Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

girlfriends computer messed with popups


Post by wakeboarder540 » July 22nd, 2007, 11:22 pm

C:\DOCUME~1\Nish\Desktop\internet.lnk
C:\DOCUME~1\Nish\MYDOCU~1.\dobe~1
C:\Documents and Settings\Nish.\err.log
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\drivecleaner free\udcpas.exe
C:\Program Files\Common Files\drivecleaner free\udcsdr.exe
C:\Program Files\Common Files\smbols~1
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\hedfx.dll
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\wnsapitr.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-17 to 2007-07-17 )))))))))))))))))))))))))))))))


2007-07-16 22:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 19:17 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
2007-07-14 19:16 <DIR> d-------- C:\Program Files\The Learning Company
2007-06-27 00:49 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-06-27 00:49 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-06-27 00:49 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-06-27 00:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-27 00:49 378,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-27 00:49 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-27 00:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-06-27 00:48 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-06-27 00:48 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-27 00:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-06-26 22:31 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-25 17:39 <DIR> d-------- C:\Hijackthis


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 23:20:10 5,420 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-06-25 23:25:55 -------- d-----w C:\Program Files\Shareaza
2007-06-25 23:15:33 -------- d-----w C:\Program Files\Anti-Blaxx 1.18
2007-06-25 23:10:14 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-25 23:10:13 -------- d-----w C:\Program Files\Symantec
2007-06-25 23:07:34 -------- d-----w C:\Program Files\Norton SystemWorks
2007-06-25 23:07:33 -------- d-----w C:\Program Files\Google
2007-06-25 22:48:48 -------- d-----w C:\Program Files\Save
2007-06-25 22:48:46 -------- d-----w C:\Program Files\Common Files\WhenU
2007-06-25 22:45:17 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 19:09:57 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-06-15 12:36:38 -------- d-----w C:\DOCUME~1\Nish\APPLIC~1\SPAMfighter
2007-06-15 12:36:23 -------- d-----w C:\Program Files\Common Files\Ankiro
2007-06-15 12:36:22 -------- d-----w C:\Program Files\SPAMfighter
2007-06-15 12:35:58 -------- d-----w C:\Program Files\Common Files\Application
2007-06-12 13:30:15 -------- d-----w C:\Program Files\MyWebSearch
2007-06-12 13:28:37 -------- d-----w C:\Program Files\MSN Messenger
2007-06-09 16:42:22 -------- d-----w C:\Program Files\Kodak
2007-06-09 16:41:54 -------- d-----w C:\Program Files\Common Files\Kodak
2007-06-05 16:34:44 1,184,664 ----a-w C:\WINDOWS\system32\FreeImage.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-09-03 00:11:00 21,848 ----a-w C:\DOCUME~1\Nish\APPLIC~1\GDIPFONTCACHEV1.DAT
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

ok last post of combofix log

Post by wakeboarder540 » July 22nd, 2007, 11:24 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}]
2006-10-26 08:12 77824 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-12-13 18:27]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nish^Start Menu^Programs^Startup^services.lnk]
path=C:\Documents and Settings\Nish\Start Menu\Programs\Startup\services.lnk
backup=C:\WINDOWS\pss\services.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grey safe]
C:\DOCUME~1\Nish\APPLIC~1\32ROAM~1\RdrName.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hdjzor]
"C:\Documents and Settings\Nish\My Documents\?dobe\m?dtc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\xoscmcr\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
C:\WINDOWS\system32\xoscmcr\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"C:\Program Files\Shareaza\Shareaza.exe" -tray


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 22:30:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-16 22:31:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 22:31

--- E O F ---
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Re: ok last post of combofix log

Post by Trogan » July 23rd, 2007, 12:44 am

Hi,

There are some suspicious files in your log, which I'd like to get analysed.

1. Do this...
  • Go to VirusTotal
  • Copy and paste the following file path into the Search Box at the top of the page:
      C:\WINDOWS\system32\xoscmcr\services.exe
  • Click on the Send button
  • Save a copy of the results and post them in your next reply.

2. Click Start > Run > type: Services.msc > OK
This will open the Services window.
Look through the list, and check if you see something similar to the following...
?
The service name should start with a Question Mark (?) and have some different characters next to it.
If you find this, double-click to open it. Make a note of everything that is under the General tab.


Post the info regarding the Service, along with the file results and a new HijackThis log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

ok

Post by wakeboarder540 » July 23rd, 2007, 10:12 pm

So I tried to submit the file online to the virus site, but the file doesn't exist, and I ran a search for it on the comp and couldn't find it.

Also, I tried to find some info on that service, and there was no service with a ? in it.


Here is the new HijackThis log:



Logfile of HijackThis v1.99.1
Scan saved at 8:08:08 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Hijackthis\Hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG7\avgcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Post by Trogan » July 23rd, 2007, 10:32 pm

Hi,

OK, please do the following...

Open Notepad and copy/paste the text in the Quote Box below into it:

File::
C:\Documents and Settings\Nish\My Documents\?dobe\m?dtc.exe

Folder::
C:\DOCUME~1\Nish\APPLIC~1\32ROAM~1
C:\WINDOWS\system32\xoscmcr
C:\Program Files\Save
C:\Program Files\Common Files\WhenU
C:\Program Files\MyWebSearch

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grey safe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hdjzor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

Save this as CFScript to your Desktop.

[Image: screenshot showing CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
A new log will be created, post that back here.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
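The CFScript above was assembled by hand from the startupreg entries in the earlier ComboFix log. As an added example (not a tool from the thread, from ComboFix or from MalwareRemoval.com), the Python below parses that "Reg Loading Points" section, flags entries with three heuristics modelled on the four the helper picked, and emits the File::/Folder::/Registry:: sections in the same layout. The sample log text is a constructed copy of four entries from the thread; the heuristics are this example's assumptions, and the reading that `[-key]` under Registry:: removes the key follows from the follow-up log, where those keys no longer appear.

```python
"""Turn the 'Reg Loading Points' section of a ComboFix log into a CFScript draft.

Added example, not a tool from ComboFix or the thread. Everything below that
decides what is 'suspicious' is an assumption of this example, modelled on the
startupreg entries the helper chose to remove.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: four startupreg entries copied from the thread's first log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grey safe]
C:\DOCUME~1\Nish\APPLIC~1\32ROAM~1\RdrName.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hdjzor]
"C:\Documents and Settings\Nish\My Documents\?dobe\m?dtc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\xoscmcr\services.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"C:\Program Files\Shareaza\Shareaza.exe" -tray
"""

SYSTEM_DIR = r"C:\WINDOWS\SYSTEM32"
# Core Windows binaries that legitimately run only from system32; a copy anywhere
# else (here system32\xoscmcr\services.exe) is borrowing the name.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe"}
# Profile data folders, in both long and 8.3 (DOCUME~1 style) spellings.
USER_DATA_MARKERS = ("\\APPLIC~1\\", "\\APPLICATION DATA\\", "\\MY DOCUMENTS\\",
                     "\\MYDOCU~1\\", "\\LOCAL SETTINGS\\", "\\LOCALS~1\\")

# A key line "[HKEY_LOCAL_MACHINE\...\msconfig\startupreg\<name>]" and its value line.
ENTRY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\[^\]]*\\msconfig\\startupreg\\([^\]]+))\]\r?\n([^\r\n]*)",
    re.MULTILINE | re.IGNORECASE)
# First token of the value: a quoted path, or an unquoted run of non-blank characters.
PATH_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


@dataclass
class Entry:
    key: str
    name: str
    path: str         # executable path with quotes and arguments stripped ("" if none)
    reason: str = ""  # why it was flagged; empty when the entry looks benign


def parse_startupreg(log: str) -> list[Entry]:
    entries = []
    for m in ENTRY_RE.finditer(log):
        key, name, value = m.group(1), m.group(2), m.group(3)
        pm = PATH_RE.match(value)
        path = (pm.group(1) or pm.group(2)) if pm else ""
        entries.append(Entry(key, name, path))
    return entries


def suspicion(path: str) -> str:
    """Return a reason string if the autostart path matches one of the heuristics."""
    if not path:
        return ""
    if "?" in path:
        # ComboFix prints '?' for characters it cannot render; the thread's
        # "?dobe\m?dtc.exe" imitates an "Adobe" folder with such characters.
        return "name contains characters the log could not print ('?')"
    parent, _, base = path.rpartition("\\")
    if base.lower() in SYSTEM_BINARIES and parent.upper() != SYSTEM_DIR:
        return f"{base} running from {parent} instead of {SYSTEM_DIR}"
    if any(marker in path.upper() for marker in USER_DATA_MARKERS):
        # Noisy on its own (some legitimate software installs per user), so a
        # helper would still inspect the file before scripting its removal.
        return "autostart executable stored under the user's profile data folders"
    return ""


def flag_entries(log: str) -> list[Entry]:
    entries = parse_startupreg(log)
    for entry in entries:
        entry.reason = suspicion(entry.path)
    return entries


def build_cfscript(entries: list[Entry]) -> str:
    """Emit the File::/Folder::/Registry:: sections for the flagged entries.

    Paths are copied exactly as printed, '?' included, as the thread's own script
    does; '[-key]' under Registry:: removes the key, as the follow-up log shows.
    """
    flagged = [e for e in entries if e.reason]
    folders: list[str] = []
    for e in flagged:
        parent = e.path.rpartition("\\")[0]
        if parent not in folders:
            folders.append(parent)
    lines = ["File::", *(e.path for e in flagged), "",
             "Folder::", *folders, "",
             "Registry::", *(f"[-{e.key}]" for e in flagged), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = flag_entries(SAMPLE_LOG)
    for e in found:
        print(f"{e.name:10} {'FLAG' if e.reason else 'ok  '} {e.path}  {e.reason}")
    print()
    print(build_cfscript(found))
```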

ok

Post by wakeboarder540 » July 27th, 2007, 10:40 pm

"Nish" - 2007-07-27 18:06:46 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Nish\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\WhenU
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\dxva_sig.txt
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\Save
C:\Program Files\Save\SaveNowupdate.exe
C:\WINDOWS\system32\xoscmcr
C:\WINDOWS\system32\xoscmcr\services.ini


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))


2007-07-16 22:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-14 19:17 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
2007-07-14 19:16 <DIR> d-------- C:\Program Files\The Learning Company
2007-06-27 00:49 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-06-27 00:49 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-06-27 00:49 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-06-27 00:49 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-06-27 00:49 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-27 00:49 1,036,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-27 00:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-06-27 00:48 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-06-27 00:48 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-27 00:48 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 20:56:48 11,852 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-19 04:06:59 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-25 23:25:55 -------- d-----w C:\Program Files\Shareaza
2007-06-25 23:15:33 -------- d-----w C:\Program Files\Anti-Blaxx 1.18
2007-06-25 23:10:14 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-25 23:10:13 -------- d-----w C:\Program Files\Symantec
2007-06-25 23:07:34 -------- d-----w C:\Program Files\Norton SystemWorks
2007-06-25 23:07:33 -------- d-----w C:\Program Files\Google
2007-06-25 22:45:17 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 19:09:57 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-06-15 12:36:38 -------- d-----w C:\DOCUME~1\Nish\APPLIC~1\SPAMfighter
2007-06-15 12:36:23 -------- d-----w C:\Program Files\Common Files\Ankiro
2007-06-15 12:36:22 -------- d-----w C:\Program Files\SPAMfighter
2007-06-15 12:35:58 -------- d-----w C:\Program Files\Common Files\Application
2007-06-12 13:28:37 -------- d-----w C:\Program Files\MSN Messenger
2007-06-09 16:42:22 -------- d-----w C:\Program Files\Kodak
2007-06-09 16:41:54 -------- d-----w C:\Program Files\Common Files\Kodak
2007-06-05 16:34:44 1,184,664 ----a-w C:\WINDOWS\system32\FreeImage.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-09-03 00:11:00 21,848 ----a-w C:\DOCUME~1\Nish\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}]
2006-10-26 08:12 77824 --a------ C:\WINDOWS\system32\TwcToolbarBho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2005-12-13 18:27]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nish^Start Menu^Programs^Startup^services.lnk]
path=C:\Documents and Settings\Nish\Start Menu\Programs\Startup\services.lnk
backup=C:\WINDOWS\pss\services.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]
?

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
"C:\Program Files\Shareaza\Shareaza.exe" -tray


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 18:10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 18:12:05
C:\ComboFix-quarantined-files.txt ... 2007-07-27 18:12
C:\ComboFix2.txt ... 2007-07-16 22:31

--- E O F ---
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Post by Trogan » July 29th, 2007, 7:59 am

You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.
Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

ok

Post by wakeboarder540 » August 1st, 2007, 1:03 am

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:54:18 PM 7/31/2007

+ Scan result:



C:\Documents and Settings\Nish\Local Settings\Temporary Internet Files\Content.IE5\6G8I12LM\B2375692[1].htm -> Downloader.Agent.ao : Cleaned with backup (quarantined).
C:\WINDOWS\b128.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\WINDOWS\b104.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Program Files\Shareaza\Downloads\stand down 18.wma -> Downloader.Wimad.d : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir -> Dropper.Agent.bfr : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\catchme2007-07-16_223013.23.zip/core.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\wnsapitr.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



---------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:00:58 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Hijackthis\Hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG7\avgcc.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7e4723039fe64d03b86eb754ad9acd64
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7e4723039fe64d03b86eb754ad9acd64
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Unread postby Trogan » August 1st, 2007, 10:47 am

Good job!

I'd like to run one more scan, but first:

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis

Next, please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

Post the Kaspersky log, along with a new HijackThis log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
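
The two lines the helper asks to fix above are "(no file)" entries: the CLSID is still registered but the DLL it pointed at is gone. Below is an added example, not code from the thread or from HijackThis, that applies that check to a log and then confirms against a second log that the entries disappeared. The sample lines are copied from the two logs in this thread; the line format the parser assumes ("Oxx - Kind: Name - {CLSID} - path") is what HijackThis v1.99.1 prints, and the registry keys listed are the ones those sections are read from.

```python
"""Triage of HijackThis add-on entries (O2 BHOs, O3 toolbars, O9 buttons).

Added example for this thread, not part of HijackThis or the original posts.
The sample lines are copied from the logs in the thread; the line format
assumed is HijackThis v1.99.1's "Oxx - Kind: Name - {CLSID} - path".
"""
import re

# Constructed sample (lines taken from the first log in the thread).
BEFORE_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# Same sections after 'Fix checked' (constructed from the second log in the thread).
AFTER_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
"""

# Only lines that carry a CLSID are add-ons; O4 Run entries and the like do not match.
LINE_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)

# Registry location each section is read from; 'Fix checked' deletes the entry there.
REGISTRY_KEY = {
    "O2": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
    "O3": r"HKLM\Software\Microsoft\Internet Explorer\Toolbar (value named {clsid})",
    "O9": r"HKLM\Software\Microsoft\Internet Explorer\Extensions\{clsid}",
}


def parse_addons(log_text):
    """Return a dict per CLSID-bearing line; every other line is ignored."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned(entries):
    """Entries marked '(no file)' whose CLSID no other line resolves to a file.

    HijackThis prints '(no file)' when the path registered for the CLSID does
    not exist. Such a registration cannot run today, but a DLL placed at that
    path later would be loaded without any new prompt, so deleting the key is
    the safe housekeeping step. A CLSID that still resolves elsewhere in the
    log (the Weather Channel O9 button shares its CLSID with a live O3 toolbar)
    is left alone, which is the judgement the helper made above.
    """
    live = {e["clsid"] for e in entries if e["target"].strip().lower() != "(no file)"}
    return [
        e for e in entries
        if e["target"].strip().lower() == "(no file)" and e["clsid"] not in live
    ]


def fix_list(entries):
    """(log line, registry key it removes) for each orphan: what to tick in 'Fix checked'."""
    out = []
    for e in orphaned(entries):
        key = REGISTRY_KEY.get(e["section"], "?").format(clsid=e["clsid"])
        line = f'{e["section"]} - {e["kind"]}: {e["name"]} - {e["clsid"]} - {e["target"]}'
        out.append((line, key))
    return out


def diff_logs(before, after):
    """CLSIDs present in the first log and absent from the second: confirms the fix took."""
    gone = {e["clsid"] for e in parse_addons(before)} - {e["clsid"] for e in parse_addons(after)}
    return sorted(gone)


if __name__ == "__main__":
    for line, key in fix_list(parse_addons(BEFORE_LOG)):
        print(line)
        print("   removes:", key)
    print("gone after fix:", diff_logs(BEFORE_LOG, AFTER_LOG))
```

Run as a script it prints the same two O2 lines the helper picked, the BHO key each removes, and confirms from the second log that both CLSIDs are gone. The "no other line resolves this CLSID" rule is why the Weather Channel O9 entries, which also read "(no file)", are not on the list.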

ok

Unread postby wakeboarder540 » August 7th, 2007, 5:25 pm

Tuesday, August 07, 2007 3:20:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 7/08/2007
Kaspersky Anti-Virus database records: 376885


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 85581
Number of viruses found 25
Number of infected objects 89
Number of suspicious objects 0
Duration of the scan process 01:06:29

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Nish\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped

C:\Documents and Settings\Nish\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Nish\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Nish\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Nish\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Nish\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Nish\My Documents\My Music\alanna\(New Release) stand down 00.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\Documents and Settings\Nish\My Documents\My Music\OCB taylor the late boy 30.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\Documents and Settings\Nish\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Nish\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\03EB0EAA.exe Infected: P2P-Worm.Win32.VB.dw skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05D83686.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09A53638.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09A86035.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09AB0A31.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09AF342D.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09B25E2A.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09B50826.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09B93223.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09BC5C1F.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09BF061B.exe Infected: Trojan-Downloader.Win32.Swizzor.de skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A6E40B4.exe Infected: Trojan-Dropper.Win32.VB.me skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15FC4D79.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\17426AB2.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1D1C1F75.exe Infected: Trojan-Downloader.Win32.Swizzor.de skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\22D226B1.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2E2345DD.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2E6362B0.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32D313E2.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33E85664.htm Infected: Trojan-Downloader.JS.Psyme.cb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\348A6472.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\348A6472.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\348A6472.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\348A6472.zip ZIP: infected - 3 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\348A6472.zip CryptFF: infected - 3 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\34FA1D37.htm Infected: Trojan-Downloader.JS.Psyme.cb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\354317D9.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\39F31EAE.exe Infected: not-a-virus:AdWare.Win32.Lop.ag skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E634FE1.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\454D452F.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45506F2B.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45541927.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45574324.exe Infected: Trojan-Downloader.Win32.Swizzor.dv skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\455A6D20.tmp/stream Infected: Trojan-Downloader.Win32.IstBar.no skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\455A6D20.tmp NSIS: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\455A6D20.tmp UPX: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\455A6D20.tmp CryptFF: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45614119.tmp/stream Infected: Trojan-Downloader.Win32.IstBar.no skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45614119.tmp NSIS: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45614119.tmp UPX: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45614119.tmp CryptFF: infected - 1 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45672ECC.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D75ACC.zip/Counter.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D75ACC.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D75ACC.zip/web.exe Infected: Trojan.Win32.Small.ev skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D75ACC.zip/Worker.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D75ACC.zip/Xeyond.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D75ACC.zip ZIP: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D75ACC.zip CryptFF: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A242011.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A274A0E.zip/Counter.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A274A0E.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A274A0E.zip/web.exe Infected: Trojan.Win32.LowZones.dm skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A274A0E.zip/Worker.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A274A0E.zip/Xeyond.class Infected: Trojan.Java.Femad skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A274A0E.zip ZIP: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A274A0E.zip CryptFF: infected - 5 skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4C8700C7.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\517A0CB3.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D0A48B2.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\689B04B0.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D0B35E3.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DB13E22.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\742B40AF.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74D2101E.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\789B71E2.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7FBB7CAE.exe Infected: not-a-virus:AdWare.Win32.Lop.bb skipped

C:\Program Files\Shareaza\Downloads\++++++++ moulin rouge roxane 43.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\Program Files\Shareaza\Downloads\---===== the happiest place on earth 1 27.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\Program Files\Shareaza\Downloads\fallen leaves 1 22.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\Program Files\Shareaza\Downloads\shared by moby my hips don't lie 18.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\Program Files\Shareaza\Downloads\_uncensored_ boden anna 1 29.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\DriveCleaner Free\udcpas.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped

C:\QooBox\Quarantine\C\Program Files\Common Files\DriveCleaner Free\udcsdr.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped

C:\QooBox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a skipped

C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped

C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 2 skipped

C:\QooBox\Quarantine\C\Program Files\Save\SaveNowupdate.exe.vir/Acm.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped

C:\QooBox\Quarantine\C\Program Files\Save\SaveNowupdate.exe.vir/Save.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped

C:\QooBox\Quarantine\C\Program Files\Save\SaveNowupdate.exe.vir CAB: infected - 2 skipped

C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped

C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped

C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir NSIS: infected - 3 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\hedfx.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\RECYCLER\NPROTECT\01500270.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\MILLA.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\ZLT07441.TMP Object is locked skipped

C:\WINDOWS\Temp\ZLT07457.TMP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



-------------------------------------------
===============================
++++++++++++++++++++++++++++++++++++++++++




Logfile of HijackThis v1.99.1
Scan saved at 3:24:21 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Hijackthis\Hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AVG Control Center.lnk = C:\Program Files\Grisoft\AVG7\avgcc.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?7e4723039fe64d03b86eb754ad9acd64
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?7e4723039fe64d03b86eb754ad9acd64
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.0.15.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am
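
Most of the 89 "infected objects" in the report above are not on the live system: they sit in the Norton AntiVirus quarantine, in ComboFix's QooBox quarantine, or in the Norton Protected Recycle Bin store under RECYCLER\NPROTECT, and the "Object is locked" lines are in-use system and AV files that every online scan reports. The added example below, which is not Kaspersky's code or the forum's, sorts a report into those buckets so that only the detections that still need action remain. The sample lines are copied from the report above; the three line shapes it recognises are an assumption about the Kaspersky Online Scanner 5 text export, and which folders count as "already contained" is this example's own judgement.

```python
"""Sort a Kaspersky Online Scanner report into noise, already-contained
detections and live detections that still need action.

Added example for this thread, not Kaspersky's or the forum's code. The
sample lines are copied from the report in the thread; the line shapes
handled ("... Object is locked skipped", "... Infected: <name> skipped",
"... <packer>: infected - <n> skipped") are an assumption about the
Kaspersky Online Scanner 5 text export, and the list of quarantine folders
is this example's own choice.
"""
import re

# Constructed sample: nine lines from the report above, covering each kind.
SAMPLE_REPORT = r"""C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nish\My Documents\My Music\OCB taylor the late boy 30.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09AB0A31.exe Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\348A6472.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\348A6472.zip ZIP: infected - 3 skipped
C:\Program Files\Shareaza\Downloads\fallen leaves 1 22.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hedfx.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\RECYCLER\NPROTECT\01500270.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\w+): infected - (?P<n>\d+) skipped$")

# Folders whose contents are already held by another tool: the Norton AntiVirus
# quarantine, the QooBox quarantine created by ComboFix, and the Norton
# Protected Recycle Bin store. Detections there are stored copies, not running
# code, and are cleared through that tool rather than deleted by hand.
CONTAINED_MARKERS = ("\\quarantine\\", "\\qoobox\\", "\\recycler\\nprotect\\")


def top_level_file(path):
    """Archive members are reported as 'container/member'; Windows paths use
    backslashes, so the first '/' separates the file on disk from the member."""
    return path.split("/", 1)[0]


def is_contained(path):
    p = path.lower()
    return any(marker in p for marker in CONTAINED_MARKERS)


def triage(report):
    """Return {'locked': n, 'containers': n, 'contained': {file: [names]}, 'live': {file: [names]}}."""
    result = {"locked": 0, "containers": 0, "contained": {}, "live": {}}
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            result["locked"] += 1       # in-use OS/AV files; expected on a running system
            continue
        if CONTAINER_RE.match(line):
            result["containers"] += 1   # archive summary; its members were listed separately
            continue
        m = INFECTED_RE.match(line)
        if not m:
            continue                    # unrecognised line shape: leave it for a human
        f = top_level_file(m["path"])
        bucket = result["contained"] if is_contained(f) else result["live"]
        names = bucket.setdefault(f, [])
        if m["name"] not in names:
            names.append(m["name"])
    return result


def actionable(report):
    """Sorted (file, [detection names]) for live files: the 'find and delete' list."""
    return sorted(triage(report)["live"].items())


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"locked: {summary['locked']}, archive summaries: {summary['containers']}, "
          f"already contained: {len(summary['contained'])} files")
    for path, names in actionable(SAMPLE_REPORT):
        print("DELETE", path, "->", ", ".join(names))
```

On the sample this leaves exactly the two live .wma files, which matches the full report: every live detection in it is a Trojan-Downloader.WMA.Wimad.d hit on a file under My Music or the Shareaza download folder, and everything else is either locked or already quarantined. Kaspersky's Wimad family covers WMA files whose DRM licence request opens a web page that pushes further downloads when the file is played, so those P2P downloads are the likely way the adware arrived in the first place.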

Unread postby Trogan » August 14th, 2007, 8:08 pm

Sorry for the delay; I was away. I will reply back with some instructions soon.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Trogan » August 16th, 2007, 7:07 am

Sorry for the delay.

Please do the following...

1. Find and delete the following files:

C:\Documents and Settings\Nish\My Documents\My Music\alanna\(New Release) stand down 00.wma
C:\Documents and Settings\Nish\My Documents\My Music\OCB taylor the late boy 30.wma
C:\Program Files\Shareaza\Downloads\++++++++ moulin rouge roxane 43.wma
C:\Program Files\Shareaza\Downloads\---===== the happiest place on earth 1 27.wma
C:\Program Files\Shareaza\Downloads\fallen leaves 1 22.wma
C:\Program Files\Shareaza\Downloads\shared by moby my hips don't lie 18.wma
C:\Program Files\Shareaza\Downloads\_uncensored_ boden anna 1 29.wma

2. Clean Norton Quarantine - Instruction here.

3. Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

4. Run a new Kaspersky scan.

5. Please post the following...

SmitfraudFix report
Kaspersky log
New HijackThis log
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby NonSuch » August 26th, 2007, 12:39 am

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California