-03-14 08:46:10 0 d-------- C:\Documents and Settings\User\Application Data\Apple Computer
2008-03-14 08:42:53 0 d-------- C:\Program Files\Common Files
2008-03-13 09:30:59 0 d-------- C:\Documents and Settings\User\Application Data\shrink_pic
2008-03-11 14:46:31 0 d-------- C:\Documents and Settings\User\Application Data\Skype
2008-03-10 14:14:51 0 d-------- C:\Program Files\FrostWire
2008-02-06 17:14:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-03 09:37:44 0 d-------- C:\Documents and Settings\User\Application Data\WeatherWatcher
2008-01-30 11:24:47 0 d-------- C:\Documents and Settings\User\Application Data\Qtrax1
2008-01-30 10:57:40 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-01-11 18:01:13 54240 --a------ C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
12/01/2008 09:15 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30}]
30/12/2007 20:48 1019904 --a------ C:\Program Files\InternetProgram\InternetProgram-1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
12/01/2008 09:15 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [12/01/2008 09:15 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 12:00 C:\WINDOWS\system32\bthprops.cpl]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [23/03/2006 20:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [23/03/2006 20:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [23/03/2006 20:17]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/2007 13:00]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03/08/2006 18:51]
"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 17:30 C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [07/10/2005 14:13]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [18/10/2006 18:04]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [18/10/2006 17:58]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [28/07/2007 14:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [29/07/2004 03:41]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [15/08/2007 15:59]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [06/09/2007 14:53]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [08/04/2007 16:44]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 23:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 13:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/04/2007 09:51]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [15/09/2006 12:27]
"Google Update"="C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [17/03/2008 17:12]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Shrink Pic.lnk - C:\Program Files\Shrink Pic\shrink_pic.exe [18/09/2007 20:08:02]
YouTube Uploader.lnk - C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [09/11/2007 13:33:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [18/11/2005 17:46:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [31/01/2007 17:10:45]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Program Files\LimeWire\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Checkup]
"C:\Program Files\Speeditup Free\PCCheckup\PCCheckUp.exe" -mini

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone]
"C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone Control Panel]
"C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-03-27 08:14:32 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU T2500 @ 2.00GHz
CPU 1: Genuine Intel(R) CPU T2500 @ 2.00GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 1014.11 MiB / 392.99 MiB
Pagefile Memory (total/avail): 2441.09 MiB / 1898.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.01 MiB

C: is Fixed (NTFS) - 74.53 GiB total, 19.85 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HTS541080G9SA00 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1098 [VPS 080326-3] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\GhostSurf\\GhostSurf.exe"="C:\\Program Files\\GhostSurf\\GhostSurf.exe:*:Disabled:Architecture launch vehicle"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Outlook Express\\msimn.exe"="C:\\Program Files\\Outlook Express\\msimn.exe:*:Enabled:Outlook Express"
"C:\\Program Files\\U.S. Robotics\\USB Internet Mini Phone\\USB Internet Mini Phone UI.exe"="C:\\Program Files\\U.S. Robotics\\USB Internet Mini Phone\\USB Internet Mini Phone UI.exe:*:Enabled:USB Internet Mini Phone"
"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe"="C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe:*:Enabled:Ad-aware 6"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Documents and Settings\\User\\Desktop\\age2_x1.exe"="C:\\Documents and Settings\\User\\Desktop\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"C:\\Documents and Settings\\User\\Desktop\\age of empire 2\\empires2.exe"="C:\\Documents and Settings\\User\\Desktop\\age of empire 2\\empires2.exe:*:Enabled:Age of Empires II"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=D820-D5E727EA0C
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\D820-D5E727EA0C
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Support Tools\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=D820-D5E727EA0C
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-aware 6 Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
Ask Toolbar --> rundll32 C:\PROGRA~1\AskTBar\bar\1.bin\AskTBar.dll,O
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07 --> "C:\Program Files\Cucusoft\avi-dvd-pro\unins000.exe"
DivX Pro Codec --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\DivX Pro Bundle.log
FrostWire 4.13.4 --> C:\Program Files\FrostWire\Uninstall.exe
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Photos Screensaver --> MsiExec.exe /X{A52415E5-CA1E-44DE-9EDC-D412F31D271C}
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
IntelligentAdvisor --> C:\Program Files\IntelligentAdvisor\uninstall.exe
InternetProgram --> C:\Program Files\InternetProgram\uninstall.exe
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Maxtor Manager --> "C:\Program Files\InstallShield Installation Information\{B8281D46-D846-4BB9-BC84-F1115A7BF820}\setup.exe" -runfromtemp -l0x0409 -removeonly
Maxtor Manager --> MsiExec.exe /I{B8281D46-D846-4BB9-BC84-F1115A7BF820}
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2 --> MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft PhotoDraw 2000 --> "C:\Program Files\Microsoft Office\Office\Setup\PhotoDraw\setup.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mWMI --> MsiExec.exe /I{63DB9CCD-2B56-4217-9A3D-507AC78320CA}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall
Norton Ghost 9.0 --> MsiExec.exe /X{3C759736-8347-4031-BB9C-D75ADFE6B101}
OZ776 SCR CardBus Windows Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48} /l1033
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shrink Pic (remove) --> C:\Program Files\Shrink Pic\Uninstall.exe
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
TomTom HOME --> C:\Program Files\InstallShield Installation Information\{3C9EEFEF-1F71-4213-AC41-4BF5FE0FED95}\setup.exe -runfromtemp -l0x0009 -removeonly -removeonly
TomTom HOME --> C:\Program Files\InstallShield Installation Information\{CE325D55-FCAF-4273-BB79-069BB8747270}\setup.exe -runfromtemp -l0x0009 -removeonly -removeonly
UltimateZip 2007 --> "C:\Program Files\UltimateZip 2007\unins000.exe"
Unlocker 1.8.6 --> C:\Program Files\Unlocker\uninst.exe
Weather Watcher --> "C:\Program Files\Weather Watcher\unins000.exe"
Web Photo Album 0.9 Beta --> "C:\Program Files\Web Photo Album\unins000.exe"
WinCleaner OneClick Cleanup Version 10 --> "C:\Program Files\blcorp\WCCSC\unins000.exe"
Windows Essentials Media Codec Pack 1.0 --> C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /I{621AF8B2-75D2-4074-BA44-79178A617255}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Support Tools --> MsiExec.exe /I{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}
XML Paper Specification Shared Components Pack 1.0 -->
XviD MPEG-4 Codec --> "C:\Program Files\XviD\UninstXviD.exe"
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
YouTube Uploader --> MsiExec.exe /X{171818BA-E0AD-313D-B45A-1BC9D77ADA86}


-- Application Event Log -------------------------------------------------------

Event Record #/Type8481 / Error
Event Submitted/Written: 03/23/2008 07:55:21 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 77721131.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type8480 / Error
Event Submitted/Written: 03/23/2008 07:55:10 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x04ea97d0.
Processing media-specific event for [explorer.exe!ws!]

Event Record #/Type8469 / Error
Event Submitted/Written: 03/21/2008 07:50:49 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 02051377.

Event Record #/Type8468 / Error
Event Submitted/Written: 03/21/2008 07:50:44 AM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 02051377.

Event Record #/Type8467 / Error
Event Submitted/Written: 03/21/2008 07:50:15 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application MSPUB.EXE, version 6.0.1.427, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type38637 / Warning
Event Submitted/Written: 03/27/2008 07:44:11 AM / 03/27/2008 07:44:39 AM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type38632 / Error
Event Submitted/Written: 03/27/2008 07:44:37 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type38612 / Warning
Event Submitted/Written: 03/26/2008 05:14:35 PM / 03/26/2008 05:15:03 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type38598 / Error
Event Submitted/Written: 03/26/2008 05:15:00 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The IPSEC Services service terminated with the following error:
%%1747

Event Record #/Type38594 / Warning
Event Submitted/Written: 03/26/2008 10:36:58 AM
Event ID/Source: 240 / Win32k
Event Description:
A request to suspend power was denied by winlogon.exe.



-- End of Deckard's System Scanner: finished at 2008-03-27 08:14:32 ------------
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am

Re: malware

Unread postby Carolyn » March 28th, 2008, 9:40 pm

Hi Peter,

Download CCleaner from here and save it to your desktop so that you can find it later. Don't run CCleaner yet. We'll use it later!
Boot to Safe Mode
Please print the instructions below or copy and paste to Notepad since you will not have internet access while in Safe Mode.

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, continually press F8.
* Instead of Windows loading as normal, a menu should appear
* Select the first option, to run Windows in Safe Mode.


Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)

    O2 - BHO: InternetProgram - {88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30} - C:\Program Files\InternetProgram\InternetProgram-1.dll

    O2 - BHO: (no name) - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Now, enable the Show Hidden Folders option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files and folders; if found, delete them (some may not be present after previous steps):

C:\Program Files\InternetProgram <<Folder


Run CCleaner
CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!


Boot to Normal Mode


Please download DAFT and save it to your desktop:
  1. Double-click the daft.exe icon. Read the disclaimer and click OK.
  2. Click on the Scan button.
  3. Place a checkmark next to the following entries:

    .reg
    .scr



  4. Click the Fix button.
  5. Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.


Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with the DAFT log and a fresh HJT log. Also please include a description of how your PC is behaving.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
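The "Remove bad HijackThis entries" step above asks the user to tick specific R3 and O2 lines. The following is an added example, not code from HijackThis or from this forum: a small parser for HijackThis R3/O2 log lines that flags the two patterns a helper typically marks for "Fix Checked": entries whose file no longer exists ("(no file)") and entries that load a DLL from a folder the helper has already decided to delete. The three sample lines are the ones quoted in the post; the fourth, benign-looking entry and the folder name passed to `triage()` are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Added example (not HijackThis or forum code). Sample input: the three
# entries quoted in the post, plus one constructed benign-looking O2 entry
# so the triage has something it should leave alone.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: InternetProgram - {88C9B3C7-06B6-5C05-CFEC-C09DBC10CC30} - C:\\Program Files\\InternetProgram\\InternetProgram-1.dll
O2 - BHO: (no name) - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - (no file)
O2 - BHO: Example Helper Object - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\ExampleHelper.dll
"""

# HijackThis R3/O2 lines have the shape:
#   <section> - <kind>: <name> - {<CLSID>} - <path or "(no file)">
ENTRY_RE = re.compile(
    r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)


@dataclass
class HjtEntry:
    section: str   # e.g. "R3" or "O2"
    kind: str      # e.g. "URLSearchHook" or "BHO"
    name: str      # display name, or "(no name)"
    clsid: str     # the COM class id in braces
    path: str      # DLL path, or "(no file)" when the file is gone
    raw: str       # the original log line, for pasting back into a reply


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse every R3/O2-style line; lines in other sections are ignored."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(HjtEntry(raw=raw, **m.groupdict()))
    return entries


def triage(entries: Sequence[HjtEntry],
           remove_folders: Sequence[str] = ()) -> List[Tuple[HjtEntry, str]]:
    """Return (entry, reason) pairs for entries a helper would tick.

    Two rules only: orphaned entries ("(no file)") are leftovers that no
    longer load anything, and entries whose DLL lives under a folder already
    slated for deletion would become orphaned the moment that folder goes.
    Everything else is left for a human to judge.
    """
    folders = [f.rstrip("\\").lower() for f in remove_folders]
    flagged: List[Tuple[HjtEntry, str]] = []
    for e in entries:
        if e.path == "(no file)":
            flagged.append((e, "orphaned: registry entry points to a file that no longer exists"))
            continue
        p = e.path.lower()
        for f in folders:
            if p.startswith(f + "\\"):
                flagged.append((e, f"loads from a folder slated for removal: {f}"))
                break
    return flagged


def fix_list(flagged: Sequence[Tuple[HjtEntry, str]]) -> List[str]:
    """The raw lines to tick in HijackThis, in log order."""
    return [e.raw for e, _ in flagged]


if __name__ == "__main__":
    # The folder name is the one the post says to delete (constructed argument).
    hits = triage(parse_hjt(SAMPLE_LOG), remove_folders=[r"C:\Program Files\InternetProgram"])
    for entry, reason in hits:
        print(f"{entry.section} {entry.clsid}  <- {reason}")
```

Only the three entries from the post come back flagged; the constructed fourth entry has an existing path outside the removal folder and is left alone, which is the point: "(no file)" leftovers are safe to clear, but a BHO that still loads a real DLL needs a human decision before it is fixed.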

Re: malware

Unread postby peterC » March 29th, 2008, 12:50 pm

Hi Carolyn,
Enclosed reports as requested.
With regards to my laptop behaviour, I seem to be getting quite a few ads popping up here and there, although I am very careful when navigating. I am still getting "program not responding, send error report" etc., and I am unable to access search (as in Start, Search); I just get an untitled window with no facility to search files and folders. I hope this helps.
Kind regards,
Peter

DAFT Log saved on 2008-03-29 09:26:36
-----------------------------------------------------------------------
All associations okay!


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 29, 2008 4:39:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/03/2008
Kaspersky Anti-Virus database records: 672073
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 57685
Number of viruses found: 8
Number of infected objects: 75
Number of suspicious objects: 0
Duration of the scan process: 00:50:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\cert8.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\history.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\key3.db Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\parent.lock Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\search.sqlite Object is locked skipped
C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbdam Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbdao Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbeam Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbeao Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbm Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\fii.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\fiih.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\hp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\rpm.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Desktop\41f6642698f1\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\2yb0hq5j.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\uploads.db Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008032920080330\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DF93ED.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~DFB4E9.tmp Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\My Documents\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\User\My Documents\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\User\My Documents\keyfinder.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\Program Files\ezt\webhancer.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\ezt\webhancer.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\ezt\webhancer.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\ezt\webhancer.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\ezt\webhancer.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Program Files\ezt\webhancer.exe RarSFX: infected - 5 skipped
C:\Program Files\Passware\ariskkey.dll Infected: not-a-virus:PSWTool.Win32.Aster.55 skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080329-083144-859.dll Infected: not-a-virus:AdWare.Win32.Agent.ahl skipped
C:\SDFix\backups\backups.zip/backups/update.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\SDFix\backups\backups.zip/backups/update.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\SDFix\backups\backups.zip/backups/update.exe Infected: Trojan.NSIS.StartPage.c skipped
C:\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP396\A0030922.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.az skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030998.dll Infected: not-a-virus:AdWare.Win32.Agent.alo skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP403\A0031365.dll Infected: not-a-virus:AdWare.Win32.BHO.pm skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031829.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031829.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031829.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031841.exe/stream/Script Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031841.exe/stream Infected: Trojan.NSIS.StartPage.c skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031841.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP449\A0036776.dll Infected: not-a-virus:AdWare.Win32.Agent.ahl skipped
C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP449\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_460.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:40:58, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC56E2C-5CA0-4E9F-BD10-B4CB3DA37D18}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13300 bytes
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am
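The log above is the kind of HijackThis v2 output that helpers on this forum read by hand: each line carries a section code (R0/R1 for IE start and search pages, O2 for BHOs, O4 for Run keys, O16 for downloaded ActiveX, O17 for name servers, O20 for AppInit_DLLs, O23 for services), an optional name and CLSID, and usually a file path. The following is an added example, written for this page and not code from the forum, from Trend Micro, or from HijackThis itself. It parses lines in that format and applies a few triage heuristics of my own choosing (entries whose file is missing, unnamed entries, RunOnce keys, AppInit_DLLs, custom name servers, ActiveX fetched from a URL, services with an unknown owner). The sample log embedded in the block is constructed from entries of the kind shown above; the regular expressions, the flag names and the `Entry` type are assumptions of this example, not anything HijackThis defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the HijackThis v2.0.2 log format. The entries mirror
# lines of the kind that appear in the log posted above; the header line, the
# "Running processes:" line and one process path are included to show that the
# parser skips everything that is not an R*/O* entry.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\RunOnce: [WCIEClnOnce] C:\Program Files\blcorp\WCCSC\WCOC\WCNSCln.exe /WCI
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC56E2C-5CA0-4E9F-BD10-B4CB3DA37D18}: NameServer = 80.58.0.33,80.58.32.97
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
"""

# An entry line is "<code> - <body>", where code is R or O followed by a number.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# A COM class id in registry form, e.g. {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}.
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)
# First Windows path ending in a loadable module; 8.3 short names are accepted.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|scr|cpl|sys|ocx)\b", re.IGNORECASE)


@dataclass
class Entry:
    code: str                        # section code such as "O4" or "R1" (assumed type)
    body: str                        # text after "<code> - "
    clsids: List[str] = field(default_factory=list)
    path: Optional[str] = None       # first module path found in the body, if any
    flags: List[str] = field(default_factory=list)


def triage(code: str, body: str) -> List[str]:
    """Heuristic review flags for one entry (rules chosen for this example)."""
    flags = []
    if "(no file)" in body or "(file missing)" in body:
        flags.append("orphaned")         # registry points at a file that is gone
    if "(no name)" in body:
        flags.append("unnamed")          # loaded component with no display name
    if code == "O4" and "RunOnce" in body:
        flags.append("runonce")          # one-shot autostart, often left by installers/cleaners
    if code == "O20":
        flags.append("appinit_dll")      # DLL injected into every user32-linked process
    if code == "O17":
        flags.append("nameserver")       # DNS server override on an interface; verify it is the ISP's
    if code == "O16" and "http" in body.lower():
        flags.append("remote_activex")   # ActiveX control downloaded from a URL
    if code == "O23" and "Unknown owner" in body:
        flags.append("unknown_owner")    # service binary without a vendor string
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse every R*/O* line of a HijackThis log; other lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(
            code=code,
            body=body,
            clsids=CLSID_RE.findall(body),
            path=pm.group(0) if pm else None,
            flags=triage(code, body),
        ))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries that deserve a second look by a human reviewer."""
    return [e for e in entries if e.flags]


def count_by_code(entries: List[Entry]) -> Dict[str, int]:
    """Number of entries per section code, a quick shape of the log."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(count_by_code(parsed))
    for e in flagged(parsed):
        print(f"{e.code:<4} {','.join(e.flags):<24} {e.path or '-'}")
```

The flags are review prompts, not verdicts: an O17 name server may well be the ISP's resolver, and an O23 with "Unknown owner" is often just a product without a version resource. The value of the parser is that it turns a long log into a short list of entries a helper must actually check against the vendor path and file presence, exactly the work done by hand in this thread.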

Re: malware

Unread postby Carolyn » April 1st, 2008, 1:04 pm

I am still getting program not responding send error report

Can you be more specific - which programs are "not responding"?


Boot to Safe Mode
Please print the instructions below or copy and paste to Notepad since you will not have internet access while in Safe Mode.

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, continually press F8.
* Instead of Windows loading as normal, a menu should appear
* Select the first option, to run Windows in Safe Mode.


Now, enable the Show Hidden Folders option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files and folders; if found, delete them (some may not be present after previous steps):

C:\Documents and Settings\User\My Documents\keyfinder.exe <<File
C:\Program Files\ezt <<Folder
C:\Program Files\Passware <<Folder

Now empty your Recycle Bin.

Boot to Normal Mode


Please post a fresh HijackThis log and a description of how your computer is behaving along with details of which programs are not responding.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: malware

Unread postby peterC » April 1st, 2008, 3:38 pm

Hi Carolyn,
Thanks again,
Enclosed log file as requested.

I don't really use much more than Firefox, and iTunes to listen to the radio, so it seems at the moment to be these that tell me that the program is not responding. Also, after the last task you asked me to perform, I have acquired an icon on the desktop entitled THUMBS.db, which when I try to delete gives me a Confirm File Delete window which says: THUMBS.db is a system file; if you remove it, your computer or one of your programs may no longer work correctly. Needless to say, I have not deleted it.
Also, I don't know if it is of any help to you, but I am unable to perform a system restore. It always tells me that it cannot restore to that point, no matter how far back I try.
Thanks again, and here is the log file you requested,
Kind regards,
Peter


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:25:16, on 01/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\RunOnce: [WCIEClnOnce] C:\Program Files\blcorp\WCCSC\WCOC\WCNSCln.exe /WCI
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC56E2C-5CA0-4E9F-BD10-B4CB3DA37D18}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13415 bytes
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am

Re: malware

Unread postby Carolyn » April 2nd, 2008, 1:21 pm

Hi Peter,

The Thumbs.db file is nothing to be concerned about. A lot of programs produce such a file. It is normally hidden. We'll deal with that later.

We do not want to use any of the restore points that are currently on your computer because they are infected. Please do not do anything with system restore until instructed to do so.


  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    Code:
    C:\fsbl.exe /expert

  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log


Remove Old Java Versions
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 8
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Note: Do not remove Java(TM) 6 Update 5 - that is the current version!
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Old Java components are removed.


Remove bad HijackThis entry
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Please post another HijackThis log along with the Blacklight log and tell me if your antivirus program is warning you of any malware.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
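The "Remove bad HijackThis entry" step above targets an orphaned O3 toolbar entry: a registry key that still names a toolbar but points at "(no file)". As an added example (not a tool from this thread, and not part of HijackThis itself), here is a small Python triage script that reads lines in the HijackThis v2 format and flags the entries a helper looks at first: orphaned entries ("(no file)", "(file missing)"), Run entries that start a bare filename rather than a full path, and AppInit_DLLs entries, which load into every process that links user32.dll. The sample lines are constructed from the kinds of entries in Peter's logs; the flag reasons and function names are my own.

```python
"""Triage helper for HijackThis v2 log lines (added example; not a tool from this thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the HijackThis v2 line format. It mixes entries of the kinds
# seen in the logs in this thread: a harmless BHO, the orphaned "(no name)/(no file)"
# toolbar entry the helper asked to be fixed, a Run entry with an unqualified filename,
# an AppInit_DLLs entry and a service whose binary is gone.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {28BC2EC4-5EAD-45E1-9F9F-82CD5E293601} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis entry line starts with a section tag (O2, O4, O23, R1, ...) and " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O3"
    line: str      # the original log line
    reason: str    # why a helper would look at it


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split an entry line into (section, body); return None for headers and process paths."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def _command_target(body: str) -> str:
    """Return the executable named by an O4 Run entry body, e.g. 'stsystra.exe'."""
    after = body.split("]", 1)[1].strip() if "]" in body else body
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]   # quoted path, possibly with spaces
    return after.split(" ", 1)[0]          # unquoted: first token is the target


def _is_qualified(target: str) -> bool:
    """A full path carries a drive letter or a directory separator."""
    return "\\" in target or ":" in target


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, body = parsed
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, raw, "orphaned entry: the registry still points at a file that no longer exists"))
        elif section == "O4" and "Run" in body and "]" in body and not _is_qualified(_command_target(body)):
            findings.append(Finding(section, raw, "Run entry names a bare filename; confirm which copy on the search path actually starts"))
        elif section == "O20":
            findings.append(Finding(section, raw, "AppInit_DLLs loads into every process that links user32.dll; verify the DLL's publisher"))
        elif section in ("O2", "O3") and "(no name)" in body:
            findings.append(Finding(section, raw, "unnamed BHO/toolbar; identify the CLSID before keeping it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The script only reads the log; it does not touch the registry. Orphaned entries are the safe ones to fix in HijackThis because nothing is loaded from them any more; the other two flags are prompts to verify, since both examples in the sample (the Sigmatel tray applet and the Google Desktop DLL) are legitimate software in Peter's logs.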

Re: malware

Unread postby peterC » April 2nd, 2008, 2:29 pm

Hi Carolyn,
Logs attached as requested, and antivirus not showing up anything.
Regards,
Peter


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12:19, on 02/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC56E2C-5CA0-4E9F-BD10-B4CB3DA37D18}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13238 bytes




04/02/08 18:41:06 [Info]: BlackLight Engine 1.0.70 initialized
04/02/08 18:41:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/02/08 18:41:06 [Note]: 7019 4
04/02/08 18:41:06 [Note]: 7005 0
04/02/08 18:41:24 [Note]: 7006 0
04/02/08 18:41:24 [Note]: 7022 0
04/02/08 18:41:24 [Note]: 7011 2020
04/02/08 18:41:24 [Note]: 7035 0
04/02/08 18:41:24 [Note]: 7026 0
04/02/08 18:41:24 [Note]: 7026 0
04/02/08 18:41:27 [Note]: FSRAW library version 1.7.1024
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:51:11 [Note]: 2000 1012
04/02/08 18:53:55 [Note]: 7007 0
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am

Re: malware

Unread postby Carolyn » April 3rd, 2008, 10:15 am

Hi Peter,

Those logs look good. Please tell me once more how the PC is behaving and what kind, if any, AntiVirus alerts are still there. I would like to see another HijackThis log as well. :)
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: malware

Unread postby peterC » April 3rd, 2008, 4:48 pm

Hi Carolyn,
I am still having trouble with the start/search facility, in as much as I just get an untitled window, which I can do nothing with. Also, and I don't know if it is of any significance, I have lost my desktop theme and cannot retrieve it.
I have just done a scan with avast antivirus, and the same malware is coming up that I have had for a long time.
It comes up about 8 times in groups of 4, and consists of just 2 filenames as follows.

C:\system volume information \_restore 699879AF-FOCA-4BBE-849F-43E
C:\system volume information \_restore 699879A5-FOCA-4BBE-849F-43E

Malware name win32 adware-gen (adw)

Malware type these are normally firstly Adware then Trojan horse then adware and finally Dialer

I have enclosed some log errors that I managed to copy from avast, but I don't know if they will be of any use to you, and also the latest HijackThis log.
I hope this makes sense to you,
Kind regards,
Peter


09/02/2007 20:37:00 SYSTEM 656 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
09/02/2007 20:37:00 SYSTEM 656 An error has occured while attempting to update. Please check the logs.
14/02/2007 15:19:04 SYSTEM 252 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
14/02/2007 15:19:04 SYSTEM 252 An error has occured while attempting to update. Please check the logs.
11/03/2007 13:34:09 SYSTEM 672 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\Morpheus\mymorpheusToolbar.exe" file.
13/03/2007 17:49:11 SYSTEM 644 Sign of "Win32:VB-IE [Wrm]" has been found in "C:\Documents and Settings\User\Shared\'Heroes Of Might And Magic Coleccion [PC][DVD][Spanish-English][www.emwreloaded.com].zip\Setup.exe" file.
08/04/2007 21:15:28 SYSTEM 680 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\loudcash3.exe" file.
08/04/2007 21:16:15 SYSTEM 680 Sign of "Win32:VB-MM [Wrm]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\63mm.exe" file.
08/04/2007 21:16:40 SYSTEM 680 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\loudcash3.exe" file.
08/04/2007 21:17:19 SYSTEM 680 Sign of "Win32:VB-MM [Wrm]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\63mm.exe" file.
08/04/2007 21:19:54 SYSTEM 680 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\loudcash3.exe" file.
08/04/2007 21:20:05 SYSTEM 680 Sign of "Win32:VB-MM [Wrm]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\63mm.exe" file.
09/04/2007 16:33:28 User 684 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\tzl19.tmp" file.
16/07/2007 21:22:23 SYSTEM 856 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
16/07/2007 21:22:23 SYSTEM 856 An error has occured while attempting to update. Please check the logs.
30/09/2007 10:07:24 User 844 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Program Files\Morpheus\mymorpheusToolbar.exe" file.
25/10/2007 16:17:46 SYSTEM 844 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
25/10/2007 16:17:46 SYSTEM 844 An error has occured while attempting to update. Please check the logs.
28/10/2007 13:15:19 User 4044 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Passware\un-ariskkey.exe" file.
28/10/2007 13:21:16 User 4044 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP306\A0025771.exe" file.
29/10/2007 16:24:11 SYSTEM 880 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
29/10/2007 16:24:11 SYSTEM 880 An error has occured while attempting to update. Please check the logs.
21/11/2007 14:27:31 SYSTEM 976 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
21/11/2007 14:27:33 SYSTEM 976 An error has occured while attempting to update. Please check the logs.
11/12/2007 17:47:05 SYSTEM 1096 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\whAgent.exe" file.
11/12/2007 17:47:11 SYSTEM 1096 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\whInstaller.exe" file.
11/12/2007 17:47:13 SYSTEM 1096 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\webhdll.dll" file.
11/12/2007 17:47:16 SYSTEM 1096 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\whiehlpr.dll" file.
22/12/2007 20:11:55 SYSTEM 1104 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
22/12/2007 20:11:56 SYSTEM 1104 An error has occured while attempting to update. Please check the logs.
23/12/2007 18:04:03 SYSTEM 1140 Sign of "Win32:Dialer-gen [Trj]" has been found in "C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll" file.
26/12/2007 13:03:32 SYSTEM 1072 Sign of "Win32:TrafficSol [Adw]" has been found in "C:\Documents and Settings\User\Shared\burn dvd windows shareware wet and wild.zip\setup.exe\$[37]\$PLUGINSDIR\bann.exe\$SYSDIR\$SYSDIR\spads.dll\[UPX]" file.
27/12/2007 14:43:55 SYSTEM 1072 Sign of "Win32:TrafficSol [Adw]" has been found in "C:\WINDOWS\system32\spads.dll\[UPX]" file.
27/12/2007 14:44:14 SYSTEM 1072 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\whInstaller.exe" file.
27/12/2007 14:44:19 SYSTEM 1072 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX0\whiehlpr.dll" file.
27/12/2007 14:50:58 SYSTEM 1072 Sign of "Win32:TrafficSol [Adw]" has been found in "C:\Documents and Settings\User\Shared\[Full] file converters with Bonus.zip\setup.exe\$[37]\$PLUGINSDIR\bann.exe\$SYSDIR\$SYSDIR\spads.dll\[UPX]" file.
27/12/2007 14:51:05 SYSTEM 1072 Sign of "Win32:TrafficSol [Adw]" has been found in "C:\Documents and Settings\User\Shared\file converters (uncensored).zip\setup.exe\$[37]\$PLUGINSDIR\bann.exe\$SYSDIR\$SYSDIR\spads.dll\[UPX]" file.
27/12/2007 15:09:59 SYSTEM 1072 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\PlayMP3z\PlayMP3.exe" file.
27/12/2007 18:37:18 SYSTEM 1072 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://www.top5soft.com/files/avi-pro_r77019.exe (C:\WINDOWS\TEMP\_avast4_\unp165446069.tmp) returning error, 00000084.
27/12/2007 19:09:43 SYSTEM 1072 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://wgt.digitalriver.com/wgt/9ae15da ... Thk707.exe (C:\WINDOWS\TEMP\_avast4_\unp66718165.tmp) returning error, 00000084.
08/01/2008 21:32:07 SYSTEM 1076 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
08/01/2008 21:32:07 SYSTEM 1076 An error has occured while attempting to update. Please check the logs.
09/01/2008 15:11:35 User 2372 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
09/01/2008 16:59:26 User 2372 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
09/01/2008 16:59:32 User 2372 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
09/01/2008 16:59:38 User 2372 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
09/01/2008 17:08:44 User 2372 Sign of "Win32:180Solutions-C [Adw]" has been found in "C:\Program Files\ZangoToolbar\ZangoInstaller.exe" file.
09/01/2008 17:14:08 User 2372 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whAgent.exe" file.
09/01/2008 17:14:15 User 2372 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whInstaller.exe" file.
09/01/2008 17:14:21 User 2372 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\webhdll.dll" file.
09/01/2008 17:14:25 User 2372 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whiehlpr.dll" file.
09/01/2008 17:19:01 User 2372 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
09/01/2008 17:19:09 User 2372 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
09/01/2008 17:19:14 User 2372 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
09/01/2008 17:19:18 User 2372 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
09/01/2008 17:19:21 User 2372 Sign of "Win32:180Solutions-C [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030315.exe" file.
13/01/2008 16:30:41 User 972 Sign of "Win32:Adan-156 [Adw]" has been found in "C:\Program Files\DivX\DivX Pro Codec\Gain_Trickler.exe" file.
16/01/2008 11:10:35 User 3760 Sign of "Win32:WimAD-I [Trj]" has been found in "C:\Documents and Settings\User\My Documents\My Music\TOTALLY HIP TRACK.wma" file.
16/01/2008 11:20:33 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
16/01/2008 11:20:39 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
16/01/2008 11:20:46 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
16/01/2008 11:20:51 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
16/01/2008 11:33:51 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whAgent.exe" file.
16/01/2008 11:34:05 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whInstaller.exe" file.
16/01/2008 11:34:11 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\webhdll.dll" file.
16/01/2008 11:34:14 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whiehlpr.dll" file.
16/01/2008 11:38:46 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
16/01/2008 11:38:57 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
16/01/2008 11:38:59 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
16/01/2008 11:39:02 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
16/01/2008 11:39:50 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
16/01/2008 11:40:00 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
16/01/2008 11:40:05 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
16/01/2008 11:40:29 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
16/01/2008 11:58:16 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
16/01/2008 11:58:42 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
16/01/2008 11:59:07 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
16/01/2008 12:19:37 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
16/01/2008 12:19:50 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
16/01/2008 12:19:50 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
16/01/2008 12:19:50 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
16/01/2008 12:32:47 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whAgent.exe" file.
16/01/2008 12:32:47 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whInstaller.exe" file.
16/01/2008 12:32:47 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\webhdll.dll" file.
16/01/2008 12:32:47 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whiehlpr.dll" file.
16/01/2008 12:37:56 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
16/01/2008 12:37:56 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
16/01/2008 12:37:56 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
16/01/2008 12:37:56 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
16/01/2008 12:38:41 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
16/01/2008 12:38:41 User 3760 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
16/01/2008 12:38:41 User 3760 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
16/01/2008 12:38:42 User 3760 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
16/01/2008 15:21:17 User 1080 Sign of "Win32:Adan-156 [Adw]" has been found in "C:\Program Files\DivX\DivX Pro Codec\Gain_Trickler.exe" file.
28/01/2008 08:06:23 User 1092 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" file.
29/01/2008 08:44:12 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
29/01/2008 08:51:36 User 5660 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
29/01/2008 08:51:39 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
29/01/2008 08:51:42 User 5660 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
29/01/2008 09:03:50 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whAgent.exe" file.
29/01/2008 09:18:47 User 5660 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whInstaller.exe" file.
29/01/2008 09:18:47 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\webhdll.dll" file.
29/01/2008 09:18:48 User 5660 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whiehlpr.dll" file.
29/01/2008 09:23:30 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
29/01/2008 09:31:57 User 5660 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
29/01/2008 09:32:08 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
29/01/2008 09:32:10 User 5660 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
29/01/2008 09:32:58 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
29/01/2008 09:38:34 User 5660 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
29/01/2008 09:38:37 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
29/01/2008 09:38:38 User 5660 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
29/01/2008 09:39:35 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP396\A0030922.DLL" file.
29/01/2008 10:07:01 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
29/01/2008 10:30:57 User 5660 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
29/01/2008 10:31:08 User 5660 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
29/01/2008 10:31:08 User 5660 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
06/02/2008 10:14:02 SYSTEM 948 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
06/02/2008 10:14:03 SYSTEM 948 An error has occured while attempting to update. Please check the logs.
06/02/2008 20:30:40 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
06/02/2008 20:31:03 User 1756 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
06/02/2008 20:31:11 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
06/02/2008 20:31:25 User 1756 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
06/02/2008 20:43:03 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whAgent.exe" file.
06/02/2008 20:43:37 User 1756 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whInstaller.exe" file.
06/02/2008 20:43:43 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\webhdll.dll" file.
06/02/2008 20:43:48 User 1756 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whiehlpr.dll" file.
06/02/2008 20:48:40 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
06/02/2008 20:49:15 User 1756 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
06/02/2008 20:49:18 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
06/02/2008 20:49:22 User 1756 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
06/02/2008 20:50:19 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
06/02/2008 20:50:25 User 1756 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
06/02/2008 20:50:29 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
06/02/2008 20:50:33 User 1756 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
06/02/2008 20:51:38 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
06/02/2008 20:51:51 User 1756 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
06/02/2008 20:51:54 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
06/02/2008 20:51:58 User 1756 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
06/02/2008 20:53:43 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whAgent.exe" file.
06/02/2008 20:53:50 User 1756 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whInstaller.exe" file.
06/02/2008 20:53:54 User 1756 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\webhdll.dll" file.
06/02/2008 20:53:57 User 1756 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whiehlpr.dll" file.
14/02/2008 09:27:45 SYSTEM 892 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: D:\VBRUN300.DLL (D:\VBRUN300.DLL) returning error, 0000001E.
06/03/2008 17:56:54 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
06/03/2008 17:57:08 User 3956 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
06/03/2008 17:57:15 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
06/03/2008 17:57:21 User 3956 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
06/03/2008 18:09:14 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whAgent.exe" file.
06/03/2008 18:09:24 User 3956 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whInstaller.exe" file.
06/03/2008 18:09:31 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\webhdll.dll" file.
06/03/2008 18:09:36 User 3956 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP345\A0027882.exe\$INSTDIR\Downloads\webhancer.exe\whiehlpr.dll" file.
06/03/2008 18:13:39 User 3956 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP369\A0029931.exe" file.
06/03/2008 18:13:57 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP369\A0029944.dll" file.
06/03/2008 18:15:22 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
06/03/2008 18:15:28 User 3956 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
06/03/2008 18:15:35 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
06/03/2008 18:15:42 User 3956 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
06/03/2008 18:16:41 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
06/03/2008 18:16:46 User 3956 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
06/03/2008 18:16:52 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
06/03/2008 18:16:57 User 3956 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
06/03/2008 18:18:12 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
06/03/2008 18:18:17 User 3956 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
06/03/2008 18:18:22 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
06/03/2008 18:18:28 User 3956 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
06/03/2008 18:19:45 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP403\A0031360.dll" file.
06/03/2008 18:19:53 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP403\A0031366.dll" file.
06/03/2008 18:20:26 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whAgent.exe" file.
06/03/2008 18:20:33 User 3956 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whInstaller.exe" file.
06/03/2008 18:20:38 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\webhdll.dll" file.
06/03/2008 18:20:43 User 3956 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whiehlpr.dll" file.
06/03/2008 18:22:23 User 3956 Sign of "Win32:Gaobot-2435 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP412\A0032350.exe" file.
06/03/2008 18:25:30 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whAgent.exe" file.
06/03/2008 18:25:35 User 3956 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whInstaller.exe" file.
06/03/2008 18:25:41 User 3956 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\webhdll.dll" file.
06/03/2008 18:25:47 User 3956 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whiehlpr.dll" file.
13/03/2008 14:38:21 User 892 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\PlayMP3z\PlayMP3.exe" file.
14/03/2008 07:32:03 User 892 Sign of "Win32:Agent-OQR [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\GUQF296\en.exe" file.
14/03/2008 07:32:18 User 892 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\GUQF296\vnk.exe" file.
14/03/2008 07:32:22 User 892 Sign of "Win32:Small-IKZ [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\GUQF296\we.exe\[UPX]" file.
14/03/2008 09:36:18 User 892 Sign of "Win32:Agent-OQR [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\GUQF296\en.exe" file.
14/03/2008 09:36:22 User 892 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\GUQF296\vnk.exe" file.
14/03/2008 09:36:25 User 892 Sign of "Win32:Small-IKZ [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\GUQF296\we.exe\[UPX]" file.
15/03/2008 10:17:32 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
15/03/2008 15:26:26 User 3900 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
15/03/2008 15:26:27 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
15/03/2008 15:26:28 User 3900 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
15/03/2008 15:41:00 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
15/03/2008 15:41:03 User 3900 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
15/03/2008 15:41:04 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
15/03/2008 15:41:05 User 3900 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
15/03/2008 15:41:54 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
15/03/2008 15:41:59 User 3900 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
15/03/2008 15:42:00 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
15/03/2008 15:42:01 User 3900 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
15/03/2008 15:43:14 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
15/03/2008 15:43:18 User 3900 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
15/03/2008 15:43:19 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
15/03/2008 15:43:21 User 3900 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
15/03/2008 15:45:05 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whAgent.exe" file.
15/03/2008 15:45:08 User 3900 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whInstaller.exe" file.
15/03/2008 15:45:09 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\webhdll.dll" file.
15/03/2008 15:45:11 User 3900 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whiehlpr.dll" file.
15/03/2008 15:49:26 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whAgent.exe" file.
15/03/2008 15:49:31 User 3900 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whInstaller.exe" file.
15/03/2008 15:49:33 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\webhdll.dll" file.
15/03/2008 15:49:34 User 3900 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whiehlpr.dll" file.
15/03/2008 15:51:28 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whAgent.exe" file.
15/03/2008 15:51:36 User 3900 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whInstaller.exe" file.
15/03/2008 15:51:37 User 3900 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\webhdll.dll" file.
15/03/2008 15:51:39 User 3900 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whiehlpr.dll" file.
19/03/2008 08:03:19 SYSTEM 920 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\IntelligentAdvisor\IntelligentAdvisor-2.dll" file.
20/03/2008 12:22:30 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
20/03/2008 12:22:40 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
20/03/2008 12:22:52 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
20/03/2008 12:23:06 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
20/03/2008 12:35:06 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP370\A0029973.dll" file.
20/03/2008 12:36:14 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
20/03/2008 13:02:02 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
20/03/2008 13:02:06 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
20/03/2008 13:02:08 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
20/03/2008 13:02:56 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
20/03/2008 13:03:03 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
20/03/2008 13:03:06 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
20/03/2008 13:03:07 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
20/03/2008 13:04:09 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
20/03/2008 13:04:13 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
20/03/2008 13:04:15 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
20/03/2008 13:05:00 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
20/03/2008 13:06:17 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP403\A0031375.dll" file.
20/03/2008 13:06:44 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP403\A0031395.exe" file.
20/03/2008 13:06:56 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whAgent.exe" file.
20/03/2008 13:07:01 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whInstaller.exe" file.
20/03/2008 13:07:20 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\webhdll.dll" file.
20/03/2008 13:07:22 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whiehlpr.dll" file.
20/03/2008 13:11:29 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whAgent.exe" file.
20/03/2008 13:11:36 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whInstaller.exe" file.
20/03/2008 13:11:38 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\webhdll.dll" file.
20/03/2008 13:11:41 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whiehlpr.dll" file.
20/03/2008 13:13:40 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whAgent.exe" file.
20/03/2008 13:13:45 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whInstaller.exe" file.
20/03/2008 13:13:48 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\webhdll.dll" file.
20/03/2008 13:13:49 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whiehlpr.dll" file.
20/03/2008 13:14:08 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP439\A0035894.dll" file.
20/03/2008 13:14:21 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035924.exe" file.
20/03/2008 13:14:24 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whAgent.exe" file.
20/03/2008 13:14:26 User 2972 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whInstaller.exe" file.
20/03/2008 13:14:28 User 2972 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\webhdll.dll" file.
20/03/2008 13:14:29 User 2972 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whiehlpr.dll" file.
20/03/2008 17:03:36 SYSTEM 892 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
20/03/2008 17:03:38 SYSTEM 892 An error has occured while attempting to update. Please check the logs.
20/03/2008 21:26:12 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\whAgent.exe" file.
20/03/2008 21:26:25 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whInstaller.exe" file.
20/03/2008 21:26:27 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\ezt\webhancer.exe\webhdll.dll" file.
20/03/2008 21:26:28 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\Program Files\ezt\webhancer.exe\whiehlpr.dll" file.
20/03/2008 21:39:47 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
20/03/2008 21:39:58 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
20/03/2008 21:40:00 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
20/03/2008 21:40:01 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
20/03/2008 21:40:50 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
20/03/2008 21:40:56 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
20/03/2008 21:40:57 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
20/03/2008 21:40:58 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
20/03/2008 21:42:02 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
20/03/2008 21:43:42 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
20/03/2008 21:43:45 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
20/03/2008 21:43:47 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
20/03/2008 21:45:14 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whAgent.exe" file.
20/03/2008 21:45:21 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whInstaller.exe" file.
20/03/2008 21:45:22 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\webhdll.dll" file.
20/03/2008 21:45:23 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whiehlpr.dll" file.
20/03/2008 21:49:33 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whAgent.exe" file.
20/03/2008 21:49:42 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whInstaller.exe" file.
20/03/2008 21:49:43 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\webhdll.dll" file.
20/03/2008 21:49:44 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whiehlpr.dll" file.
20/03/2008 21:51:40 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whAgent.exe" file.
20/03/2008 21:51:47 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whInstaller.exe" file.
20/03/2008 21:51:48 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\webhdll.dll" file.
20/03/2008 21:51:49 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whiehlpr.dll" file.
20/03/2008 21:52:14 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whAgent.exe" file.
20/03/2008 21:52:20 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whInstaller.exe" file.
20/03/2008 21:52:20 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\webhdll.dll" file.
20/03/2008 21:52:21 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whiehlpr.dll" file.
20/03/2008 21:53:07 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whAgent.exe" file.
20/03/2008 21:53:10 User 2140 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whInstaller.exe" file.
20/03/2008 21:53:11 User 2140 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\webhdll.dll" file.
20/03/2008 21:53:12 User 2140 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whiehlpr.dll" file.
03/04/2008 18:47:27 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
03/04/2008 19:05:21 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
03/04/2008 19:05:42 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
03/04/2008 19:05:48 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
03/04/2008 19:06:37 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
03/04/2008 19:06:42 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
03/04/2008 19:06:44 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
03/04/2008 19:06:45 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
03/04/2008 19:07:52 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
03/04/2008 19:08:25 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
03/04/2008 19:08:28 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
03/04/2008 19:08:30 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
03/04/2008 19:09:57 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whAgent.exe" file.
03/04/2008 19:10:28 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whInstaller.exe" file.
03/04/2008 19:10:32 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\webhdll.dll" file.
03/04/2008 19:10:34 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whiehlpr.dll" file.
03/04/2008 19:14:47 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whAgent.exe" file.
03/04/2008 19:15:27 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whInstaller.exe" file.
03/04/2008 19:15:28 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\webhdll.dll" file.
03/04/2008 19:15:42 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whiehlpr.dll" file.
03/04/2008 19:17:37 User 2496 Sign of "Win32:Agent-TPR [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP435\A0035760.exe\$INSTDIR\vnk.dat" file.
03/04/2008 19:18:15 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whAgent.exe" file.
03/04/2008 19:18:23 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whInstaller.exe" file.
03/04/2008 19:18:25 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\webhdll.dll" file.
03/04/2008 19:18:26 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whiehlpr.dll" file.
03/04/2008 19:18:51 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whAgent.exe" file.
03/04/2008 19:18:57 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whInstaller.exe" file.
03/04/2008 19:18:59 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\webhdll.dll" file.
03/04/2008 19:19:00 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whiehlpr.dll" file.
03/04/2008 19:19:46 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whAgent.exe" file.
03/04/2008 19:19:49 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whInstaller.exe" file.
03/04/2008 19:19:49 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\webhdll.dll" file.
03/04/2008 19:19:50 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whiehlpr.dll" file.
03/04/2008 19:21:38 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\whAgent.exe" file.
03/04/2008 19:21:40 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\whInstaller.exe" file.
03/04/2008 19:21:41 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\webhdll.dll" file.
03/04/2008 19:21:42 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\whiehlpr.dll" file.
03/04/2008 20:44:09 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whAgent.exe" file.
03/04/2008 20:44:31 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whInstaller.exe" file.
03/04/2008 20:44:34 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\webhdll.dll" file.
03/04/2008 20:44:37 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP381\A0030314.exe\whiehlpr.dll" file.
03/04/2008 20:45:26 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whAgent.exe" file.
03/04/2008 20:45:31 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whInstaller.exe" file.
03/04/2008 20:45:35 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\webhdll.dll" file.
03/04/2008 20:45:45 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP387\A0030621.exe\whiehlpr.dll" file.
03/04/2008 20:46:49 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whAgent.exe" file.
03/04/2008 20:48:20 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whInstaller.exe" file.
03/04/2008 20:48:22 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\webhdll.dll" file.
03/04/2008 20:48:31 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP397\A0030995.exe\whiehlpr.dll" file.
03/04/2008 20:50:00 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whAgent.exe" file.
03/04/2008 20:51:31 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whInstaller.exe" file.
03/04/2008 20:51:34 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\webhdll.dll" file.
03/04/2008 20:51:37 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP404\A0031448.exe\whiehlpr.dll" file.
03/04/2008 20:55:41 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whAgent.exe" file.
03/04/2008 20:56:06 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whInstaller.exe" file.
03/04/2008 20:56:09 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\webhdll.dll" file.
03/04/2008 20:56:11 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP427\A0035041.exe\whiehlpr.dll" file.
03/04/2008 20:58:04 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whAgent.exe" file.
03/04/2008 20:58:30 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whInstaller.exe" file.
03/04/2008 20:58:33 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\webhdll.dll" file.
03/04/2008 20:58:37 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP436\A0035798.exe\whiehlpr.dll" file.
03/04/2008 20:59:03 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whAgent.exe" file.
03/04/2008 20:59:47 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whInstaller.exe" file.
03/04/2008 20:59:49 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\webhdll.dll" file.
03/04/2008 20:59:52 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP440\A0035929.exe\whiehlpr.dll" file.
03/04/2008 21:00:42 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whAgent.exe" file.
03/04/2008 21:00:46 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whInstaller.exe" file.
03/04/2008 21:00:48 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\webhdll.dll" file.
03/04/2008 21:00:50 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP442\A0036349.exe\whiehlpr.dll" file.
03/04/2008 21:02:36 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\whAgent.exe" file.
03/04/2008 21:02:41 User 2496 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\whInstaller.exe" file.
03/04/2008 21:02:42 User 2496 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\webhdll.dll" file.
03/04/2008 21:02:45 User 2496 Sign of "Win32:Dialer-567 [Trj]" has been found in "C:\System Volume Information\_restore{699879A5-F0CA-4BBE-849F-43E6EABBFA94}\RP453\A0037674.exe\whiehlpr.dll" file.



13/07/2007 13:40:21 SYSTEM 844 AAVM - initialization error: Unhandled exception in AavmProviderStop, STANDARD.
29/07/2007 14:55:17 SYSTEM 616 AAVM - initialization error: Unhandled exception in AavmProviderStop, STANDARD.
27/12/2007 18:37:18 SYSTEM 1072 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://www.top5soft.com/files/avi-pro_r77019.exe failed, 00000084.
27/12/2007 19:09:43 SYSTEM 1072 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://wgt.digitalriver.com/wgt/9ae15da ... Thk707.exe failed, 00000084.
14/02/2008 09:27:45 SYSTEM 892 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of D:\VBRUN300.DLL failed, 0000001E.
03/04/2008 19:54:38 User 5636 aswChestInterface - Program error description: CChestListView::OnFileEmailToAlwilSoftware() basNetAlert() failed: 42011.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:31:22, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKCU\..\RunOnce: [WCIEClnOnce] C:\Program Files\blcorp\WCCSC\WCOC\WCNSCln.exe /WCI
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shrink Pic.lnk = C:\Program Files\Shrink Pic\shrink_pic.exe
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/template ... rol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEC56E2C-5CA0-4E9F-BD10-B4CB3DA37D18}: NameServer = 80.58.0.33,80.58.32.97
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13294 bytes
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am

Re: malware

Post by Carolyn » April 4th, 2008, 12:12 pm

Hi Peter,

Please download ATF Cleaner.
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also which process you had to end.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: malware

Post by peterC » April 4th, 2008, 1:42 pm

Hi Carolyn,
No problem with ComboFix, and here is the log.
Regards,
Peter.


ComboFix 08-04-03.5 - User 2008-04-04 18:34:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.500 [GMT 1:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-02 18:39 . 2008-04-02 18:31 1,018,520 --a------ C:\fsbl.exe
2008-03-29 10:30 . 2008-03-29 10:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-29 10:30 . 2008-03-29 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-29 09:51 . 2008-03-29 09:51 <DIR> d-------- C:\Program Files\CCleaner
2008-03-27 09:12 . 2008-03-27 09:12 <DIR> d-------- C:\Deckard
2008-03-27 08:59 . 2008-03-27 08:59 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-03-27 08:58 . 2008-03-27 08:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-27 08:58 . 2008-03-27 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 12:07 . 2008-03-22 12:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-14 09:46 . 2008-04-04 17:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-14 09:46 . 2008-03-14 09:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-14 09:45 . 2008-03-14 09:46 <DIR> d-------- C:\Program Files\iTunes
2008-03-14 09:45 . 2008-03-14 09:45 <DIR> d-------- C:\Program Files\iPod
2008-03-14 09:45 . 2008-03-14 09:45 <DIR> d-------- C:\Program Files\Bonjour
2008-03-14 09:43 . 2008-03-14 09:44 <DIR> d-------- C:\Program Files\QuickTime
2008-03-14 09:43 . 2008-03-14 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-14 09:42 . 2008-03-14 09:42 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-03-06 20:05 . 2008-04-02 17:48 <DIR> d-------- C:\Program Files\Unlocker
2008-03-06 20:05 . 2008-03-06 20:05 <DIR> d-------- C:\Documents and Settings\User\Application Data\Desktopicon
2008-03-06 20:04 . 2008-03-10 15:08 <DIR> d-------- C:\Program Files\DupKiller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 21:23 --------- d-----w C:\Documents and Settings\User\Application Data\shrink_pic
2008-04-03 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-02 18:02 --------- d-----w C:\Program Files\Java
2008-04-02 16:30 --------- d-----w C:\Program Files\UltimateZip 2007
2008-03-27 07:54 --------- d-----w C:\Program Files\eMule
2008-03-26 20:18 --------- d-----w C:\Program Files\Weather Watcher
2008-03-23 20:04 --------- d-----w C:\Documents and Settings\User\Application Data\FrostWire
2008-03-15 08:16 --------- d-----w C:\Program Files\IntelligentAdvisor
2008-03-14 08:46 --------- d-----w C:\Documents and Settings\User\Application Data\Apple Computer
2008-03-11 14:46 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-03-10 14:14 --------- d-----w C:\Program Files\FrostWire
2008-02-06 17:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-11 18:01 54,240 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2007-12-23 17:13 30,601 ----a-w C:\Documents and Settings\User\x.exe
2007-10-03 11:15 0 ----a-w C:\Program Files\gamingGamePuzzleVB.DB
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-01-12 10:15 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-12 10:15 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-01-12 10:15 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-01-12 10:15 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 10:51 68856]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 13:27 2048000]
"Google Update"="C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe" [2008-03-17 18:12 51184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 21:17 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 21:13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 21:17 118784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 19:51 1032192]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 18:30 282624 C:\WINDOWS\stsystra.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 15:13 176128]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 19:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 18:58 696320]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-28 15:24 1836544]
"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 04:41 1122304]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2007-08-15 16:59 374688]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 15:53 169264]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 17:44 303104]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Shrink Pic.lnk - C:\Program Files\Shrink Pic\shrink_pic.exe [2007-09-18 21:08:02 3032472]
YouTube Uploader.lnk - C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 14:33:08 71152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-01-31 18:10:45 124912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"vidc.SEDG"= mcs_vfw.dll
"vidc.xvid"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Program Files\LimeWire\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC-Checkup]
C:\Program Files\Speeditup Free\PCCheckup\PCCheckUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-24 13:11 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone]
C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USRobotics USB Internet Mini Phone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USRobotics USB Internet Mini Phone Control Panel]
C:\Program Files\U.S. Robotics\USB Internet Mini Phone\USB Internet Mini Phone UI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Outlook Express\\msimn.exe"=
"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2004-07-29 03:33]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2004-07-29 04:13]
R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 13:24]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 19:14:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 18:36:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-04 18:37:28
ComboFix-quarantined-files.txt 2008-04-04 17:37:14
Pre-Run: 50,179,170,304 bytes free
Post-Run: 50,165,874,688 bytes free
.
2008-03-12 14:11:29 --- E O F ---
peterC
Active Member
 
Posts: 14
Joined: March 22nd, 2008, 6:49 am