Trojan Horse and/or Malware/Spyware

Unknown

Hi all,

I found this forum through a google search. I recently purchased Norton 360 because I had to renew my Norton virus definition subscription. Unfortunately, it doesn't let you scan individual files and I download a bunch of different stuff from the web. To make a long story short, I believe I have a virus and/or malware/spyware on my machine now.

I have since uninstalled Norton 360, installed and ran avast!, used search and destroy, used ad aware, used spyware blaster, and installed and use Zone Alarm. And even though I eliminated two trojan horses and several spyware programs, I am still having the same problems. I get random pop-ups with IE even when using Firefox, for some reason I am getting runtime errors when running Quicktime or any java apps (i.e. Yahoo Mail beta), and I get weird banner ads on Yahoo that I know for 100% certain they would never be on Yahoo's homepage (i.e. annoying flashing porn ads, etc.).

I've run through the Steps to Take Before Posting my Hijack (except for the online scans because I don't want to open IE). But still no luck. I am posting my Hijack file. Please anyone, help me get back to normal. Thanks.

************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:58 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{C6-6F-F3-3B-ZN}] C:\Documents and Settings\Me\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: TA_Start.lnk = C:\Documents and Settings\Me\Local Settings\Temp\thinksnet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: TA_Start.lnk = C:\Documents and Settings\Me\Local Settings\Temp\thinksnet.exe (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Me\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192720257625
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192720244812
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9371 bytes

giddup

Update:

I just wanted to give an update. Since my last post (a few hours ago), I rebooted my computer in safe mode and reran all the spyware programs and avast again. I was able to find a few more things (notably one thing that kept reappearing was ZenoSearch spyware). I removed everything I found and rebooted in normal mode.

I seem to have fixed my java issue and my quicktime issue as I haven't gotten any runtime errors since then. However, I notice two weird things with ZoneAlarm. First, when I connect with Firefox, two other programs try to access the internet (Internet Explorer and Windows Explorer) which leads me to believe I still have a trojan on my system. Second, over the last 10 minutes, I have had over 30 attempts to connect to my PC which ZoneAlarm has blocked (most were medium alerts, but at least 10 were high alerts). I have even changed my IP address and I still get these alerts. Again, this does not seem normal and leads me to believe that my system is still out of wack.

I was going to post an update of my Hijack log file, but now when I try and run the system scan and log at the same time the program crashes. Again, leading my to believe my system is messed up.

I have tried reading some of the other posters' issues on the forum and I am wondering if it would just be easier to completely wipe out my system and start over? Advice please?

giddup

Another update 10/21/07: I have run the FixVundo.exe from Symantec thinking that I might have the Vundo trojan, but it didn't find anything. Still can't run HijackThis with saving the log file without it crashing.

giddup

Okay yet another update (I promise I am not trying to bump my thread). I downloaded SuperAntiSpyware as I have been running out of hope. Surprisingly, it found 35 issues! Most were Vundo, Trojan NewJuan, and ZenoSearch. I rescanned after cleaning those up and so far no issues, but I don't think I am clear yet. Here is the log from the SuperAntiSpyware scan:


**************


SUPERAntiSpyware Scan Log

Generated 10/21/2007 at 07:06 PM

Application Version : 3.9.1008

Core Rules Database Version : 3328
Trace Rules Database Version: 1329

Scan type : Complete Scan
Total Scan Time : 00:49:33

Memory items scanned : 458
Memory threats detected : 2
Registry items scanned : 6680
Registry threats detected : 11
File items scanned : 52540
File threats detected : 22

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\VTSTS.DLL
C:\WINDOWS\SYSTEM32\VTSTS.DLL
HKLM\Software\Classes\CLSID\{89AD4D75-2429-462e-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{EB9F1976-47E8-4974-9808-91135292DB1A}
HKCR\CLSID\{EB9F1976-47E8-4974-9808-91135292DB1A}
HKCR\CLSID\{EB9F1976-47E8-4974-9808-91135292DB1A}\InprocServer32
HKCR\CLSID\{EB9F1976-47E8-4974-9808-91135292DB1A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89AD4D75-2429-462e-BD4E-443F233F6033}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EB9F1976-47E8-4974-9808-91135292DB1A}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\XEBLSFPG.DLL
C:\WINDOWS\SYSTEM32\XEBLSFPG.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Me\Cookies\me@interclick[2].txt
C:\Documents and Settings\Me\Cookies\me@shortmedia.us.intellitxt[1].txt
C:\Documents and Settings\Me\Cookies\me@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Me\Cookies\me@ads.revsci[1].txt

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax

Adware.ZenoSearch-NVON
C:\DOCUMENTS AND SETTINGS\ME\LOCAL SETTINGS\TEMP\THINKSNET.EXE
C:\DOCUMENTS AND SETTINGS\ME\START MENU\PROGRAMS\STARTUP\TA_START.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1031\A0109270.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1031\A0109278.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1031\A0109744.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1031\A0109745.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1036\A0109886.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1036\A0109887.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1036\A0109907.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1037\A0109935.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1038\A0109962.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1038\A0109963.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1038\A0110964.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1038\A0110999.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1038\A0111055.LNK

peku006

Hi giddup and welcome to Icrontic Spyware & Virus Removal

Step 1 RENAME HIJACKTHIS

Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe & select Rename to scanner.exe

---

Step 2: Download and Run ComboFix

• Download this file from either of the two below listed places :
  
  http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
• Then double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please, post these logs:
combofix.txt
a fresh hjT log

giddup

Peku006,

Thanks so much for replying. I have followed your directions exactly. Below is the new HijackThis log.

***********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:47 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\hggfcay.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{C6-6F-F3-3B-ZN}] C:\Documents and Settings\Me\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192720257625
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192720244812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggfcay - C:\WINDOWS\SYSTEM32\hggfcay.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10266 bytes

giddup

Here is my ComboFix Log:

*********************
ComboFix 07-10-23.2 - Me 2007-10-22 19:18:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.123 [GMT -7:00]
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\fCOe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ebligatk.dll
C:\WINDOWS\SYSTEM32\kjkmp.bak1
C:\WINDOWS\SYSTEM32\kjkmp.ini
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\SYSTEM32\siiruwgy.ini
C:\WINDOWS\SYSTEM32\ststv.bak1
C:\WINDOWS\SYSTEM32\ststv.ini
C:\WINDOWS\SYSTEM32\ststv.ini2
C:\WINDOWS\system32\ygwuriis.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-22 19:16 51,200 --a

---

C:\WINDOWS\NirCmd.exe
2007-10-21 20:02 <DIR> d

---

C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-10-21 18:14 <DIR> d

---

C:\Program Files\SUPERAntiSpyware
2007-10-21 18:14 <DIR> d

---

C:\Documents and Settings\Me\Application Data\SUPERAntiSpyware.com
2007-10-21 18:13 <DIR> d

---

C:\Program Files\Common Files\Wise Installation Wizard
2007-10-21 02:23 <DIR> d

---

C:\WINDOWS\SYSTEM32\ActiveScan
2007-10-20 22:10 1,888,288 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-10-20 21:20 <DIR> d

---

C:\Program Files\Trend Micro
2007-10-20 17:29 <DIR> d

---

C:\Program Files\Alwil Software
2007-10-20 17:29 801,144 --a

---

C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-10-20 17:29 95,608 --a

---

C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-10-20 17:29 94,416 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-10-20 17:29 92,848 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-10-20 17:29 42,912 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-10-20 17:29 26,624 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-10-20 17:29 23,152 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-10-19 23:03 34,304 --a

---

C:\WINDOWS\SYSTEM32\hggfcay.dll
2007-10-18 09:21 <DIR> d

---

C:\Program Files\Norton 360
2007-10-18 09:04 <DIR> d

---

C:\Documents and Settings\All Users\Symantec Temporary Files
2007-10-18 08:17 582,656

---

C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-09-27 14:05 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-09-27 14:05 <DIR> d

---

C:\Program Files\Western Digital Technologies
2007-09-27 14:05 <DIR> d

---

C:\Program Files\DIFX
2007-09-27 14:05 364,544 --a

---

C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
2007-09-27 14:05 10,112 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\wdcsam.sys
2007-09-25 18:57 <DIR> d

---

C:\Program Files\Orbitdownloader
2007-09-25 18:57 <DIR> d

---

C:\Downloads
2007-09-25 18:57 <DIR> d

---

C:\Documents and Settings\Me\Application Data\Orbit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 02:25 25,268 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-22 02:51

---

d

---

w C:\Program Files\Java
2007-10-21 02:36

---

d

---

w C:\Program Files\SpywareBlaster
2007-10-20 23:43

---

d

---

w C:\Program Files\EphPod
2007-10-20 23:38

---

d

---

w C:\Program Files\Common Files\Symantec Shared
2007-10-20 23:36

---

d

---

w C:\Program Files\Symantec
2007-09-06 23:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-08-24 03:34

---

d

---

w C:\Program Files\eMule
2001-06-20 23:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
2004-09-30 04:57:32 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{232D2677-68EE-4FA1-B988-279EBC8969ED}]
2007-10-19 23:03 34304 --a

---

C:\WINDOWS\system32\hggfcay.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 10:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 20:35]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 09:43]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 08:43]
"P17Helper"="P17.dll" [2004-06-10 09:51 C:\WINDOWS\SYSTEM32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 18:05]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 17:38]
"WD Button Manager"="WDBtnMgr.exe" [2007-09-27 14:10 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-18 20:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-20 19:03]
"{C6-6F-F3-3B-ZN}"="C:\Documents and Settings\Me\Local Settings\Temp\thinksnet.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{232D2677-68EE-4FA1-B988-279EBC8969ED}"= C:\WINDOWS\system32\hggfcay.dll [2007-10-19 23:03 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfcay]
hggfcay.dll 2007-10-19 23:03 34304 C:\WINDOWS\SYSTEM32\hggfcay.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 NEOFLTR_510_10575;Juniper Networks TDI Filter Driver (NEOFLTR_510_10575);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_510_10575.SYS
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\DRIVERS\wdcsam.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56faebc2-6b07-11dc-954e-00038a000015}]
AutoRun\command - F:\wd_windows_tools\WDEULA.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer
Rootkit scan 2007-10-22 19:29:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 19:31:19 - machine was rebooted
.
--- E O F ---

peku006

Hi giddup
Please do the following...

Step 1: Remove bad HijackThis entries

• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  
  
  O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\hggfcay
  O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  O4 - HKLM\..\Run: [{C6-6F-F3-3B-ZN}] C:\Documents and Settings\Me\Local Settings\Temp\thinksnet.exe CHD003
  O20 - Winlogon Notify: hggfcay - C:\WINDOWS\SYSTEM32\hggfcay.dll
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

---

Step 2: Run ComboFix
Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\hggfcay.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{232D2677-68EE-4FA1-B988-279EBC8969ED}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfcay] 
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot),

---

Step 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

---

Step 4: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• The program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.

After you have completed the above, please provide:
Combofix.txt
Kaspersky Online Scanner report
new HijackThis log
description of any problems you are having with your PC

giddup

Peku006,

Thanks again for the reply! I have followed all of your instructions to the word, except for the Kaspersky Online Scan. I am going to run that before I sleep and will then post that log.

Here is the new ComboFix Log:

****************
ComboFix 07-10-23.2 - Me 2007-10-23 0:10:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.137 [GMT -7:00]
Running from: C:\Documents and Settings\Me\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Me\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\SYSTEM32\hggfcay.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\hggfcay.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-22 19:16 51,200 --a

---

C:\WINDOWS\NirCmd.exe
2007-10-21 20:02 <DIR> d

---

C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-10-21 18:14 <DIR> d

---

C:\Program Files\SUPERAntiSpyware
2007-10-21 18:14 <DIR> d

---

C:\Documents and Settings\Me\Application Data\SUPERAntiSpyware.com
2007-10-21 18:13 <DIR> d

---

C:\Program Files\Common Files\Wise Installation Wizard
2007-10-21 02:23 <DIR> d

---

C:\WINDOWS\SYSTEM32\ActiveScan
2007-10-20 22:10 2,007,072 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-10-20 21:20 <DIR> d

---

C:\Program Files\Trend Micro
2007-10-20 17:29 <DIR> d

---

C:\Program Files\Alwil Software
2007-10-20 17:29 801,144 --a

---

C:\WINDOWS\SYSTEM32\aswBoot.exe
2007-10-20 17:29 95,608 --a

---

C:\WINDOWS\SYSTEM32\AvastSS.scr
2007-10-20 17:29 94,416 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2007-10-20 17:29 92,848 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2007-10-20 17:29 42,912 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2007-10-20 17:29 26,624 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2007-10-20 17:29 23,152 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2007-10-18 09:21 <DIR> d

---

C:\Program Files\Norton 360
2007-10-18 09:04 <DIR> d

---

C:\Documents and Settings\All Users\Symantec Temporary Files
2007-10-18 08:17 582,656

---

C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2007-09-27 14:05 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
2007-09-27 14:05 <DIR> d

---

C:\Program Files\Western Digital Technologies
2007-09-27 14:05 <DIR> d

---

C:\Program Files\DIFX
2007-09-27 14:05 364,544 --a

---

C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
2007-09-27 14:05 10,112 --a

---

C:\WINDOWS\SYSTEM32\DRIVERS\wdcsam.sys
2007-09-25 18:57 <DIR> d

---

C:\Program Files\Orbitdownloader
2007-09-25 18:57 <DIR> d

---

C:\Downloads
2007-09-25 18:57 <DIR> d

---

C:\Documents and Settings\Me\Application Data\Orbit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 07:16 26,660 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-22 02:51

---

d

---

w C:\Program Files\Java
2007-10-21 02:36

---

d

---

w C:\Program Files\SpywareBlaster
2007-10-20 23:43

---

d

---

w C:\Program Files\EphPod
2007-10-20 23:38

---

d

---

w C:\Program Files\Common Files\Symantec Shared
2007-10-20 23:36

---

d

---

w C:\Program Files\Symantec
2007-09-06 23:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-08-24 03:34

---

d

---

w C:\Program Files\eMule
2001-06-20 23:19 40,960 ----a-w C:\Program Files\ACMonitor_X83.exe
2004-09-30 04:57:32 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-22_19.30.44.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-23 07:17:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_130.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 10:16]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 20:35]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 09:43]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 08:43]
"P17Helper"="P17.dll" [2004-06-10 09:51 C:\WINDOWS\SYSTEM32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 23:00]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 23:01]
"DwlClient"="c:\Program Files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 18:05]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 17:38]
"WD Button Manager"="WDBtnMgr.exe" [2007-09-27 14:10 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-18 20:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-20 19:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 NEOFLTR_510_10575;Juniper Networks TDI Filter Driver (NEOFLTR_510_10575);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_510_10575.SYS
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbscan.sys
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\DRIVERS\wdcsam.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56faebc2-6b07-11dc-954e-00038a000015}]
AutoRun\command - F:\wd_windows_tools\WDEULA.exe

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 00:17:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 0:20:40 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-22 19:31
.
--- E O F ---

giddup

Here is my updated HiJackThis Log:

***********************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:16 AM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\WDBtnMgr.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192720257625
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192720244812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9616 bytes

giddup

Like I said, I will run the K Online scan and post in the morning. Other than that I haven't noticed any unusual attempts to connect to the internet from unauthorized programs, no pop ups when running Firefox now (knock on wood), and things appear to be going well.

I really appreciate you taking the time to help me out--and this forum has really been a life saver.

I'll post the K Online Scan later. Thanks.

giddup

Here is my Kaspersky Online Scan:

**************

---

KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 23, 2007 8:14:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/10/2007
Kaspersky Anti-Virus database records: 443077

---

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 120678
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:39:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-10-23_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Me\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Me\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Me\Local Settings\History\History.IE5\MSHist012007102320071024\index.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Temp\Perflib_Perfdata_35c.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Temp\Perflib_Perfdata_b9c.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Me\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Me\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ebligatk.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ygwuriis.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1040\A0112130.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aea skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1042\A0112250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1042\A0112252.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1043\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MBED.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_130.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT068ff.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06902.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1043\change.log Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1043\change.log Object is locked skipped

Scan process completed.

peku006

Hi giddup

Congratulations you are clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point:

• Go to Start > All Programs > Accessories > System Tools > System Restore
• Select Create a restore point, and Ok it.
• Next, go to Start > Run and type in cleanmgr
• Select the More options tab
• Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Ad-aware 2007
Download it from here
Find here the tutorial on how to use Adaware properly here

Spybot Search and Destroy 1.5.1
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here
Find here changes from older version 1.4 here

Install Spyware Guard
Download it from here
Find here the tutorial on how to use Spyware Guard here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!

giddup

Hi Peku,

Thanks so much for your help. A few questions. First, the Kaspersky Online Scan said that it detected 2 viruses and 5 objects (see my log). Should I not do anything about these? I recently downloaded a new avant! virus definition and when I ran the scan again it said it found a virus (I renamed it and moved it into the Chest). Are these just false alarms?

Second, I am thinking about purchasing the Zaspersky Security Suite (it contains the Zaspersky Anti-Virus and the Zone Alarm premium). Is this the best main stream consumer security suite? Or will avant! and the regular Zone Alarm be exactly the same?


Thanks again!

peku006

Hi giddup ....... again

First, the Kaspersky Online Scan said that it detected 2 viruses and 5 objects (see my log). Should I not do anything about these? I recently downloaded a new avant! virus definition and when I ran the scan again it said it found a virus (I renamed it and moved it into the Chest). Are these just false alarms?

Kaspersky Online Scan

1.C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ebligatk.d ll.vir

---

> AdWare.Win32.Virtumonde.ady skipped
2. C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\ygwuriis.d ll.vir

---

> AdWare.Win32.Virtumonde.ady skipped
3. C:\qoobox\Quarantine{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1040\A0112130.dll

---

> AdWare.Win32.Virtumonde.aea skipped
4. C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1042\A0112250.dll

---

> AdWare.Win32.Virtumonde.ady skipped
5. C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1042\A0112252.dll

---

> AdWare.Win32.Virtumonde.ady skipped

ComboFix create a folder called QooBox in C: (C:\QooBox)
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete that “QooBox” folder

This is a good time to clear your existing system restore points and establish a new clean restore point:

==============================================================

Second, I am thinking about purchasing the Zaspersky Security Suite (it contains the Zaspersky Anti-Virus and the Zone Alarm premium). Is this the best main stream consumer security suite? Or will avant! and the regular Zone Alarm be exactly the same?

I'm Sorry, I Don't Know Anything About Zaspersky Security Suite

some Anti Virus products which are free for personal use and most used:
AntiVir
Avast
BitDefender

some Firewall products which are free for personal use and most used:
Comodo
Kerio
ZoneAlarm
:smiles:

giddup

Okay, deleted all the previous restore points and created a brand new restore point, and I deleted the qoobox.

Again, I appreciate all your help.

Mods, this topic has been resolved and can be moved, thanks to Peku!

peku006

Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

If you are not the user who started this thread, you must start a new Thread instead

Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available here