Odd Spyware
My wife went somewhere on MySpace and got some spyware or malware. I have a yellow box that pops up in the bottom right-hand corner telling me to buy something (but that left with the scans), and the desktop in her profile has a red screen over it. The computer runs pretty slow. I ran Ad-Aware, Spybot, Super Spyware Blaster, and Panda and Kaspersky scans. Most of the problems are gone, but something nasty is still lurking. It also managed to shut off the Task Manager on my wife's profile.
Any help would be greatly appreciated.
Here are the Panda scan results:
Incident Status Location
Adware:adware/ncase Not disinfected C:\WINDOWS\System32\SALM.EXE
Adware:adware/tubby Not disinfected c:\windows\system32\WER8274.DLL
Adware:adware/keenvalue Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\SYSTEM32\KB_963493.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.com.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.2o7.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.247realmedia.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.ads.pointroll.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.adultfriendfinder.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.bs.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.burstnet.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.cs.sexcounter.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.doubleclick.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.ehg-dig.hitbox.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.errorsafe.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.fastclick.net/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.statcounter.com/]
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.systemdoctor.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.tribalfusion.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[.zedo.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[citi.bridgetrack.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[counter.hitslink.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[searchportal.information.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[stats1.reliablestats.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[statse.webtrendslive.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\COOKIES.TXT[www.burstbeacon.com/]
Here are the Kaspersky scan results:
KASPERSKY ONLINE SCANNER REPORT
Friday, August 03, 2007 9:27:49 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/08/2007
Kaspersky Anti-Virus database records: 349684
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 59674
Number of viruses found: 2
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:20:51
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{A62616A7-F67A-4EC2-9CF8-67022E9EE006}\RP458\A0041808.exe Infected: Trojan.Win32.Agent.amk skipped
C:\System Volume Information\_restore{A62616A7-F67A-4EC2-9CF8-67022E9EE006}\RP482\A0055317.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped
Scan process completed.
And finally, here is the HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:17 PM, on 8/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FE2172CC-6C75-4C5C-872B-5029A9559B7a} - (no file)
O2 - BHO: (no name) - {FF83D35E-CC6D-4D3A-9491-68AAB9E96869} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 4656 bytes
Again thanks for any help you can provide. You guys are great.
Comments
But here is a fresh hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:24 AM, on 8/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FE2172CC-6C75-4C5C-872B-5029A9559B7a} - (no file)
O2 - BHO: (no name) - {FF83D35E-CC6D-4D3A-9491-68AAB9E96869} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 4726 bytes
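The HijackThis logs in this thread are read by eye; as an added example (not code from the thread or from HijackThis itself), here is a small Python triage pass that parses the R*/O* lines and flags the kinds of entries the helpers look at: orphaned O2 BHOs, per-user and SYSTEM-hive O4 autoruns, the O6 policy restriction, the O10 LSP line and the O17 DNS servers. The sample lines are constructed from the log above, and the flagging rules are this example's own heuristics, not the tool's verdicts.

```python
"""Triage pass over HijackThis-style log lines.

Added example for this thread; not HijackThis code. The flagging rules are
heuristics written for this example, not the tool's own judgement.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries in the shape of the HijackThis v2.0.2 log posted
# above (raw string so the Windows backslashes stay literal).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every substantive line looks like "<code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: <hive>\..\Run[Once]: [<name>] <image> [(User '<who>')]
RUN_RE = re.compile(
    r"^(?P<hive>[^:]+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] "
    r"(?P<image>.+?)(?: \(User '[^']*'\))?$"
)
DNS_RE = re.compile(r"NameServer = ([\d.,]+)")


@dataclass
class Entry:
    kind: str   # HijackThis section code, e.g. "O4"
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    severity: str   # "high", "review" or "low"
    entry: Entry
    reason: str


def parse_hjt(text):
    """Return the R*/O* entries of a log, skipping headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def triage(entries):
    """Apply the heuristics; each Finding says why the line deserves a second look."""
    findings = []
    for e in entries:
        if e.kind == "O2" and e.body.endswith("(no file)"):
            findings.append(Finding("low", e,
                "BHO CLSID is still registered but its DLL is gone: an orphan left "
                "behind by a removal, a safe cleanup candidate"))
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if m is None:
                continue
            hive, name, image = m["hive"], m["name"], m["image"].strip('"')
            if hive.startswith("HKCU"):
                findings.append(Finding("review", e,
                    f"per-user autorun [{name}] -> {image}; verify the publisher"))
            elif "S-1-5-18" in hive:
                findings.append(Finding("review", e,
                    f"autorun [{name}] under the SYSTEM account hive (S-1-5-18); "
                    "uncommon for a user application, worth confirming"))
        elif e.kind == "O6":
            findings.append(Finding("high", e,
                "IE restriction policy present; on a home PC this is usually set by a "
                "lockdown tool or by malware rather than by the user, confirm which"))
        elif e.kind == "O10":
            findings.append(Finding("review", e,
                "Winsock LSP not on HijackThis's known list; check the DLL's publisher "
                "before removing it, a bad LSP removal breaks networking"))
        elif e.kind == "O17":
            m = DNS_RE.search(e.body)
            if m:
                findings.append(Finding("review", e,
                    "DNS servers " + m.group(1).replace(",", ", ")
                    + "; confirm they belong to your ISP (DNS hijack check)"))
    return findings


def triage_log(text):
    """Parse then triage, most urgent findings first (sort is stable within a level)."""
    rank = {"high": 0, "review": 1, "low": 2}
    return sorted(triage(parse_hjt(text)), key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry.kind}: {f.reason}")
```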
( 1 )
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
( 2 )
Please download SmitfraudFix
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Scan done at 17:56:40.70, Wed 08/08/2007
Run from C:\Documents and Settings\James\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\susp.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\James
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\James\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JAMES\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Instant Wireless PCI Card V2.7 - Packet Scheduler Miniport
DNS Server Search Order: 68.87.71.226
DNS Server Search Order: 68.87.73.242
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer=68.87.71.226,68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer=68.87.71.226,68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer=68.87.71.226,68.87.73.242
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background
SmitFraudFix v2.210
Scan done at 19:30:40.18, Wed 08/08/2007
Run from C:\Documents and Settings\James\Desktop\Spyware Tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\susp.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer=68.87.71.226,68.87.73.242
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer=68.87.71.226,68.87.73.242
HKLM\SYSTEM\CS2\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer=68.87.71.226,68.87.73.242
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
And here is the new HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:39 PM, on 8/8/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FE2172CC-6C75-4C5C-872B-5029A9559B7a} - (no file)
O2 - BHO: (no name) - {FF83D35E-CC6D-4D3A-9491-68AAB9E96869} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 4482 bytes
Thanks again.
Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
- Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
- On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
Once the scan is complete do the following:
AVG Anti-Spyware - Scan Report
+ Created at: 8:01:23 PM 8/9/2007
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup (quarantined).
:mozilla.184:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.185:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.186:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.187:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.305:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.200:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.201:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.202:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.203:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.204:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.263:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.131:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.132:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.133:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.134:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.135:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.136:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.137:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.138:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.196:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.197:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.198:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.199:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.307:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Information : Cleaned.
:mozilla.62:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.100:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.101:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.102:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.103:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.104:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.99:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.306:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.98:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.309:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.231:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.232:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.233:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.234:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.47:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.48:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.49:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.50:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.51:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.60:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.68:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.69:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.70:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.71:C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\mwn5ezca.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
::Report end
Please download Combofix to your desktop.
- Double click on Combofix.exe & follow the prompts.
- When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
Well, here's the Combofix log:
ComboFix 07-08-09.3 - "James" 2007-08-10 5:35:02.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.43 [GMT -4:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\180ax.exe
C:\WINDOWS\system32\biprep.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\salm.exe
C:\WINDOWS\system32\satmat.exe
C:\WINDOWS\system32\updatetc.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\voiceip.dll
((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))
2007-08-10 05:33 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-09 17:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-08 17:56 816 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-08 17:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-08 17:56 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-08 17:56 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-03 18:31 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-03 05:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-03 05:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-08-02 20:59 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-02 20:43 <DIR> d-------- C:\DOCUME~1\James\APPLIC~1\Comodo
2007-08-02 20:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-08-02 20:40 <DIR> d-------- C:\Program Files\Comodo
2007-08-02 20:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-02 19:43 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-08-02 19:43 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-08-02 19:43 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-08-02 19:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-02 19:30 <DIR> d-------- C:\Program Files\CCleaner
2007-08-02 15:52 <DIR> d-------- C:\DOCUME~1\Erica\APPLIC~1\Lavasoft
2007-08-02 15:43 <DIR> d-------- C:\Program Files\AntispyStorm
2007-07-27 07:06 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-27 07:03 <DIR> d-------- C:\Program Files\Google
2007-07-27 07:03 <DIR> d-------- C:\DOCUME~1\James\APPLIC~1\Google
2007-07-23 10:55 <DIR> d-------- C:\DOCUME~1\Erica\APPLIC~1\MySpace
2007-07-22 11:54 <DIR> d-------- C:\Program Files\MySpace
2007-07-22 11:54 <DIR> d-------- C:\DOCUME~1\James\APPLIC~1\MySpace
2007-07-21 22:35 <DIR> d-------- C:\Program Files\iTunes
2007-07-21 22:30 <DIR> d-------- C:\Program Files\QuickTime
2007-07-21 22:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-10 05:40 651296 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-10 05:40 26816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-10 05:40 2147996 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-10 05:40 1695744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-08 08:03 25 --a------ C:\WINDOWS\popcinfo.dat
2007-08-02 15:06 979 --a------ C:\WINDOWS\system32\drivers\product_2_name_small.gif
2007-08-02 15:06 918 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
2007-08-02 15:06 837 --a------ C:\WINDOWS\system32\drivers\blank.gif
2007-08-02 15:06 835 --a------ C:\WINDOWS\system32\drivers\style.css
2007-08-02 15:06 6575 --a------ C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-08-02 15:06 65 --a------ C:\WINDOWS\system32\drivers\sep_hor.gif
2007-08-02 15:06 64 --a------ C:\WINDOWS\system32\drivers\close_icon.gif
2007-08-02 15:06 639 --a------ C:\WINDOWS\system32\drivers\star.gif
2007-08-02 15:06 6373 --a------ C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-08-02 15:06 550 --a------ C:\WINDOWS\system32\drivers\star_small.gif
2007-08-02 15:06 53 --a------ C:\WINDOWS\system32\drivers\sep_vert.gif
2007-08-02 15:06 49 --a------ C:\WINDOWS\system32\drivers\spacer.gif
2007-08-02 15:06 48933 --a------ C:\WINDOWS\system32\drivers\pt.htm
2007-08-02 15:06 4723 --a------ C:\WINDOWS\system32\drivers\detect.htm
2007-08-02 15:06 425 --a------ C:\WINDOWS\system32\drivers\star_gray.gif
2007-08-02 15:06 3877 --a------ C:\WINDOWS\system32\drivers\warning_icon.gif
2007-08-02 15:06 360 --a------ C:\WINDOWS\system32\drivers\header_bg.gif
2007-08-02 15:06 3080 --a------ C:\WINDOWS\system32\drivers\product_3_header.gif
2007-08-02 15:06 2922 --a------ C:\WINDOWS\system32\drivers\footer_back.jpg
2007-08-02 15:06 291 --a------ C:\WINDOWS\system32\drivers\v.gif
2007-08-02 15:06 28459 --a------ C:\WINDOWS\system32\drivers\header_1.gif
2007-08-02 15:06 283 --a------ C:\WINDOWS\system32\drivers\x.gif
2007-08-02 15:06 2604 --a------ C:\WINDOWS\system32\drivers\product_1_header.gif
2007-08-02 15:06 2238 --a------ C:\WINDOWS\system32\drivers\download_box.gif
2007-08-02 15:06 223 --a------ C:\WINDOWS\system32\drivers\star_gray_small.gif
2007-08-02 15:06 2214 --a------ C:\WINDOWS\system32\drivers\product_2_header.gif
2007-08-02 15:06 2186 --a------ C:\WINDOWS\system32\drivers\alert_icon.gif
2007-08-02 15:06 215 --a------ C:\WINDOWS\system32\drivers\main_back.gif
2007-08-02 15:06 2090 --a------ C:\WINDOWS\system32\drivers\shadow.jpg
2007-08-02 15:06 1791 --a------ C:\WINDOWS\system32\drivers\win_logo.gif
2007-08-02 15:06 1714 --a------ C:\WINDOWS\system32\drivers\product_3_name_small.gif
2007-08-02 15:06 1647 --a------ C:\WINDOWS\system32\drivers\button_freescan.gif
2007-08-02 15:06 1619 --a------ C:\WINDOWS\system32\drivers\button_buynow.gif
2007-08-02 15:06 15421 --a------ C:\WINDOWS\system32\drivers\header_2.gif
2007-08-02 15:06 13618 --a------ C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-08-02 15:06 1330 --a------ C:\WINDOWS\system32\drivers\product_features.gif
2007-08-02 15:06 1253 --a------ C:\WINDOWS\system32\drivers\product_1_name_small.gif
2007-08-02 15:06 12326 --a------ C:\WINDOWS\system32\drivers\box_3.gif
2007-08-02 15:06 12313 --a------ C:\WINDOWS\system32\drivers\box_1.gif
2007-08-02 15:06 1204 --a------ C:\WINDOWS\system32\drivers\infected.gif
2007-08-02 15:06 11927 --a------ C:\WINDOWS\system32\drivers\box_2.gif
2007-08-02 15:06 11077 --a------ C:\WINDOWS\system32\drivers\header_4.gif
2007-08-02 15:06 10260 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-08-02 15:06 10193 --a------ C:\WINDOWS\system32\drivers\header_3.gif
2007-08-02 15:06 1014 --a------ C:\WINDOWS\system32\drivers\icon_warning.gif
2007-07-27 07:08 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-06-14 13:05 d-------- C:\DOCUME~1\James\APPLIC~1\uTorrent
2007-06-11 11:26 23 --a------ C:\WINDOWS\raptinfo.dat
2007-06-10 21:56 d-------- C:\DOCUME~1\James\APPLIC~1\WinRAR
2007-05-15 09:41 12965 --a------ C:\WINDOWS\system32\KB_963493.exe
2007-05-13 19:36 1165 --a------ C:\WINDOWS\mozver.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{279A05E3-C129-4189-BA16-F0DB908C89B0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE2172CC-6C75-4C5C-872B-5029A9559B7a}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF83D35E-CC6D-4D3A-9491-68AAB9E96869}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"kav"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2006-05-30 12:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-02 20:40]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-09 17:50]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RunOnce2Upd"="C:\WINDOWS\System32\KB_963493.exe"
R0 Inspect;Comodo Network Engine;C:\WINDOWS\System32\DRIVERS\inspect.sys
R2 NWCWorkstation;Client Service for NetWare;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 NWRDR;NetWare Rdr;C:\WINDOWS\System32\DRIVERS\nwrdr.sys
R3 USR1806V;U.S. Robotics Voice Modem Driver 1806;C:\WINDOWS\System32\DRIVERS\USR1806V.SYS
R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\System32\DRIVERS\WMP11V27.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\System32\DRIVERS\NMnt.sys
Contents of the 'Scheduled Tasks' folder
2005-05-14 22:14:20 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe
2007-08-05 00:11:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 05:43:31
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-10 5:47:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 05:47
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:04 AM, on 8/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FE2172CC-6C75-4C5C-872B-5029A9559B7a} - (no file)
O2 - BHO: (no name) - {FF83D35E-CC6D-4D3A-9491-68AAB9E96869} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 4944 bytes
( 1 )
Please run a BitDefender Online Scan
- Click I Agree to agree to the EULA.
- Allow the ActiveX control to install when prompted.
- Click Click here to scan to begin the scan.
- Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
- When the scan is finished, click on Click here to export the scan results.
- Save the report to your desktop so you can post it in your next reply.
( 2 ) More information with a screenshot can be found Here.
Let me know the results.
BitDefender Online Scanner - Scan Report
Scan report generated at: Fri, Aug 10, 2007 - 20:16:45
Scan path: A:\;C:\;D:\;E:\;F:\;
Statistics
Time: 02:04:05
Files: 235600
Folders: 6569
Boot Sectors: 4
Archives: 1319
Packed Files: 4625
Results
Identified Viruses: 1
Infected Files: 2
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2
Engines Info
Virus Definitions: 690713
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 37
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1
Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes
Scanned File - Status
C:\WINDOWS\system32\KB_963493.exe - Infected with: Trojan.Delphi.Downloader.GV
C:\WINDOWS\system32\KB_963493.exe - Disinfection failed
C:\WINDOWS\system32\KB_963493.exe - Deleted
C:\System Volume Information\_restore{A62616A7-F67A-4EC2-9CF8-67022E9EE006}\RP2\A0000205.exe - Infected with: Trojan.Delphi.Downloader.GV
C:\System Volume Information\_restore{A62616A7-F67A-4EC2-9CF8-67022E9EE006}\RP2\A0000205.exe - Disinfection failed
C:\System Volume Information\_restore{A62616A7-F67A-4EC2-9CF8-67022E9EE006}\RP2\A0000205.exe - Deleted
And here's my uninstall list.
µTorrent
Abexo Free Registry Cleaner
Active Virus Shield
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Apple Software Update
AVG Anti-Spyware 7.5
Bejeweled Deluxe 1.6z
CCleaner (remove only)
Chuzzle Gold 1.0
COMODO Firewall Pro
DirectX 9 Hotfix - KB839643
Google Earth
HijackThis 2.0.2
Internet Speed Monitor
iPod for Windows 2006-01-10
iPod Updater 2004-08-06
iTunes
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.1_03
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Microsoft .NET Framework 1.1
Microsoft Broadband Networking
Microsoft Data Access Components KB870669
Mozilla Firefox (2.0.0.6)
MySpaceIM
Panda ActiveScan
PeerGuardian 2.0
QuickTime
Registry Mechanic 6.0
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q282010 for more information]
Windows XP Hotfix (SP1) [See Q307869 for more information]
Windows XP Hotfix (SP1) [See Q308210 for more information]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q310437 for more information]
Windows XP Hotfix (SP1) [See Q310510 for more information]
Windows XP Hotfix (SP1) [See Q311542 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q316397 for more information]
Windows XP Hotfix (SP1) [See Q317181 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q318388 for more information]
Windows XP Hotfix (SP1) [See Q318966 for more information]
Windows XP Hotfix (SP1) [See Q319322 for more information]
Windows XP Hotfix (SP1) [See Q319949 for more information]
Windows XP Hotfix (SP1) [See Q320174 for more information]
Windows XP Hotfix (SP1) [See Q320552 for more information]
Windows XP Hotfix (SP1) [See Q320678 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q323322 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
WinRAR archiver
WinZip
Wireless PCI Card Configuration Utility
XoftSpy
Yahoo! Install Manager
Yahoo! Toolbar
Zuma Deluxe 1.0
( 1 )
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
( 2 )
Download the latest version of Java Runtime Environment (JRE) 6/02
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
( 3 )
Please download Deckard's System Scanner (DSS) to your desktop.
Deckard's System Scanner v20070809.63
Run by James on 2007-08-11 at 13:53:24
Computer is in Normal Mode.
-- System Restore
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2007-08-11 17:54:08 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 192 MiB (512 MiB recommended).
-- HijackThis (run as James.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:04 AM, on 8/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {FE2172CC-6C75-4C5C-872B-5029A9559B7a} - (no file)
O2 - BHO: (no name) - {FF83D35E-CC6D-4D3A-9491-68AAB9E96869} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [kav] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2C86C6-B6F7-4C6E-BDC3-F4B2515F8A0B}: NameServer = 68.87.71.226,68.87.73.242
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 4944 bytes
-- File Associations
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 WMP11V27 (Instant Wireless PCI Card V2.7 Driver) - c:\windows\system32\drivers\wmp11v27.sys <Not Verified; The Linksys Group, Inc; Instant Wireless PCI Card>
S3 catchme - c:\docume~1\james\locals~1\temp\catchme.sys (file missing)
S3 PCANDIS5 (PCANDIS5 Protocol Driver) - e:\autorun\pcandis5.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
All services whitelisted.
-- Device Manager: Disabled
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_100010B7&REV_6C\3&61AAA01&0&68
Manufacturer: 3Com
Name: 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
PNP Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_100010B7&REV_6C\3&61AAA01&0&68
Service: EL90XBC
-- Scheduled Tasks
2007-08-04 20:11:08 284 --a
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2005-05-14 18:14:20 296 --a
C:\WINDOWS\Tasks\XoftSpy.job
-- Files created between 2007-07-11 and 2007-08-11
2007-08-11 13:45:51 0 d
C:\Program Files\Common Files\Java
2007-08-10 18:08:38 0 d
C:\WINDOWS\BDOSCAN8
2007-08-09 17:54:36 0 d
C:\Documents and Settings\All Users\Application Data\Grisoft
2007-08-08 17:56:54 816 --a
C:\WINDOWS\System32\tmp.reg
2007-08-08 17:56:21 51200 --a
C:\WINDOWS\System32\dumphive.exe
2007-08-08 17:56:20 288417 --a
C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-08-08 17:56:16 53248 --a
C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-08-08 06:11:56 0 dr-h
C:\Documents and Settings\James\Recent
2007-08-03 18:31:59 0 d
C:\WINDOWS\System32\Kaspersky Lab
2007-08-03 05:43:14 0 d
C:\WINDOWS\System32\ActiveScan
2007-08-02 20:59:07 0 d
C:\Program Files\Trend Micro
2007-08-02 20:43:04 0 d
C:\Documents and Settings\James\Application Data\Comodo
2007-08-02 20:42:58 0 d
C:\Documents and Settings\All Users\Application Data\Comodo
2007-08-02 20:40:07 0 d
C:\Program Files\Comodo
2007-08-02 20:28:26 0 d
C:\Program Files\SpywareBlaster
2007-08-02 19:43:39 63 --a
C:\WINDOWS\system\SYSRegC.dll
2007-08-02 19:43:11 143360 --a
C:\WINDOWS\System32\GetHardDiskNo.dll <Not Verified; MaxSecure Software; MaxSecure Registration Module>
2007-08-02 19:43:08 0 d
C:\Program Files\Max Registry Cleaner
2007-08-02 19:34:43 0 dr-h
C:\Documents and Settings\Erica\Recent
2007-08-02 19:31:07 0 d
C:\Program Files\Yahoo!
2007-08-02 19:30:44 0 d
C:\Program Files\CCleaner
2007-08-02 15:52:47 0 d
C:\Documents and Settings\Erica\Application Data\Lavasoft
2007-08-02 15:43:02 0 d
C:\Program Files\AntispyStorm
2007-07-27 07:06:06 1744 --a
C:\WINDOWS\System32\d3d9caps.dat
2007-07-27 07:03:32 0 d
C:\Program Files\Google
2007-07-27 07:03:32 0 d
C:\Documents and Settings\James\Application Data\Google
2007-07-23 13:45:28 0 d
C:\Documents and Settings\Erica\Application Data\Sun
2007-07-23 11:01:41 0 d
C:\Documents and Settings\Erica\Application Data\Macromedia
2007-07-23 10:55:49 0 d
C:\Documents and Settings\Erica\Application Data\MySpace
2007-07-22 11:54:59 0 d
C:\Documents and Settings\James\Application Data\MySpace
2007-07-22 11:54:48 0 d
C:\Program Files\MySpace
2007-07-21 22:35:59 0 d
C:\Program Files\iTunes
2007-07-21 22:30:04 0 d
C:\Program Files\QuickTime
2007-07-21 22:26:56 0 d
C:\Documents and Settings\All Users\Application Data\Apple
-- Find3M Report
2007-08-08 08:03:18 25 --a
C:\WINDOWS\popcinfo.dat
2007-07-27 07:08:52 1632 --a
C:\WINDOWS\System32\d3d8caps.dat
2007-06-15 09:50:50 0 d
C:\Documents and Settings\James\Application Data\Adobe
2007-06-14 13:05:20 0 d
C:\Documents and Settings\James\Application Data\uTorrent
2007-06-11 11:26:08 23 --a
C:\WINDOWS\raptinfo.dat
2007-05-13 19:55:36 2 --a
C:\131008272
2007-05-13 19:36:16 1165 --a
C:\WINDOWS\mozver.dat
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{279A05E3-C129-4189-BA16-F0DB908C89B0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE2172CC-6C75-4C5C-872B-5029A9559B7a}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF83D35E-CC6D-4D3A-9491-68AAB9E96869}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kav"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [05/30/2006 12:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [08/02/2007 08:40 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [08/09/2007 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISMModule2"="C:\Program Files\ISM\ISMModule2.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RunOnce2Upd"="C:\WINDOWS\System32\KB_963493.exe"
-- End of Deckard's System Scanner: finished at 2007-08-11 at 13:58:26
And here is extra.txt
Deckard's System Scanner v20070809.63
Extra logfile - please post this as an attachment with your post.
-- System Information
Microsoft Windows XP Professional (build 2600)
Architecture: X86; Language: English
CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 191.54 MiB / 46.75 MiB
Pagefile Memory (total/avail): 371.75 MiB / 148.77 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1980.61 MiB
A: is Removable (No Media)
C: is Fixed (FAT32) - 12.72 GiB total, 8.3 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 114.49 GiB total, 45.52 GiB free.
-- Security Center
AUOptions is disabled.
-- Environment Variables
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\James\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JEN
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\
LOGONSERVER=\\JEN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 7 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0702
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\James\LOCALS~1\Temp
TMP=C:\DOCUME~1\James\LOCALS~1\Temp
USERDOMAIN=JEN
USERNAME=James
USERPROFILE=C:\Documents and Settings\James
windir=C:\WINDOWS
-- User Profiles
Jen (admin)
James (admin)
Erica (admin)
Administrator (admin)
Guest (new local, guest)
-- Add/Remove Programs
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
Abexo Free Registry Cleaner --> C:\Program Files\Abexo\afrc\uninst.exe
Active Virus Shield --> MsiExec.exe /I{75193929-9A52-4CA4-98DE-8C7296940920}
Ad-Aware SE Personal --> MsiExec.exe /X{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bejeweled Deluxe 1.6z --> C:\Program Files\PopCap Games\Bejeweled Deluxe\UnGins.exe "C:\Program Files\PopCap Games\Bejeweled Deluxe\install.log"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Chuzzle Gold 1.0 --> "C:\Program Files\Raptisoft\Chuzzle Gold\unins000.exe"
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
DirectX 9 Hotfix - KB839643 --> C:\WINDOWS\$NtUninstallKB839643-DirectX9$\spuninst\spuninst.exe
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Internet Speed Monitor --> C:\Program Files\ISM\Uninstall.exe
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iPod Updater 2004-08-06 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2F8C106A-7DFC-45DE-8006-F9145AADF1D8} /l1033
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kaspersky Online Scanner --> C:\WINDOWS\System32\KASPER~1\KASPER~1\kavuninstall.exe
Microsoft Broadband Networking --> MsiExec.exe /I{8CC15633-2327-43F4-BA85-B83FDB4B59BE}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
Panda ActiveScan --> C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Registry Mechanic 6.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wireless PCI Card Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C6956F3-B586-4674-BCD0-CCF7EC1DF766}\Setup.exe" -l0x9
XoftSpy --> C:\Program Files\XoftSpy\uninstall.exe
Zuma Deluxe 1.0 --> C:\Program Files\PopCap Games\Zuma Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Zuma Deluxe\Install.log"
-- Application Event Log
Event ID #5182: Warning
Event Submitted/Written: 08/11/2007 01:32:10 PM
Event Source: Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event ID #5177: Warning
Event Submitted/Written: 08/11/2007 01:11:57 PM
Event Source: Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event ID #5174: Warning
Event Submitted/Written: 08/11/2007 00:40:54 AM
Event Source: Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event ID #5171: Warning
Event Submitted/Written: 08/10/2007 08:34:40 PM
Event Source: Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event ID #5168: Warning
Event Submitted/Written: 08/10/2007 04:41:23 PM
Event Source: Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
-- Security Event Log
No Errors/Warnings found.
-- System Event Log
Event ID #26052: Warning
Event Submitted/Written: 08/11/2007 01:33:55 PM
Event Source: Server
Event Description:
The server service was unable to recreate the share Nintendo because the directory C:\Documents and Settings\DAN\Desktop\Nintendo no longer exists. Please run "net share Nintendo /delete" to delete the share, or recreate the directory C:\Documents and Settings\DAN\Desktop\Nintendo.
Event ID #26051: Warning
Event Submitted/Written: 08/11/2007 01:33:55 PM
Event Source: Server
Event Description:
The server service was unable to recreate the share Shared Music because the directory C:\Documents and Settings\DAN\My Documents\My Music no longer exists. Please run "net share Shared Music /delete" to delete the share, or recreate the directory C:\Documents and Settings\DAN\My Documents\My Music.
Event ID #26029: Warning
Event Submitted/Written: 08/11/2007 01:13:48 PM
Event Source: Server
Event Description:
The server service was unable to recreate the share Nintendo because the directory C:\Documents and Settings\DAN\Desktop\Nintendo no longer exists. Please run "net share Nintendo /delete" to delete the share, or recreate the directory C:\Documents and Settings\DAN\Desktop\Nintendo.
Event ID #26028: Warning
Event Submitted/Written: 08/11/2007 01:13:48 PM
Event Source: Server
Event Description:
The server service was unable to recreate the share Shared Music because the directory C:\Documents and Settings\DAN\My Documents\My Music no longer exists. Please run "net share Shared Music /delete" to delete the share, or recreate the directory C:\Documents and Settings\DAN\My Documents\My Music.
Event ID #26008: Warning
Event Submitted/Written: 08/11/2007 06:47:37 AM
Event Source: Server
Event Description:
The server service was unable to recreate the share Nintendo because the directory C:\Documents and Settings\DAN\Desktop\Nintendo no longer exists. Please run "net share Nintendo /delete" to delete the share, or recreate the directory C:\Documents and Settings\DAN\Desktop\Nintendo.
-- End of Deckard's System Scanner: finished at 2007-08-11 at 13:58:26
Please open HiJackThis and scan. Check the boxes next to all the entries listed below:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {FE2172CC-6C75-4C5C-872B-5029A9559B7a} - (no file)
O2 - BHO: (no name) - {FF83D35E-CC6D-4D3A-9491-68AAB9E96869} - (no file)
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
( 2 )
Open notepad and copy/paste the text in the quotebox below into it: ( Please make sure you copy everything in the code box )
Save this as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
( 3 )
Please download Sophos Anti Rootkit to your desktop.
Run the program sarsfx.exe.
Let me know the results of the scan.
Also post the result log from ComboFix.
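The entries the helper picked out above are the usual HijackThis triage signals: a BHO whose CLSID is still registered but whose DLL is gone (`(no file)`), Run/RunOnce autostarts that point at paths no longer on disk or that sit under the SYSTEM/default-user hives, a start page reset to `about:blank`, and an O6 line showing IE policy restrictions. The script below is an added example (not part of this thread and not HijackThis's own code) that parses lines of that format and applies those review rules; the sample log is constructed from lines copied out of this thread, the rule set is my own heuristic, and `path_exists` is injectable so the log from another machine can be triaged offline.

```python
import os
import re

# Constructed sample input: HijackThis lines copied from this thread (the ones the
# helper asked the poster to fix, plus one legitimate O23 service line for contrast).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {279A05E3-C129-4189-BA16-F0DB908C89B0} - (no file)
O2 - BHO: (no name) - {FE2172CC-6C75-4C5C-872B-5029A9559B7a} - (no file)
O4 - HKCU\..\Run: [ISMModule2] "C:\Program Files\ISM\ISMModule2.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""

# "O4 - <body>" style prefix shared by every HijackThis entry.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
# O4 body: "<hive>\..\Run[Once]: [<value name>] <command>"
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Leading absolute path of a command, quoted or not, up to a binary extension.
ABS_PATH_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|scr|bat|cmd))"?', re.IGNORECASE
)


def parse(log_text):
    """Split a HijackThis log into (kind, body) records, skipping non-entry lines."""
    records = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            records.append((m.group("kind"), m.group("body")))
    return records


def triage(records, path_exists=os.path.exists):
    """Apply defender-side review rules (heuristics, not HijackThis's own logic).

    Returns a list of (kind, reason, body). path_exists defaults to the local
    disk but can be swapped out when reviewing a log taken from another machine.
    """
    findings = []
    for kind, body in records:
        if kind == "R0" and body.endswith("= about:blank"):
            findings.append((kind, "start page reset to about:blank (common after a hijack)", body))
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("target") == "(no file)":
                findings.append((kind, "BHO CLSID still registered but its DLL is gone (orphaned entry)", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            hive, key, cmd = m.group("hive"), m.group("key"), m.group("cmd")
            if key.lower() == "runonce" and hive.startswith("HKUS\\"):
                findings.append((kind, "RunOnce autostart under a per-SID hive (SYSTEM/default user)", body))
            p = ABS_PATH_RE.match(cmd)
            if p and not path_exists(p.group("path")):
                findings.append((kind, "autostart points at a file that does not exist", body))
        elif kind == "O6" and body.endswith("Restrictions present"):
            findings.append((kind, "IE policy restrictions are set (confirm who set them)", body))
    return findings


if __name__ == "__main__":
    # Offline run: pretend nothing referenced in the sample exists on this machine.
    for kind, reason, body in triage(parse(SAMPLE_LOG), path_exists=lambda _p: False):
        print(f"[{kind}] {reason}\n      {body}")
```

Run against a real log on the affected machine, leave `path_exists` at its default so the missing-file rule checks the actual disk; entries for files that do exist still deserve a look (here `ISMModule2.exe` belonged to the Internet Speed Monitor program the poster later found in Add/Remove Programs), so treat the output as a review list, not a fix list.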
Here are the results of the scan that ComboFix ran when I dropped the txt document in it.
ComboFix 07-08-09.3 - "James" 2007-08-12 6:11:54.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.43 [GMT -4:00]
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\System32\KB_963493.exe
C:\Windows\System32\Narrator.exe
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Windows\System32\Narrator.exe
((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))
2007-08-11 13:53 <DIR> d
C:\Deckard
2007-08-10 18:08 <DIR> d
C:\WINDOWS\BDOSCAN8
2007-08-10 05:33 51,200 --a
C:\WINDOWS\nircmd.exe
2007-08-09 17:47 3,968 --a
C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-08 17:56 816 --a
C:\WINDOWS\system32\tmp.reg
2007-08-08 17:56 53,248 --a
C:\WINDOWS\system32\Process.exe
2007-08-08 17:56 51,200 --a
C:\WINDOWS\system32\dumphive.exe
2007-08-08 17:56 288,417 --a
C:\WINDOWS\system32\SrchSTS.exe
2007-08-03 18:31 <DIR> d
C:\WINDOWS\system32\Kaspersky Lab
2007-08-03 05:43 <DIR> d
C:\WINDOWS\system32\ActiveScan
2007-08-02 20:59 <DIR> d
C:\Program Files\Trend Micro
2007-08-02 20:43 <DIR> d
C:\DOCUME~1\James\APPLIC~1\Comodo
2007-08-02 20:42 <DIR> d
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-08-02 20:40 <DIR> d
C:\Program Files\Comodo
2007-08-02 20:28 <DIR> d
C:\Program Files\SpywareBlaster
2007-08-02 19:43 63 --a
C:\WINDOWS\system\SYSRegC.dll
2007-08-02 19:43 143,360 --a
C:\WINDOWS\system32\GetHardDiskNo.dll
2007-08-02 19:43 <DIR> d
C:\Program Files\Max Registry Cleaner
2007-08-02 19:31 <DIR> d
C:\Program Files\Yahoo!
2007-08-02 19:30 <DIR> d
C:\Program Files\CCleaner
2007-08-02 15:52 <DIR> d
C:\DOCUME~1\Erica\APPLIC~1\Lavasoft
2007-08-02 15:43 <DIR> d
C:\Program Files\AntispyStorm
2007-07-27 07:06 1,744 --a
C:\WINDOWS\system32\d3d9caps.dat
2007-07-27 07:03 <DIR> d
C:\Program Files\Google
2007-07-27 07:03 <DIR> d
C:\DOCUME~1\James\APPLIC~1\Google
2007-07-23 10:55 <DIR> d
C:\DOCUME~1\Erica\APPLIC~1\MySpace
2007-07-22 11:54 <DIR> d
C:\Program Files\MySpace
2007-07-22 11:54 <DIR> d
C:\DOCUME~1\James\APPLIC~1\MySpace
2007-07-21 22:35 <DIR> d
C:\Program Files\iTunes
2007-07-21 22:30 <DIR> d
C:\Program Files\QuickTime
2007-07-21 22:26 <DIR> d
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-11 15:09 651296 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-08-11 15:09 2147996 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-11 15:08 28640 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-11 15:08 1826080 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-08-08 08:03 25 --a
C:\WINDOWS\popcinfo.dat
2007-08-02 15:06 979 --a
C:\WINDOWS\system32\drivers\product_2_name_small.gif
2007-08-02 15:06 918 --a
C:\WINDOWS\system32\drivers\s_detect.htm
2007-08-02 15:06 837 --a
C:\WINDOWS\system32\drivers\blank.gif
2007-08-02 15:06 835 --a
C:\WINDOWS\system32\drivers\style.css
2007-08-02 15:06 6575 --a
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-08-02 15:06 65 --a
C:\WINDOWS\system32\drivers\sep_hor.gif
2007-08-02 15:06 64 --a
C:\WINDOWS\system32\drivers\close_icon.gif
2007-08-02 15:06 639 --a
C:\WINDOWS\system32\drivers\star.gif
2007-08-02 15:06 6373 --a
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-08-02 15:06 550 --a
C:\WINDOWS\system32\drivers\star_small.gif
2007-08-02 15:06 53 --a
C:\WINDOWS\system32\drivers\sep_vert.gif
2007-08-02 15:06 49 --a
C:\WINDOWS\system32\drivers\spacer.gif
2007-08-02 15:06 48933 --a
C:\WINDOWS\system32\drivers\pt.htm
2007-08-02 15:06 4723 --a
C:\WINDOWS\system32\drivers\detect.htm
2007-08-02 15:06 425 --a
C:\WINDOWS\system32\drivers\star_gray.gif
2007-08-02 15:06 3877 --a
C:\WINDOWS\system32\drivers\warning_icon.gif
2007-08-02 15:06 360 --a
C:\WINDOWS\system32\drivers\header_bg.gif
2007-08-02 15:06 3080 --a
C:\WINDOWS\system32\drivers\product_3_header.gif
2007-08-02 15:06 2922 --a
C:\WINDOWS\system32\drivers\footer_back.jpg
2007-08-02 15:06 291 --a
C:\WINDOWS\system32\drivers\v.gif
2007-08-02 15:06 28459 --a
C:\WINDOWS\system32\drivers\header_1.gif
2007-08-02 15:06 283 --a
C:\WINDOWS\system32\drivers\x.gif
2007-08-02 15:06 2604 --a
C:\WINDOWS\system32\drivers\product_1_header.gif
2007-08-02 15:06 2238 --a
C:\WINDOWS\system32\drivers\download_box.gif
2007-08-02 15:06 223 --a
C:\WINDOWS\system32\drivers\star_gray_small.gif
2007-08-02 15:06 2214 --a
C:\WINDOWS\system32\drivers\product_2_header.gif
2007-08-02 15:06 2186 --a
C:\WINDOWS\system32\drivers\alert_icon.gif
2007-08-02 15:06 215 --a
C:\WINDOWS\system32\drivers\main_back.gif
2007-08-02 15:06 2090 --a
C:\WINDOWS\system32\drivers\shadow.jpg
2007-08-02 15:06 1791 --a
C:\WINDOWS\system32\drivers\win_logo.gif
2007-08-02 15:06 1714 --a
C:\WINDOWS\system32\drivers\product_3_name_small.gif
2007-08-02 15:06 1647 --a
C:\WINDOWS\system32\drivers\button_freescan.gif
2007-08-02 15:06 1619 --a
C:\WINDOWS\system32\drivers\button_buynow.gif
2007-08-02 15:06 15421 --a
C:\WINDOWS\system32\drivers\header_2.gif
2007-08-02 15:06 13618 --a
C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-08-02 15:06 1330 --a
C:\WINDOWS\system32\drivers\product_features.gif
2007-08-02 15:06 1253 --a
C:\WINDOWS\system32\drivers\product_1_name_small.gif
2007-08-02 15:06 12326 --a
C:\WINDOWS\system32\drivers\box_3.gif
2007-08-02 15:06 12313 --a
C:\WINDOWS\system32\drivers\box_1.gif
2007-08-02 15:06 1204 --a
C:\WINDOWS\system32\drivers\infected.gif
2007-08-02 15:06 11927 --a
C:\WINDOWS\system32\drivers\box_2.gif
2007-08-02 15:06 11077 --a
C:\WINDOWS\system32\drivers\header_4.gif
2007-08-02 15:06 10260 --a
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-08-02 15:06 10193 --a
C:\WINDOWS\system32\drivers\header_3.gif
2007-08-02 15:06 1014 --a
C:\WINDOWS\system32\drivers\icon_warning.gif
2007-07-27 07:08 1632 --a
C:\WINDOWS\system32\d3d8caps.dat
2007-06-14 13:05 <DIR> d
C:\DOCUME~1\James\APPLIC~1\uTorrent
2007-06-11 11:26 23 --a
C:\WINDOWS\raptinfo.dat
2007-05-13 19:36 1165 --a
C:\WINDOWS\mozver.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kav"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2006-05-30 12:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-02 20:40]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-08-09 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RunOnce2Upd"="C:\WINDOWS\System32\KB_963493.exe"
R0 Inspect;Comodo Network Engine;C:\WINDOWS\System32\DRIVERS\inspect.sys
R2 NWCWorkstation;Client Service for NetWare;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 NWRDR;NetWare Rdr;C:\WINDOWS\System32\DRIVERS\nwrdr.sys
R3 USR1806V;U.S. Robotics Voice Modem Driver 1806;C:\WINDOWS\System32\DRIVERS\USR1806V.SYS
R3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINDOWS\System32\DRIVERS\WMP11V27.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\System32\DRIVERS\bridge.sys
S3 nm;Network Monitor Driver;C:\WINDOWS\System32\DRIVERS\NMnt.sys
Contents of the 'Scheduled Tasks' folder
2005-05-14 22:14:20 C:\WINDOWS\Tasks\XoftSpy.job - C:\Program Files\XoftSpy\XoftSpy.exe
2007-08-05 00:11:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 06:16:36
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-12 6:19:13
C:\ComboFix-quarantined-files.txt ... 2007-08-12 06:19
C:\ComboFix2.txt ... 2007-08-10 05:48
--- E O F ---
And here is what the Sophos Anti-Rootkit came up with.
Just one hidden registry key.
Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-21-776561741-1957994488-1708537768-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc?bsession=2620689&bsession_str=session_id=2620689,user_id_pk1=198213,user_id_sos_id_pk2=1,user_id=garritye001,one_time_token=,batch_uid=gar
Removable: No
Notes: (no more detail available)
Open notepad and copy/paste the text in the quotebox below into it: ( Please make sure you copy everything in the code box )
Save this as CFScript.txt
Referring to the picture above, drag CFScript.txt into ComboFix.exe
( 2 )
Please go Here to see how to show hidden files in Windows.
Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):
C:\WINDOWS\nircmd.exe
C:\WINDOWS\System32\KB_963493.exe
( 3 )
Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
o If it wants to install an ActiveX component allow it
o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report
How are things running?
Then I deleted C:\WINDOWS\nircmd.exe
The other one isn't there.
Then I tried to run a Panda Scan. Four hours later, it was halfway through and I needed to go to sleep. I woke up and it had frozen. I tried it again today while I was at work. It froze six hours later. I wasn't even able to stop it and get a partial report.
Aside from that, everything seems to be getting better. Once I installed the Comodo firewall the pop-ups stopped. It recently asked if I wanted to allow ISMmodule.exe to connect. I said no and it hasn't done it again since. So I don't know if that was what was doing it, but it seems possible. I found a couple of mentions of it in other forums.
http://forums.microsoft.com/windowsonecare/rss.aspx?postid=1932435&forumid=1253&siteid=2
http://www.lavasoftsupport.com/index.php?showtopic=11428&pid=51201&mode=threaded&start=
I'm just not sure how to proceed if this is the problem (which it seems to be). I have almost the same problems described by them. Virus scans take forever, pop-ups when I'm not on the internet. I have no speakers so I don't know if it plays music, but that would be odd.
Internet Speed Monitor is on my Add/Remove Programs list.
Files containing some variation of Internet Speed Monitor are:
C:\Documents and Settings\James\Start Menu\Programs\Internet Speed Monitor. This folder contains two shortcuts which refer to C:\Program Files\ISM, and that path doesn't exist.
Also, the general area where the Panda Scan failed both times was C:\Program Files\AOL\Active Virus Shield, in which every folder is stuffed with .tmp files I can't delete. They are all 0 KB, so that just seems fishy. There seems to be a lot of weird stuff in my folders.
( 1 )
Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
- Follow the Instruction Here for installation.
- Accept the License Agreement.
- Once the ActiveX installs, click Full System Scan
- Once the download completes, the scan will begin automatically.
- The scan will take some time to finish, so please be patient.
- When the scan completes, click the Automatic cleaning (recommended) button.
- Click the Show Report button and Copy&Paste the entire report in your next reply.
( 2 ) More information with a screenshot, can be found Here.
An error has occurred! Please close the scanner and your browser, then try again. (Id: 24)
So, I don't know what's going on with that. I am going to uninstall the AOL virus protection and install AVG if you think that's good. I want to see if it will delete all those tmp files.
And here is my uninstall list.
µTorrent
Abexo Free Registry Cleaner
Active Virus Shield
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Apple Software Update
AVG Anti-Spyware 7.5
Bejeweled Deluxe 1.6z
CCleaner (remove only)
Chuzzle Gold 1.0
COMODO Firewall Pro
DirectX 9 Hotfix - KB839643
Google Earth
HijackThis 2.0.2
Internet Speed Monitor
iPod for Windows 2006-01-10
iPod Updater 2004-08-06
iTunes
Java(TM) 6 Update 2
Kaspersky Online Scanner
Microsoft .NET Framework 1.1
Microsoft Broadband Networking
Microsoft Data Access Components KB870669
Mozilla Firefox (2.0.0.6)
MySpaceIM
Panda ActiveScan
PeerGuardian 2.0
QuickTime
Registry Mechanic 6.0
Sophos Anti-Rootkit 1.3
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q282010 for more information]
Windows XP Hotfix (SP1) [See Q307869 for more information]
Windows XP Hotfix (SP1) [See Q308210 for more information]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q310437 for more information]
Windows XP Hotfix (SP1) [See Q310510 for more information]
Windows XP Hotfix (SP1) [See Q311542 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q316397 for more information]
Windows XP Hotfix (SP1) [See Q317181 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q318388 for more information]
Windows XP Hotfix (SP1) [See Q318966 for more information]
Windows XP Hotfix (SP1) [See Q319322 for more information]
Windows XP Hotfix (SP1) [See Q319949 for more information]
Windows XP Hotfix (SP1) [See Q320174 for more information]
Windows XP Hotfix (SP1) [See Q320552 for more information]
Windows XP Hotfix (SP1) [See Q320678 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q323322 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
WinRAR archiver
WinZip
Wireless PCI Card Configuration Utility
XoftSpy
Zuma Deluxe 1.0
So, is it just me or is this something extra bad? I don't want to try to uninstall it, because god knows what that would set off. Thanks for helping me with this.
Also, jusched.exe tried accessing the internet today. I blocked it with Comodo, but I figured I would mention it since the firewall has been up for a week or so and that's the first time that happened.
I realize it's the Java automatic updater, but I don't know how to check where it's running from and I didn't want to give it approval, and I don't know how to ensure it's not that ism thing trying to get out another way.
See here : http://www.neuber.com/taskmanager/process/jusched.exe.html
No it's nothing too special.
You should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with DrWeb-CureIt as follows:
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
RegUBP2b-James.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\Documents and Settings\James\Desktop\Spyware Tools\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\James\Desktop\Spyware Tools\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
A0000302.reg;C:\System Volume Information\_restore{A62616A7-F67A-4EC2-9CF8-67022E9EE006}\RP4;Trojan.StartPage.1505;Deleted.;
( 1 )
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
( 2 )
Download GMER and Unzip it to the desktop.
Unzip it and double click the gmer.exe file
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-08-16 18:15:09
Windows 5.1.2600
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwUnloadKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[296]
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!ZwCallbackReturn + 20D4 804F73A0 8 Bytes [ B0, 0C, 44, F9, C0, FE, 43, ... ]
.text ntoskrnl.exe!ZwCallbackReturn + 2424 804F76F0 8 Bytes [ 4A, 11, 44, F9, B4, 0F, 44, ... ]
.text ntoskrnl.exe!KiDispatchInterrupt + BA 8052C6BA 7 Bytes JMP F936ED70 \??\C:\WINDOWS\System32\drivers\klif.sys
.text ntdll.dll!NtClose 77F5B458 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F5B5B8 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 77F5B5C8 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 77F5B5E8 5 Bytes JMP 72033FC8
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Comodo\Firewall\cpf.exe[496] ntdll.dll!LdrLoadDll 77F56EA1 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[496] ntdll.dll!LdrLoadDll + 4 77F56EA5 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[496] kernel32.dll!LoadLibraryExW 77E8CE3C 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
---- Threads - GMER 1.0.12 ----
Thread 4:120 FFB52D00
Thread 4:124 FFB52D00
Thread 4:128 FF901430
Thread 4:132 FF901430
Thread 4:136 FF901430
Thread 4:460 FFB52D00
Thread 4:712 FFB52D00
---- Files - GMER 1.0.12 ----
ADS F:\My Music\A Silver Mt. Zion\He Has Left Us Alone But Shafts Of Light\Long March Rocket Or Doomed Airliner.m4a:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
---- EOF - GMER 1.0.12 ----
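The "System" section of a GMER log like the one above lists one line per hooked SSDT (System Service Descriptor Table) entry, in the form `SSDT <driver path> <hooked service>`. The first triage question is which driver owns each hook: hooks from an installed security product's own drivers are expected, while a hook from a driver nobody can account for deserves a closer look. The following script is an added example for this thread, not GMER's code or anything the thread's helpers posted. It parses that section, groups hooks by driver file name, and flags owners that are not on an analyst-maintained allowlist. The allowlist (klif.sys and kl1.sys for Kaspersky, cmdmon.sys for COMODO Firewall Pro, guard.sys for AVG Anti-Spyware 7.5) is an assumption built from the products listed in the thread; the sample log is a constructed subset of the posted SSDT lines plus one line for a hypothetical driver, `example_unknown.sys`, that does not appear in the thread and exists only to exercise the flagging path.

```python
"""Triage the SSDT section of a GMER rootkit-scan log.

Added example for this thread, not GMER's own code. GMER prints one
'SSDT <driver path> <hooked service>' line per hooked System Service
Descriptor Table entry; which driver owns a hook decides whether it is
expected (an installed security product) or worth a closer look.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the SSDT lines from the GMER log posted in
# this thread, plus one line for a hypothetical driver (example_unknown.sys)
# that is NOT in the thread's log, added only to exercise the flagging path.
SAMPLE_GMER_LOG = r"""GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-08-16 18:15:09
Windows 5.1.2600
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys ZwCreateProcess
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\System32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\System32\drivers\example_unknown.sys ZwQueryDirectoryFile
---- Kernel code sections - GMER 1.0.12 ----
.text ntdll.dll!NtClose 77F5B458 5 Bytes JMP 72033FAA
---- EOF - GMER 1.0.12 ----
"""

# Owners of hooks that are expected on this machine, keyed by driver file name.
# This allowlist is an analyst's assumption built from the products listed in
# the thread (Kaspersky, COMODO Firewall Pro, AVG Anti-Spyware); GMER does not
# ship one. Maintain it per environment.
EXPECTED_HOOKERS = {
    "klif.sys": "Kaspersky",
    "kl1.sys": "Kaspersky",
    "cmdmon.sys": "COMODO Firewall Pro",
    "guard.sys": "AVG Anti-Spyware 7.5",
}

SECTION_HEADER = re.compile(r"^---- (?P<name>.+?) - GMER ")
# Driver paths may contain spaces, so the service is the last token and the
# driver is everything in between.
SSDT_LINE = re.compile(r"^SSDT\s+(?P<driver>.+?)\s+(?P<service>\S+)$")


def parse_ssdt_hooks(log_text):
    """Return one dict per SSDT hook found in the 'System' section of the log."""
    hooks = []
    in_system = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_HEADER.match(line)
        if header:
            in_system = header.group("name").lower() == "system"
            continue
        if not in_system:
            continue
        m = SSDT_LINE.match(line)
        if not m:
            continue
        driver = m.group("driver")
        # GMER prints NT-style paths (\??\C:\... or \SystemRoot\...); take the
        # file name after the last backslash. A bare name such as 'kl1.sys'
        # means GMER reported no path, which is worth noting during triage.
        basename = driver.rsplit("\\", 1)[-1].lower()
        hooks.append({
            "driver": driver,
            "basename": basename,
            "has_path": "\\" in driver,
            "service": m.group("service"),
            # 'SSDT[284]'-style entries are table indices GMER could not name.
            "named": not m.group("service").startswith("SSDT["),
        })
    return hooks


def summarize_hooks(hooks, expected=EXPECTED_HOOKERS):
    """Group hooks by driver file name and record whether the owner is expected."""
    summary = defaultdict(lambda: {"count": 0, "services": [], "paths": set(),
                                   "owner": None, "no_path": False})
    for h in hooks:
        entry = summary[h["basename"]]
        entry["count"] += 1
        entry["services"].append(h["service"])
        entry["paths"].add(h["driver"])
        entry["owner"] = expected.get(h["basename"])
        entry["no_path"] = entry["no_path"] or not h["has_path"]
    return dict(summary)


def unexpected_hookers(summary):
    """Driver file names that hook the SSDT but are not on the allowlist."""
    return sorted(name for name, e in summary.items() if e["owner"] is None)


if __name__ == "__main__":
    report = summarize_hooks(parse_ssdt_hooks(SAMPLE_GMER_LOG))
    for name, e in sorted(report.items()):
        owner = e["owner"] or "UNKNOWN - review"
        flag = " (no path reported)" if e["no_path"] else ""
        print(f"{name:22s} {e['count']:3d} hooks  owner: {owner}{flag}")
    print("needs review:", unexpected_hookers(report))
```

Run against the full log posted above, every hook resolves to klif.sys, kl1.sys, cmdmon.sys or guard.sys, which matches the security products in the installed-programs list; the allowlist is the part to adjust when the same script is used on a machine with different products.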
Could you post a fresh Panda active scan? Thank you.