Free Malware Removal Forum

[woowoo]

My son clickedon a image file on MSN and now I still have probelems fter running AVG antvirus and spyware remover - help please
Logfile of HijackThis v1.99.1
Scan saved at 21:38:01, on 05/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\comet\winstall.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\{C4ECF849-0574-1033-0824-05050817002c}\Update.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\9129837.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\comet\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\comet\winstall.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/229?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/230?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68797706-0285-41D2-8334-544815B484B3}: NameServer = 212.139.132.20 212.139.132.21
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

[tim s]

Hi woowoo,

Welcome to the MalWare Removal forums! I'll be glad to help you with your computer problems.
HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

In order to help me help you, please observe the following while we work:

1. If you don't know, stop and ask! Don't continue, we don't want to start all over again!
2. Understand that cleaning your computer can sometimes take multiple passes/posts,
   and it's important to follow the steps as listed including re-running scans as listed
3. Please reply to this thread, do not start another.

If you can do those three things, everything should go smoothly

[woowoo]

Ok - thanks for your help

[tim s]

Hello woowoo,

I do see infections in your log. We are going to remove certain infections with this post and I will work on the others in next. Please do the following;

Disable program can interfer(block removal of infection) with HJT fix.
Open AVG Anti-Spyware 7.5

• On the main screen under Your Computer's security.
• Click on Change state next to Resident shield. It should now change to inactive.
• Close AVG Anti-Spyware 7.5
• Right-click the AVG Anti-Spyware 7.5 Tray Icon and choose Exit. Confirm by clicking Yes.

------------------------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

---------------------------------------------------

Please do the followng:

Download SmitfraudFix (by S!Ri) make sure to click the Save button not Run button and save to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a 'RiskTool'; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert the user.
-----------------------------------------------------

This in next:
Make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1.Start HijackThis



2. Click on the Open the Misc tool section button
3. Click on the Misc Tools button



4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:



5. Click on the Save list... button and specify where you would like to save this file. When you press Save list button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply. Note: please uncheck word wrap under format in notepad

Post HJT Uninstall list in next reply
-----------------------------------------------------

Please post in your next reply to this thread the following logs:
SDFix Report.txt
SmitfraudFix's rapport.txt
HJT Uninstall list
New HJT log

[woowoo]

sdfix report

SDFix: Version 1.55
****************

06/01/2007 - 13:21:31.60

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

hide_evr2
MsaSvc

File Path:

\??\C:\WINDOWS\hide_evr2.sys
C:\WINDOWS\system32\msasvc.exe

hide_evr2 Deleted...
MsaSvc Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------


Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Remaining Services:
------------------

Rootkit PE386 Found!


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\NTDETECT.COM
C:\Documents and Settings\comet\Local Settings\Temp\Temporary Directory 2 for Microsoft Office Xp Pro (Word, Excel, Powerpoint, Outlook, A.zip\MSDE2000\SQLRESLD.DLL
C:\Documents and Settings\comet\My Documents\Unzipped\Microsoft Office Xp Pro (Word, Excel, Powerpoint, Outlook, A\MSDE2000\SQLRESLD.DLL
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\comet\Local Settings\Temp\$b17a2e8.tmp
C:\Program Files\InterActual\InterActual Player\itiEB.tmp
C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341235.TMP

FINISHED!

[woowoo]

Hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 13:32:24, on 06/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\comet\winstall.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\{C4ECF849-0574-1033-0824-05050817002c}\Update.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\comet\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\comet\winstall.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/229?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/230?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68797706-0285-41D2-8334-544815B484B3}: NameServer = 212.139.132.20 212.139.132.21
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[woowoo]

Raport.txt
SmitFraudFix v2.132

Scan done at 13:36:51.67, 06/01/2007
Run from C:\Documents and Settings\comet\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\comet


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\comet\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\comet\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[woowoo]

AC97 Data Fax SoftModem with SmartCP
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Atheros Client Utility
Atheros Wireless LAN MiniPCI card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
CD/DVD Drive Acoustic Silencer
Conexant AC-Link Audio
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB895200)
InterActual Player
InterVideo WinDVD for TOSHIBA
IpWins
iTunes
J2SE Runtime Environment 5.0 Update 2
Leisure Suit Larry - Magna Cum Laude
Macromedia Flash Player
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office OneNote 2003
Microsoft Office XP Professional with FrontPage
MSN
MSN Search Toolbar
PCFriendly
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
SAGEM F@st 800-840
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Seekmo Search Assistant
Seekmo Toolbar
Sonic DLA
Sonic RecordNow!
Synaptics Pointing Device Driver
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Manuals
TOSHIBA PC Diagnostic Tool
Toshiba Touchpad Utility
Toshiba Utility
TOSHIBA Zooming Utility
Touch and Launch
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
webHancer Customer Companion
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB893086
WinZip
Yahoo! Toolbar

[woowoo]

Hi Tim S
I believe I have done all your instructions correctly - hope so. Looking forward to your next set.
Thanks
Fiona

[tim s]

Hello woowoo,

Yes you have done a very good job following instructions and thanks for posting logs.
We will need to use more tools to get rid of this infection. There are programs in your Add/Remove program list that need removing first.

This Add or Remove Programs entry corresponds to a program that is either malware, installs malware, or is bundled with malware.


Add/Remove Programs

• Click Start
• Go to Control Panel
• Go to Add/Remove Programs
• Find and click Remove for the following:
  
  IpWins
  Seekmo Search Assistant
  Seekmo ToolbarwebHancer Customer Companion
  

You will need to reboot computer to complete uninstall.

----------------------------------------------------

This part is to double check and make sure program in turned off
Disable program can interfer (block removal of infection) with fix.

• Right-click the AVG Anti-Spyware 7.5 Tray Icon (on bottom right corner of monitor screen) and choose Exit. Confirm by clicking Yes.

---------------------------------------------------------------------------

Download RustBFix from one of the following locations...

http://www.uploads.ejvindh.net/rustbfix.exe

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

[woowoo]

************************* Rustock.b-fix -- By ejvindh *************************
07/01/2007 10:08:50.56

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 69038
Total size: 69038 bytes.
Attempting to remove ADS...
system32: deleted 69038 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yykpgvpv

*******************

Script file located at: \??\C:\Program Files\ekvlembo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

[woowoo]

Logfile of HijackThis v1.99.1
Scan saved at 10:19:06, on 07/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\comet\winstall.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\{C4ECF849-0574-1033-0824-05050817002c}\Update.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\comet\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\comet\winstall.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/229?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/230?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68797706-0285-41D2-8334-544815B484B3}: NameServer = 212.139.132.20 212.139.132.21
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[tim s]

Hello woowoo,

Thanks for posting logs

I still see files in your log that we need to take care of.

This is next:

This program AVG Anti-Spyware can block removal of infection if not turned off. If you have already disabled move to next step.

Disable program can interfer (block removal of infection) with HJT fix.
Open AVG Anti-Spyware 7.5

• On the main screen under Your Computer's security.
• Click on Change state next to Resident shield. It should now change to inactive.
• Close AVG Anti-Spyware 7.5
• Right-click the AVG Anti-Spyware 7.5 Tray Icon and choose Exit. Confirm by clicking Yes.

----------------------------------------------------------------

Please do the following:
Here we are going to clean out cookies and temp files from your computer.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here It will start to download automatically. If ask if you want to download let it. Save to your Desktop.
Note: If you get and Error page from this link.
Try again you will see this message Your download of CCleaner will automatically start in 5 seconds. Click here if it does not do not wait go ahead and click on it.

• Double click on the file to start the installation of the program.
• Select your language and click OK, then next.
• Follow prompts to install finish to complete installation.
• Double click the CCleaner shortcut on the desktop to start the program.
  
  • On the Windows tab, under Internet Explorer,
    
    • All Boxes should have a check mark. (You will need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • On the Windows tab, under Windows Explorer,
    
    • All Boxes should have a check mark.
  • On the Windows tab, under System,
    
    • All Boxes should have a check mark.
  • On the Windows tab, under Advanced,
    
    • NO check marks
• If you use either the Firefox or Mozilla browsers, the box to put check in for "Cookies" is on the Applications tab, under Firefox/Mozilla. If already checked move to next step.
• Click on the "Options" icon at the left side of the window, then click on "Advanced."
  deselect "Only delete files in Windows Temp folders older than 48 hours."
• Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
• Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
• After CCleaner has completed its process, click Exit.
• You will need to reboot here if not ask to do so.

_______________________________


Next do the following:
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

reboot computer again here
--------------------------------------------------------------------------

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:

• Scan using the following Anti-Virus database:
  
• Extended (If available otherwise Standard)
  
• Scan Options:
  
  • Scan Archives
  • Scan Mail Bases
• Click OK
• Now under select a target to scan select My Computer
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button
• Save the file to your desktop.
• Copy and paste that information in your next post.

---------------------------------------------------------------------

Please post in your next reply to this thread the following logs:
combofix's log
kaspersky scan report
New HJT log

[woowoo]

Hi - thanks once more for your help - here are todays logs
comet - 07-01-08 10:06:52.71 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\comet\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Inetget2
C:\Program Files\Common Files\{34ECF849-0574-1033-0824-05050817002c}
C:\Program Files\Common Files\{C4ECF849-0574-1033-0824-05050817002c}


((((((((((((((((((((((((((((((( Files Created from 2006-12-08 to 2007-01-08 ))))))))))))))))))))))))))))))))))


2007-01-08 10:05 <DIR> d--h----- C:\WINDOWS\system32\vidmon
2007-01-08 10:05 <DIR> d--h----- C:\WINDOWS\system32\nfomon
2007-01-08 10:05 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2007-01-08 10:05 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\vidmon
2007-01-08 10:05 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\nfo
2007-01-08 09:58 <DIR> dr-h----- C:\Documents and Settings\comet\Recent
2007-01-08 09:55 <DIR> d-------- C:\Program Files\CCleaner
2007-01-07 10:12 <DIR> d-------- C:\avenger
2007-01-07 10:08 <DIR> d-------- C:\Rustbfix
2007-01-06 13:36 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-06 13:36 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-06 13:36 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-06 13:36 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-06 13:36 3,290 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-06 13:36 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-06 13:36 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-06 12:56 <DIR> d-------- C:\SDFix
2007-01-05 20:11 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-05 18:07 <DIR> dr-h----- C:\$VAULT$.AVG
2007-01-05 18:06 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-05 18:06 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-05 18:06 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-05 18:06 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-05 18:06 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-05 18:06 <DIR> d-------- C:\Documents and Settings\comet\Application Data\AVG7
2007-01-05 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-01-05 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-01-05 18:05 <DIR> d-------- C:\Program Files\Grisoft
2006-12-14 18:19 <DIR> d-------- C:\Program Files\webHancer
2006-12-13 12:56 77,824 --a------ C:\WINDOWS\system32\fsetup.exe
2006-12-13 12:56 77,824 --a------ C:\Documents and Settings\comet\fsetup.exe
2006-12-12 04:03 77,824 --a------ C:\Documents and Settings\comet\qsetup.exe
2006-12-11 18:57 <DIR> d-------- C:\WINDOWS\Minidump
2006-12-11 03:23 19,648 --a------ C:\namn.exe
2006-12-11 03:22 77,824 --a------ C:\WINDOWS\system32\isetup.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-08 10:08 -------- d-------- C:\Program Files\Common Files
2007-01-06 15:30 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-14 04:00 -------- d-------- C:\Program Files\Internet Explorer
2006-12-14 03:59 -------- d-------- C:\Program Files\Outlook Express
2006-12-14 03:59 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 19:29 -------- d-------- C:\Program Files\MSN Messenger
2006-12-12 14:35 -------- d-------- C:\Program Files\QuickTime
2006-12-11 13:30 -------- d-------- C:\Program Files\STOPzilla!
2006-12-07 06:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Toshiba Hotkey Utility"="\"C:\\Program Files\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang en"
"NDSTray.exe"="NDSTray.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"CFSServ.exe"="CFSServ.exe -NoClient"
"adiras"="adiras.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Nfo"="C:\\WINDOWS\\system32\\nfomon\\nfomon.exe"
"vidmon"="C:\\WINDOWS\\system32\\vidmon\\vidmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-08 10:08:38.31
C:\ComboFix.txt ... 07-01-08 10:08

[woowoo]

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 08, 2007 11:15:11 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/01/2007
Kaspersky Anti-Virus database records: 256761
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 35144
Number of viruses found: 12
Number of infected objects: 53 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:51:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon0104.dbd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon0106.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon0204.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon0315.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon0412.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon0504.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon0904.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon1125.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon1204.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon1215.dbd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon1909.ddx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon1920.dbd Object is locked skipped
C:\Documents and Settings\All Users\Application Data\nfo\mon2007.dbd Object is locked skipped
C:\Documents and Settings\comet\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\comet\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\comet\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\comet\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\comet\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.194.Crwl Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.194.gthr Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\00010006.ci Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\CiST0000.000 Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\DocId.Map Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.Dir Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0 Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0.Dir Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1 Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1.Dir Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h3 Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A.Dir Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B.Dir Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.idx Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Idm.gthr Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Ntfy16.gthr Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSS.log Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\RSApp.edb Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\tmp.edb Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Logs\MAPI.txt Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\NtfC.tmp Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\NtfF.tmp Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Perflib_Perfdata_9b0.dat Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\comet\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\comet\Local Settings\History\History.IE5\MSHist012007010820070109\index.dat Object is locked skipped
C:\Documents and Settings\comet\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\comet\ntuser.dat Object is locked skipped
C:\Documents and Settings\comet\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\comet\winstall.exe Infected: not-a-virus:AdWare.Win32.PurityScan.u skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\namn.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\Program Files\webHancer\Programs\whinstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105481.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105482.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105484.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105485.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105486.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105487.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105488.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105489.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105490.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP179\A0105491.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105560.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105561.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105562.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105563.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105564.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105565.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105566.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105568.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105570.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105606.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105607.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105608.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105610.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105611.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105612.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0105613.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106606.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106607.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106608.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106609.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106610.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106611.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106612.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106613.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106614.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0106615.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0107606.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0107607.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0107609.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0107610.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0107611.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108606.dll Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108608.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108609.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108610.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108611.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108612.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108613.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP180\A0108614.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0109614.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0109628.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0109642.exe Infected: not-a-virus:AdWare.Win32.PurityScan.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110628.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110629.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110630.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110631.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110632.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110634.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110635.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP181\A0110636.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP182\A0110670.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP182\A0110671.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP182\A0111628.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP183\A0111633.rbf Infected: Backdoor.Win32.MSNMaker.ab skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP183\A0111670.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP183\A0112670.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0112779.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0112814.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0112836.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0113836.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0114836.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0115836.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0116836.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP184\A0117837.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118836.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118864.dll Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118872.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118873.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118888.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118889.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118890.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118891.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118892.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118893.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118894.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118895.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118896.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118897.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118898.dll Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118899.dll Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118900.dll Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118901.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118902.dll Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118903.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118904.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118905.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118906.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118907.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118908.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118909.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP185\A0118910.exe Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119392.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119409.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119442.sys Object is locked skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119443.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.aa skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119444.exe Infected: Trojan-PSW.Win32.Small.bs skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119898.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119899.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119900.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119901.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119902.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119903.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119904.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119905.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119906.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119907.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119908.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119909.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119910.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119911.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119912.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119913.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119914.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119915.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119916.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119917.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119918.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119919.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119985.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119986.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP187\A0119987.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{1C4AEEF7-E5F8-4C55-A67C-AFE20A94E538}\RP188\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\speedtest2.dll Infected: not-a-virus:Downloader.Win32.InsTool.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nfomon\nfo.ocx Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.c skipped
C:\WINDOWS\system32\nfomon\nfom.dll Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\WINDOWS\system32\nfomon\nfomon.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f skipped
C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe/webcontrol/btwebcontrol.dll Infected: not-a-virus:Dialer.Win32.BT.g skipped
C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe CAB: infected - 1 skipped
C:\WINDOWS\system32\vidmon\vidmon.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.j skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 11:16:45, on 08/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nfomon\nfomon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\vidmon\vidmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\comet\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll (file missing)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34ECF~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/229?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/230?455e2b92a0574c19b31ff436632aaa53
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68797706-0285-41D2-8334-544815B484B3}: NameServer = 212.139.132.20 212.139.132.21
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Will it ever be free?