I have been infected, need help please

Post by ironstorm30 » April 24th, 2008, 6:59 pm

My daughter was doing her homework on my computer and must have typed a web address wrong and infected my computer. She does not remember what site it was, but I have the HijackThis log below. I did a scan and it says that I have a rbot.trojan and Worm/suclove.A. Here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:12 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\sysqkmwfedz.exe
C:\WINDOWS\syspyukrazv.exe
C:\WINDOWS\sysawpbkvnq.exe
C:\WINDOWS\sysrxmfdksp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{157627A6-2A10-4aa1-B97F-90B8DC6F24AC}] "C:\WINDOWS\sysqkmwfedz.exe"
O4 - HKLM\..\Run: [{78B578D7-BCE1-4d83-9CD4-195BC34D8CB3}] "C:\WINDOWS\syspyukrazv.exe"
O4 - HKLM\..\Run: [{2C70168B-97CE-4f31-B85D-1FEC5002721D}] "C:\WINDOWS\sysawpbkvnq.exe"
O4 - HKLM\..\Run: [{E4785213-3EFE-4c26-A9B4-332440E31F6F}] "C:\WINDOWS\sysrxmfdksp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\dlm.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/ins ... utions.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11706 bytes
ironstorm30
Active Member
 
Posts: 7
Joined: April 24th, 2008, 6:25 pm

Re: I have been infected, need help please

Post by Bio-Hazard » April 25th, 2008, 4:48 am

Welcome to the MWR forums. My name is Bio-Hazard. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • It is important that you reply to this thread. Do not start a new topic.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.


Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: I have been infected, need help please

Post by ironstorm30 » April 25th, 2008, 6:26 am

Also, just so you know, when I try to do a Norton scan, my computer reboots before it can finish. Here you go:

Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.9
Adobe Shockwave Player
AGEIA PhysX Unreal Tournament 3 Mods
AGEIA PhysX v7.09.13
AppCore
Apple Mobile Device Support
Apple Software Update
Atari Anniversary Edition
AV
Battlefield 2142
Battlefield Vietnam(TM)
Battlefield Vietnam: WW2 Mod
Bonjour
Byteswarm LiveUpdate 2.1.0.3
Call of Duty - United Offensive
Call of Duty Game of the Year Edition
ccCommon
Digital Media Reader
Diner Dash (remove only)
Discware Lite
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
DVD Solution
EA Download Manager
Easy SpyRemover 4.2
EQ2MAP Updater 1.0.6
EverQuest II: Kingdom of Sky
eXtreme
Guild Wars
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
HP Image Zone 4.0
HP Software Update
HP Update
IGN Download Manager 2.2.1
Internet Worm Protection
iPod for Windows 2005-06-26
iTunes
J2SE Runtime Environment 5.0 Update 2
LimeWire 4.13.2
LiveReg (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveX Control Pad
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MONOPOLY CASINO Vegas Edition
Monopoly Tycoon
Movielink Manager
MS Access 97 SP2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multimedia Keyboard Driver
My Sirius Studio
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton Utilities 2002 for Windows
NVIDIA Drivers
NVIDIA nTune
Odyssey Client
OpenMG AAC Add-on Module 1.0.00
OpenMG Limited Patch 4.5-06-05-12-01
OpenMG Secure Module 4.5.01
overland
PDF Manual NW-S200 Series
Photosmart 320,370,7400,8100,8400 Series
Power2Go 4.0
PowerDVD
PunkBuster for Battlefield Vietnam
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Rhapsody Player Engine
Road Runner Medic 5.4
Safari
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
ServiceProvider
Shockwave
SimCity 3000 Unlimited
Skype™ 3.5
Soft Data Fax Modem with SmartCP
SonicStage 4.0
SPBBC 32bit
SpeechRedist
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 5.5
Station Launcher
Symantec
Symantec KB-DocID:2003093015493306
System Requirements Lab
TeamSpeak 2 RC2
Turbo Lister 2
Unreal Tournament 2004
Unreal Tournament 3
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Vampire: The Masquerade - Bloodlines
Ventrilo Client
Ventrilo Server
Viewpoint Media Player
Windows Backup Utility
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
WinZip 11.1
Wireless-B PCI Adapter
ironstorm30
Active Member
 
Posts: 7
Joined: April 24th, 2008, 6:25 pm

Re: I have been infected, need help please

Post by Bio-Hazard » April 25th, 2008, 9:47 am

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. If you select Disable auto-updating for the Viewpoint Manager, the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<<, click Remove.



    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.


P2P Warning!

LimeWire 4.13.2

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources you can expect infestations of malware to occur. Once upon a time P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation. Additional information on the safety of Peer to Peer programs themselves is here: Clean/Infected P2P Programs. Please decide if you want to keep using P2P so I can put it in my next speech if you don't want to keep it.

If you wish to keep them, please do not use them until your computer is cleaned.



Stop processes with Task Manager

Press Control+Alt+Del to enter the Task Manager. Click on the Processes tab and end the following processes (if present). To organize them alphabetically, click the Image Name column header once.

    sysqkmwfedz.exe
    syspyukrazv.exe
    sysawpbkvnq.exe
    sysrxmfdksp.exe

Exit the Task Manager when finished.



Remove bad HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [{157627A6-2A10-4aa1-B97F-90B8DC6F24AC}] "C:\WINDOWS\sysqkmwfedz.exe"
    O4 - HKLM\..\Run: [{78B578D7-BCE1-4d83-9CD4-195BC34D8CB3}] "C:\WINDOWS\syspyukrazv.exe"
    O4 - HKLM\..\Run: [{2C70168B-97CE-4f31-B85D-1FEC5002721D}] "C:\WINDOWS\sysawpbkvnq.exe"
    O4 - HKLM\..\Run: [{E4785213-3EFE-4c26-A9B4-332440E31F6F}] "C:\WINDOWS\sysrxmfdksp.exe"
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
    O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.

REBOOT WHEN YOU HAVE COMPLETED ALL THESE STEPS



Show All Files And Folders Windows XP

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Apply to confirm.
  • Click OK.



Delete bad files and folders

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files and folders; if found, delete them (some may not be present after the previous steps):

    Files:
    C:\WINDOWS\sysqkmwfedz.exe
    C:\WINDOWS\syspyukrazv.exe
    C:\WINDOWS\sysawpbkvnq.exe
    C:\WINDOWS\sysrxmfdksp.exe


Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.



Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Malwarebytes' Anti-Malware
  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
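The fix list above was assembled by reading the HijackThis log by hand. The following Python script is an added example (it is not part of this thread, and it is not HijackThis code) that re-derives the same entries from three signals visible in the log text alone: an entry that points at "(no file)", an O4 autostart whose value name is a bare GUID and whose executable sits directly in the Windows root with a random-looking name, and an O18 "Filter hijack" line. The sample lines are copied from the first log in the thread; the vowel-ratio test and the severity wording are my own heuristics, not a HijackThis rule.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the
thread or of HijackThis itself).

Signals checked, all defender-side and derived from the log text only:
  * a target of "(no file)"  -> orphaned registry reference,
  * an O4 value named with a bare GUID, or pointing at an executable in the
    Windows root whose name has almost no vowels -> random-named loader,
  * an O18 "Filter hijack" line -> a handler registered for text/html.
The vowel-ratio test is a crude heuristic of my own, not a HijackThis rule.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the first HijackThis log in this thread: three
# benign autostarts (ccApp, RTHDCPL, SpySweeper) and one service mixed with
# the entries the helper told the poster to fix.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [{157627A6-2A10-4aa1-B97F-90B8DC6F24AC}] "C:\WINDOWS\sysqkmwfedz.exe"
O4 - HKLM\..\Run: [{78B578D7-BCE1-4d83-9CD4-195BC34D8CB3}] "C:\WINDOWS\syspyukrazv.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - HKLM\..\Run: [name] command"; the hive part may contain a SID (HKUS\S-1-5-18).
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First program path in a command line, whether or not it is quoted.
PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|sys|cpl))"?', re.IGNORECASE)
# A file directly in the Windows root (not in a subfolder such as system32).
WINDIR_ROOT_RE = re.compile(r'^[a-z]:\\windows\\([^\\]+)$', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str]


def looks_random(stem: str) -> bool:
    """Heuristic: a name of eight or more letters with under 25% vowels."""
    letters = [c.lower() for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in 'aeiou' for c in letters)
    return vowels / len(letters) < 0.25


def command_path(cmd: str) -> str:
    """Return the program path from an autostart command line, quoted or not."""
    m = PATH_RE.match(cmd.strip())
    return m.group('path') if m else cmd.strip()


def triage(log_text: str) -> List[Finding]:
    """Return every log line that trips at least one signal, with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if line.endswith('(no file)'):
            reasons.append('orphaned entry: the registry points at a file that no longer exists')
        if line.startswith('O18 - Filter hijack'):
            reasons.append('MIME filter hijack: a handler is registered for text/html content')
        m = O4_RE.match(line)
        if m:
            if GUID_RE.match(m.group('name')):
                reasons.append('autostart value named with a bare GUID instead of a product name')
            wm = WINDIR_ROOT_RE.match(command_path(m.group('cmd')))
            if wm and looks_random(wm.group(1).rsplit('.', 1)[0]):
                reasons.append(f'{wm.group(1)} sits in the Windows root with a random-looking name')
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print('    -', r)
```

Run against the sample it reports the O2 orphan, both GUID-named loaders in C:\WINDOWS and the O18 filter hijack, and leaves ccApp, RTHDCPL, SpySweeper and the Bonjour service alone. The location test matters: an executable with a meaningless name directly in C:\WINDOWS is unusual for legitimate software, which normally lives under Program Files or system32, and that is the same judgement the helper made when picking the four sys*.exe entries to end and delete.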

Re: I have been infected, need help please

Post by ironstorm30 » April 25th, 2008, 9:20 pm

My computer seems to be running better and the symptoms seem to be gone. Here is the Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.11
Database version: 682

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 168463
Time elapsed: 1 hour(s), 13 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\user32.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is a fresh HijackThis log:
ironstorm30
Active Member
 
Posts: 7
Joined: April 24th, 2008, 6:25 pm

Re: I have been infected, need help please

Post by ironstorm30 » April 25th, 2008, 9:22 pm

Oops... forgot to paste the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:45 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\dlm.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/ins ... utions.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11231 bytes
ironstorm30
Active Member
 
Posts: 7
Joined: April 24th, 2008, 6:25 pm

Re: I have been infected, need help please

Unread postby Bio-Hazard » April 26th, 2008, 5:22 am

Remove bad HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.

REBOOT WHEN YOU HAVE COMPLETED ALL THESE STEPS



Delisted Rogue Antispyware Program

You have a program called EasySpyRemover installed on your computer. This program was until recently classified as a Rogue antispyware program. Typically, rogue programs do not provide any security benefits, and use false positives to goad users into purchasing a full version of the program. Due to its tainted history, and the availability of more reputable programs for free, I strongly suggest you remove it. To do so:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    EasySpyRemover

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.



Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 6
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file and follow the on-screen instructions.
  • Reboot your computer



ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


    If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.

  • Click Exit on the Main menu to close the program.

For Technical Support double-click the e-mail address located at the bottom of each menu.



Kaspersky Online Scan

With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed.
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Image
  • Copy and paste the report in your next post.

Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time. Please don't go surfing while your resident protection is disabled! Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.



Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • Kaspersky Log
  • A fresh HijackThis Log (after all the above has been done)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
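As an added triage example for this thread (not code from the forum, from HijackThis or from any tool named in the reply above), the Python script below parses HijackThis v2 entry lines like those in the posted log and flags the classes of entries a helper acts on or looks at first. It covers the O18 "(no file)" filter hijack the reply asks to fix and the rogue antispyware autostart it asks to uninstall, and goes a little beyond the reply by also flagging O23 services with an unknown owner and O16 ActiveX cabs served over plain HTTP. The sample log is constructed from lines in the thread; the cab URL is a placeholder because the original is truncated in the post, and the `watchlist` parameter and `Finding` class are this example's own names.

```python
"""Triage helper for HijackThis v2 logs.

Added example for this thread; it is not part of HijackThis or of any tool
named above. It reads the entry lines ("O4 - ...", "O18 - ...") and flags the
kinds of entries a helper looks at first.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# One HijackThis entry per line: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

# Constructed sample modelled on the log posted above. The O4/O18/O23 lines are
# taken from it; the O16 cab URL is a placeholder because the original is
# truncated in the post.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://cab-host.invalid/placeholder.cab
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O18"
    action: str    # "fix" = remove via Fix Checked; "review" = look closer first
    reason: str
    line: str


def parse_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, original line) for every entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def triage(log_text: str, watchlist: Iterable[str] = ("Easy SpyRemover",)) -> List[Finding]:
    """Flag the entry classes a helper would act on or look at first.

    watchlist holds O4 autostart names known to belong to unwanted programs;
    the default is the delisted rogue antispyware named in the reply above.
    """
    watch = set(watchlist)
    findings: List[Finding] = []
    for sec, body, line in parse_entries(log_text):
        if sec == "O18" and body.endswith("(no file)"):
            # A protocol/MIME filter CLSID is still registered but its DLL is gone:
            # a dead hook with no legitimate purpose, so it can simply be fixed.
            findings.append(Finding(sec, "fix", "handler registered but file missing", line))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(sec, "review", "service has no identifiable vendor", line))
        elif sec == "O16" and re.search(r"\bhttp://", body):
            findings.append(Finding(sec, "review", "ActiveX cab served over plaintext HTTP", line))
        elif sec == "O4":
            name = re.search(r"\[(.+?)\]", body)
            if name and name.group(1) in watch:
                findings.append(Finding(sec, "review", "autostart for a watchlisted program", line))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per action, e.g. {'fix': 1, 'review': 3}."""
    counts: dict = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.action:6} {f.section:4} {f.reason}: {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved HijackThis log by reading the file into `triage()` in place of `SAMPLE_LOG`. Only the O18 "(no file)" class is marked "fix" because it is the one class where the entry has no file left to do anything; everything else is marked "review" so a human still confirms before removing.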

Re: I have been infected, need help please

Unread postby ironstorm30 » April 26th, 2008, 1:16 pm

I tried to remove the O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
in HijackThis, but it would not remove. I have done everything else that you requested.
Here is the KasScan log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 26, 2008 1:07:57 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/04/2008
Kaspersky Anti-Virus database records: 726402
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 210430
Number of viruses found: 12
Number of infected objects: 26
Number of suspicious objects: 3
Duration of the scan process: 03:01:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Owner\triggers.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-26_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\37CFA8A6.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\B54387AB.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Ashley\My Documents\My Documents\incredimail_install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.g skipped
C:\Documents and Settings\Ashley\Shared\eve ruff ryders first lady man.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Deleted Items.dbx/[From chase <securemail@chase.com>][Date Fri, 25 Aug 2006 04:42:58 -0400]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal <support@paypal.com>][Date Thu, 07 Sep 2006 02:36:23 +0330]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: suspicious - 2 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "MedSale" <grysbok@NilayoungQN.com>][Date 13 Oct 2006 13:43:38 -0700]/Nilayoung_RX_DEALZ.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "MedSale" <grysbok@NilayoungQN.com>][Date 13 Oct 2006 13:43:38 -0700]/UNNAMED/Nilayoung_RX_DEALZ.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx/[From "MedSale" <grysbok@NilayoungQN.com>][Date 13 Oct 2006 13:43:38 -0700]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx MailMSOutlook5: infected - 3 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Deleted Items/03 Jan 2007 14:11 from Pilllovers:PharmacyGradeMeds.eml/Enter-the-PharmaShop.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Deleted Items/03 Jan 2007 14:11 from Pilllovers:PharmacyGradeMeds.eml Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Deleted Items/03 Jan 2007 14:11 from Pilllovers:PharmacyGradeMeds/Enter-the-PharmaShop.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Deleted Items/04 Jan 2007 22:57 from PharmaShop Lydia:/Buy_Meds_Here.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst MailMSMaill: infected - 4 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP590\A0098267.exe Infected: Trojan-Clicker.Win32.Agent.aby skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP590\A0098268.exe Infected: Trojan-Clicker.Win32.Agent.abw skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP590\A0098269.exe Infected: Trojan-Clicker.Win32.Agent.abx skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP590\A0098270.exe Infected: not-virus:Hoax.Win32.Agent.cc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP592\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1017AEE0-DE18-4E2E-A7BB-C1AB0409D193}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Recycled\NPROTECT\NPROTECT.LOG Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP592\change.log Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\80d9b84d8f75ef4515be03750a08e602_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\9aab0eb740e9541a6474aee328ccb276_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\436cc56d4817ec196451fb6ca33ada50_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4e24565fb0f0bb5e6a1583b5caa87728_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\62c48b888276f98bb49ac582a9e27b1b_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6c63625f8628e719a670b75857d2ecfe_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7027082a49662f73aecb5349ab1ed9cd_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\980924c1269511092f8bb25affd16ab7_e6f25a60-4b66-468a-9c73-231c2d6defe5 Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\37233C0E.dll Infected: not-a-virus:AdWare.Win32.WebRebates.n skipped
J:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B11772A.tmp Object is locked skipped
J:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\579D2CE3.dll Infected: not-a-virus:AdWare.Win32.WebRebates.n skipped
J:\Documents and Settings\Ashley\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.g skipped
J:\Documents and Settings\Ashley\My Documents\incredimail_install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.g skipped
J:\Documents and Settings\Shannon\Local Settings\Temporary Internet Files\Content.IE5\M51YZM5O\ebatesmoemoneymaker[1].exe/data0004 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
J:\Documents and Settings\Shannon\Local Settings\Temporary Internet Files\Content.IE5\M51YZM5O\ebatesmoemoneymaker[1].exe/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.n skipped
J:\Documents and Settings\Shannon\Local Settings\Temporary Internet Files\Content.IE5\M51YZM5O\ebatesmoemoneymaker[1].exe NSIS: infected - 2 skipped
J:\Program Files\Audible\Bin\ADMDebug.log Object is locked skipped
J:\Program Files\GameSpy Arcade\Services\_assets\_int439c3ee3-25811.js Object is locked skipped
J:\Program Files\HP\HP Creative Scrapbook Assistant\projects\fun university\pages.sok Object is locked skipped
J:\Program Files\InstallShield Installation Information\{127B684B-A002-44C8-99A7-6CF8F1E26873}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{2157961D-0507-44A8-BCF2-1EE2D439E8DF}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{25AF48AC-E3A3-431E-BA93-D534D146C10E}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{3CB41017-F5CA-4C56-934C-ED02156251E6}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{3D047C15-C859-45F7-81CE-F2681778069B}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{47808F78-F178-49DC-B708-15FE538B16FF}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{58582977-44D2-44A0-A09B-031CC2AE5938}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{5AAFE9B0-B60B-4B12-B22D-6B15507502E5}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{654F0312-CB3D-4FE2-962C-6BB9752E9146}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{9E1F626B-4B9F-4EA1-9C0B-074D89939C5B}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{B023185F-F1EF-4F97-B0BD-AE6D802226D1}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{B73B4A99-4173-4747-BBEC-0F05E966F9D2}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{BE20E2F5-1903-4AAE-B1AF-2046E586C925}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{D07643A3-CE41-4286-8C78-EB9C83E76DDB}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{D3F8E1D3-2659-4A18-A433-BE431FA3C769}\Setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{E35B3C63-E958-4E31-A178-95D22024109A}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{F989306B-9287-444F-AE73-E30C7E4AF0F5}\setup.ilg Object is locked skipped
J:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.ilg Object is locked skipped
J:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc100.ini Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc101.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc102.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc103.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc104.dll Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc107.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc108.html Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc109.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc110.ini Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc111.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc112.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc113.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc114.dll Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc115.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc116.html Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc117.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc118.ini Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc119.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc120.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc121.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc122.dll Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc123.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc124.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc125.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc126.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc127.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc128.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc129.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc130.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc131.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc132.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc133.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc134.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc135.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc136.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc137.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc138.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc139.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc140.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc141.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc142.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc143.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc144.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc145.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc146.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc147.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc148.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc149.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc150.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc151.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc152.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc153.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc154.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc155.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc156.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc157.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc158.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc159.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc160.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc161.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc162.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc163.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc164.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc165.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc166.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc167.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc168.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc169.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc170.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc171.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc172.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc173.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc174.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc175.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc176.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc177.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc178.jpg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc179.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc180.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc181.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc182.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc183.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc184.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc185.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc186.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc187.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc188.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc189.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc190.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc191.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc192.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc193.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc194.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc195.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc196.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc197.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc198.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc199.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc2.url Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc200.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc201.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc202.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc203.jpg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc204.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc205.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc206.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc207.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc208.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc209.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc210.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc211.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc212.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc213.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc214.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc215.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc216.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc217.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc218.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc219.jpg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc220.jpg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc221.jpg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc222.jpg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc223.jpg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc224.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc225.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc226.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc227.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc228.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc229.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc230.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc231.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc232.JPG Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc233.lnk Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc234.lnk Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc235.url Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc24.txt Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc25.txt Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc26.txt Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc27.txt Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc28.txt Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc29.txt Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc31.url Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc32.url Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc33.url Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc34.ogg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc35.ogg Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc37.lnk Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc42.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc43.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc44.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc45.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc46.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc47.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc48.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc49.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc50.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc51.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc52.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc53.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc54.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc55.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc56.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc57.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc58.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc59.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc60.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc61.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc62.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc63.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc64.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc65.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc66.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc67.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc68.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc69.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc70.m4a Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc71.url Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc72.url Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc73.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc74.html Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc75.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc76.ini Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc77.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc78.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc79.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc80.dll Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc81.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc82.html Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc83.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc84.ini Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc85.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc86.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc87.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc88.dll Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc89.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc90.html Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc91.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc92.ini Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc93.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc94.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc95.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc96.dll Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc97.gif Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc98.html Object is locked skipped
J:\RECYCLER\S-1-5-21-213051012-2539320074-2884173136-1005\Dc99.gif Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP644\A0099556.DLL Infected: not-a-virus:AdWare.Win32.180Solutions.au skipped
J:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP644\A0099567.DLL Infected: not-a-virus:AdWare.Win32.180Solutions.au skipped
J:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP644\A0099568.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
J:\System Volume Information\_restore{D29C36E0-A054-4AC3-8E60-7C35F3A99B95}\RP644\A0099570.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
J:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP592\change.log Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
J:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
J:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
J:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped

Scan process completed.

And here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:16 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Norton AntiVirus\NAVW32.exe
C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy SpyRemover] "C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" /smart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\dlm.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/ins ... utions.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11828 bytes
ironstorm30
Active Member
 
Posts: 7
Joined: April 24th, 2008, 6:25 pm

Re: I have been infected, need help please

Unread postby Bio-Hazard » April 28th, 2008, 6:43 am

Disable Spysweeper

From your log I can see that you are running SpySweeper. This might interfere with the fixes we are about to do, so we need to disable it. To disable SpySweeper:

  • Open SpySweeper
  • Click Options
  • Click program options
  • Uncheck load at windows startup
  • On the left click shields and uncheck all there
  • Uncheck home page shield
  • Uncheck automatically restore default without notification
  • Close SpySweeper

Note: Once your log is clean you can re-enable those settings in SpySweeper.


Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it on to your desktop.
    HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Backup your registry to the default location

Note: To restore your registry, go to the folder and start ERDNT.exe

  • Open Notepad!
  • Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}]



Note: Make sure there are NO blank lines before REGEDIT4
Note: Make sure there IS one blank line at the end of the file.

  • Go to File > Save As
  • Save File name as Fix.reg
  • Change Save as Type to All Files and save the file to your desktop
  • Close Notepad, and double-click Fix.reg on your Desktop
  • When it asks if you want to merge the info to the registry, hit YES/OK
    Reboot computer



Remove bad HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [Easy SpyRemover] "C:\Program Files\Easy SpyRemover\EasySpyRemover.exe" /smart

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.




Kaspersky log shows some infected emails. You can delete them.


    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Deleted Items.dbx
    /[From chase <securemail@chase.com>][Date Fri, 25 Aug 2006 04:42:58 -0400]
    /[From PayPal <support@paypal.com>][Date Thu, 07 Sep 2006 02:36:23 +0330]

    C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{9F3F1FB5-9CCB-44C4-8345-B1DFB7F0F848}\Microsoft\Outlook Express\Hotmail - Bulk Mail.dbx
    /[From "MedSale" <grysbok@NilayoungQN.com>][Date 13 Oct 2006 13:43:38 -0700]

    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\archive.pst
    /Archive Folders/Deleted Items/03 Jan 2007 14:11 from Pilllovers:PharmacyGradeMeds.eml
    /Archive Folders/Deleted Items/03 Jan 2007 14:11 from Pilllovers:PharmacyGradeMeds
    /Archive Folders/Deleted Items/04 Jan 2007 22:57 from PharmaShop Lydia:

Show All Files And Folders Windows XP

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Apply to confirm.
  • Click OK.


Delete file from Content.IE5

  • Click Start
  • Click Run, copy and paste the line below into the Run box, and then press Enter

    J:\Documents and Settings\Shannon\Local Settings\Temporary Internet Files\Content.IE5\M51YZM5O

  • A Windows Explorer window will open at the M51YZM5O folder
  • Delete the following file: ebatesmoemoneymaker[1].exe



Delete bad file

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to the following file and, if found, delete it:

    File:
    C:\Documents and Settings\Ashley\Shared\eve ruff ryders first lady man.wm



Logs/Information to Post in Reply

Please post the following logs/Information in your reply

  • A fresh HijackThis Log ( after all the above has been done)
  • How are things running now ?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: I have been infected, need help please

Unread postby ironstorm30 » April 28th, 2008, 9:13 pm

Did all of the above and here is my fresh Hijack this file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:15 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=T6528
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html ... TP&M=T6528
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\IGN\Download Manager\dlm.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/ins ... utions.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11530 bytes
ironstorm30
Active Member
 
Posts: 7
Joined: April 24th, 2008, 6:25 pm
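An added example, not part of the thread or of HijackThis itself: a small Python triage script for HijackThis-style log lines. It parses the "Oxx - ..." entries, flags the kinds of entries Bio-Hazard acted on above (an O18 filter whose handler is "(no file)", an O23 service HijackThis could not attribute to a vendor, and any O4 Run entry on a removal list the analyst supplies), derives the same two-key REGEDIT4 stanza the .reg fix above used from the flagged O18 line, and diffs a before/after log to confirm the entries are gone. The sample log excerpts are constructed from entries quoted in this thread and are not complete logs; the line format assumed is the one visible in those logs.

```python
"""Triage helpers for HijackThis-style logs (added example, not from the thread).

Parses the "Oxx - ..." lines HijackThis emits, flags the entry types the helper
acted on above, builds the REGEDIT4 removal text for an orphaned O18 filter,
and diffs a before/after log to confirm the fix took. Sample lines below are
constructed from entries quoted in the thread.
"""
import re
from dataclasses import dataclass

# Assumed line shape, as seen in the posted logs: "O18 - Filter hijack: text/html - {CLSID} - (no file)"
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
FILTER_RE = re.compile(r"^Filter hijack:\s+(?P<mime>\S+)\s+-\s+")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "O18", "O23"
    body: str     # everything after "Oxx - "


def parse_log(text):
    """Keep only the section lines; process lists, headers and footers are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag(entries, run_names_to_remove=()):
    """Return (entry, reason) pairs. The rules mirror what the thread acted on:
    an O18 handler whose DLL is '(no file)' (an orphaned MIME filter registration),
    an O23 service HijackThis could not attribute to a vendor, and O4 Run entries
    whose [name] the analyst has already decided to remove."""
    findings = []
    for e in entries:
        if e.section == "O18" and "(no file)" in e.body:
            findings.append((e, "O18 handler registered but its file is missing"))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append((e, "O23 service with unknown owner; verify the vendor"))
        elif e.section == "O4":
            m = RUN_NAME_RE.search(e.body)
            if m and m.group("name") in run_names_to_remove:
                findings.append((e, "O4 Run entry on the removal list"))
    return findings


def reg_fix_for_filter(entry):
    """Build the REGEDIT4 text that deletes an orphaned O18 MIME filter registration
    and its CLSID, the same two keys the .reg fix in the thread removes.
    Returns None for any entry that is not an O18 filter line with a CLSID."""
    m = FILTER_RE.match(entry.body)
    ids = CLSID_RE.findall(entry.body)
    if entry.section != "O18" or not m or not ids:
        return None
    return (
        "REGEDIT4\n\n"
        f"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\{m.group('mime')}]\n\n"
        f"[-HKEY_CLASSES_ROOT\\CLSID\\{ids[0]}]\n\n"
    )


def diff_logs(before_text, after_text):
    """Entries present only in the earlier log (removed) and only in the later one (added)."""
    before, after = set(parse_log(before_text)), set(parse_log(after_text))

    def key(e):
        return (e.section, e.body)

    return sorted(before - after, key=key), sorted(after - before, key=key)


# Constructed excerpts of the two logs posted in the thread (not complete logs).
BEFORE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Easy SpyRemover] "C:\\Program Files\\Easy SpyRemover\\EasySpyRemover.exe" /smart
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\\PROGRA~1\\COMMON~1\\Skype\\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: NICSer_WMP11 - Unknown owner - C:\\Program Files\\Linksys\\Wireless-B PCI Adapter\\NICServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
End of file - 11828 bytes
"""

AFTER_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\\Program Files\\ERUNT\\AUTOBACK.EXE
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\\PROGRA~1\\COMMON~1\\Skype\\SKYPE4~1.DLL
O23 - Service: NICSer_WMP11 - Unknown owner - C:\\Program Files\\Linksys\\Wireless-B PCI Adapter\\NICServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
End of file - 11530 bytes
"""

if __name__ == "__main__":
    for entry, reason in flag(parse_log(BEFORE_LOG), run_names_to_remove={"Easy SpyRemover"}):
        print(f"{reason}: {entry.section} - {entry.body}")
        fix = reg_fix_for_filter(entry)
        if fix:
            print(fix)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *[f"{e.section} - {e.body}" for e in removed], sep="\n  ")
    print("added:", *[f"{e.section} - {e.body}" for e in added], sep="\n  ")
```

The "Unknown owner" rule is a prompt to verify, not a verdict: in this thread both unattributed services (the Linksys NIC service and Symantec Core LC) were legitimate and left alone, and the diff shows them surviving the fix. The only entries that disappear between the two logs are the O18 text/html filter and the Easy SpyRemover Run key, and the only new one is the ERUNT autobackup shortcut the helper had the user install.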

Re: I have been infected, need help please

Unread postby Bio-Hazard » April 29th, 2008, 8:33 pm

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • ATF Cleaner (You can just delete the atf file from your desktop)
  • Erunt
  • Malwarebytes' Anti-Malware (I would recommend keeping this program)

This is how you can uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Malwarebytes' Anti-Malware

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

      Enable Spysweeper

      • Open SpySweeper
      • Click Options
      • Click program options
      • Check load at windows startup
      • On the left click shields and check all there
      • Check home page shield
      • Check automatically restore default without notification
      • Close SpySweeper


    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Clear Infected System Restore Points
      • Turn System Restore off
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.
        Restart your computer
      • Turn System Restore on
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Uncheck *Turn off System Restore*.
      • Click Apply, and then click OK.
      Note: only do this once, and not on a regular basis

    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    • Install and use a firewall with outbound protection
      The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
      Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
    • Hosts File
      For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE, and for more information regarding Hosts files read HERE
    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: I have been infected, need help please

Unread postby ironstorm30 » April 29th, 2008, 9:54 pm

Thank you very much for your help. I am so grateful for you and this website for being able to fix my computer. It is people like you and websites like this that make the world a better place. I will definitely use your suggestions to help keep my computer clean. Thanks again!! :)
ironstorm30
Active Member
 
Posts: 7
Joined: April 24th, 2008, 6:25 pm

Re: I have been infected, need help please

Unread postby silver » April 30th, 2008, 4:28 am

This topic is now closed
We are pleased to have been of assistance in getting you clean.

If you have been helped and wish to donate with the costs of this volunteer site, you can do so using this link
Donations For Malware Removal
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7