
Spyware, Malware, Trojans, Virii, I think I've got it all!

Please help! :confused:

Symptoms include:

Desktop replaced with teal colored background that states "Warning: Spyware threat has been detected on your PC" with a link to scan for spyware

Frequent fake alerts popping up in the system tray with messages such as "Your computer is working slowly", "Warning: Your computer is affected with spyware", "Internet attack attempt detected", etc.

Bogus Windows Security Center pop ups.

Ctrl-Alt-Del produces "Task Manager has been disabled by your administrator"

I went through the steps to do before posting a HJT log. I have Panda ActiveScan and Kaspersky logs if needed.

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:03 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [voV0HCStd9] rundll32.exe "C:\WINDOWS\levermjo.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134950895296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6046 bytes

Awaiting reply, thanks in advance!

Joe
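As an added example that is not part of the original post or of HijackThis itself: a small Python triage script for the log format above. It flags the three entry types in this log that a helper looks at first (the extra executable in the F2 UserInit chain, the O2 BHOs with no file behind them, and the O4 autorun under Policies\Explorer\Run); the rules, the assumed default userinit.exe path, and the sample lines (copied from the log above) are my own construction.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Policies\Explorer\Run: [voV0HCStd9] rundll32.exe "C:\WINDOWS\levermjo.dll",DllCleanServer
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section tag (R0, F2, O2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.+)$")

# The only program that belongs in the UserInit chain on Windows XP
# (assumption: default install path, compared case-insensitively).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_hjt(text):
    """Return the typed entries of a HijackThis log as dicts; header lines and
    the running-process list carry no section tag and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("sec"),
                            "body": m.group("body"),
                            "raw": line.strip()})
    return entries


def check_userinit(body):
    """F2 rule: everything in the comma-separated UserInit value other than the
    real userinit.exe is started at every logon and has to be explained."""
    if "UserInit=" not in body:
        return None
    value = body.split("UserInit=", 1)[1]
    programs = [p.strip().lower() for p in value.split(",") if p.strip()]
    extra = [p for p in programs if p != LEGIT_USERINIT]
    if extra:
        return "UserInit chain loads extra program(s): " + ", ".join(extra)
    return None


def triage(entries):
    """Apply the per-section rules and return (section, reason, raw line) tuples."""
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        reason = None
        if sec == "F2":
            reason = check_userinit(body)
        elif sec == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: the CLSID is still listed but its DLL is gone.
            reason = "orphaned BHO registration (file missing)"
        elif sec == "O4" and r"\Policies\Explorer\Run" in body:
            # Autorun under the Policies key, a location seldom used by legitimate software.
            reason = "autorun registered under Policies\\Explorer\\Run, verify the target"
        if reason:
            findings.append((sec, reason, e["raw"]))
    return findings


if __name__ == "__main__":
    for sec, reason, raw in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sec}] {reason}\n    {raw}")
```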

Comments

  • gringo_pr Puerto Rico
    edited March 2008
    Hello and Welcome to the forums!

    My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

    Please reply to this thread, do not start another.
    Please tell me about any problems that have occurred during the fix.
    Please tell me of any other symptoms you may be having as these can help also.
    Please try as much as possible not to run anything while executing a fix.

    As I am still in training, everything that I post to you, must be checked by one of the teachers. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

    If you follow these instructions, everything should go smoothly.

    We are currently looking at your log now and will be back as soon as possible with your instructions.
    While you are waiting, one other thing that can be of good use is an uninstall list, so please do the following:

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.


    Gringo
  • edited March 2008
    I have actually made some progress on my own, no longer getting the fake notifications or pop-ups. I still cannot access the Task Manager though.
    I will post an updated HJT log and uninstall list.

    HJT
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:36:11 PM, on 3/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Program Files\AIM\aim.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    D:\Program Files\mIRC\mirc.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
    O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
    O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
    O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
    O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
    O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
    O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
    O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
    O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
    O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
    O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
    O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
    O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
    O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKLM\..\Policies\Explorer\Run: [voV0HCStd9] rundll32.exe "C:\WINDOWS\levermjo.dll",DllCleanServer
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134950895296
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 6396 bytes



    Here is the uninstall list.
    3Com HomeConnect PC Digital Camera Utilities (Remove only)
    7-Zip 4.32
    Ad-Aware SE Personal
    Adobe Acrobat 4.0
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player Plugin
    Adobe Photoshop 6.0
    Adobe Shockwave Player
    Adobe SVG Viewer
    AOL Instant Messenger
    ATI - Software Uninstall Utility
    Auto Gordian Knot 2.45
    AVG Free Edition
    AviSynth 2.5
    BitPim 1.0.0
    CD_DRV_81
    Collectorz.com Music Collector
    Creative System Information
    DefilerPak 1.22 (Remove Only)
    Defraggler (remove only)
    Digital Guitar Tuner
    DivX Content Uploader
    DivX Web Player
    DivxToDVD 0.5.2
    DVD Profiler Version 2.4.0
    DVD Shrink 3.2
    Exact Audio Copy 0.95b3
    Eye Candy 3
    Game Elements PC Recoil Pad
    GetDiz 4.0
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hoyle Card Games 2005
    Hoyle Friday Night Poker
    IrfanView (remove only)
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 5
    Kaspersky Online Scanner
    LGUsbDriver
    Logitech iTouch Software
    Microsoft .NET Framework 2.0
    Microsoft Office 2000 Premium
    mIRC
    Mozilla Firefox (2.0.0.12)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    Nero 6 Ultra Edition
    NVIDIA Drivers
    Panda ActiveScan
    Photo Viewer
    Porrasturvat - Stair Dismount
    Power Tab Editor 1.7
    PowerDVD
    PureVoice
    QuickTime
    QuickTime Alternative 1.68
    Realtek AC'97 Audio
    Rolling Stone - Cover to Cover
    Sam Spade version 1.14
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB946026)
    Sid Meier's SimGolf
    Sony USB Driver
    SoulSeek 157 test 8
    Sound Blaster Live! 24-bit
    Spybot - Search & Destroy
    SpywareBlaster 4.0
    Syntax Rebels Mass Text Replacer
    The Game Of Life
    Truck Dismount (remove only)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Uplink
    VIA Rhine-Family Fast Ethernet Adapter
    Winamp
    Windows Driver Package - (mr7910) Image (08/08/2006 1.4.0.0)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinRAR archiver
    WinZip
    World of Warcraft
    XviD MPEG4 Video Codec (remove only)
    Yahoo! Messenger
    ZoneAlarm
  • gringo_pr Puerto Rico
    edited March 2008
    Hello ZoSo

    :run combofix:
    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    1. Close any open browsers.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



    :information and logs:

      In your next post I need the following:
      1. ComboFix log
      2. New HijackThis log


    Gringo
  • edited March 2008
    ComboFix log:

    ComboFix 08-03-10.1 - ZoSo 2008-03-10 23:51:28.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.621 [GMT -4:00]
    Running from: C:\Documents and Settings\ZoSo\Desktop\ComboFix.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\ZoSo\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\ZoSo\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\ZoSo\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Program Files\Common Files\crosof~1
    C:\Program Files\Common Files\crosof~1\??crosoft\
    C:\Program Files\Common Files\crosof~1\taskmgr.exe
    C:\Program Files\seekmo
    C:\Program Files\seekmo\seekmohook.dll
    C:\WINDOWS\180ax.exe
    C:\WINDOWS\2020search.dll
    C:\WINDOWS\2020search2.dll
    C:\WINDOWS\bjam.dll
    C:\WINDOWS\bokja.exe
    C:\WINDOWS\cdsm32.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\Downloaded Program Files\Quarantine
    C:\WINDOWS\mspphe.dll
    C:\WINDOWS\mssvr.exe
    C:\WINDOWS\PerfInfo
    C:\WINDOWS\PerfInfo\voV0HCStd9wp.exe.bak
    C:\WINDOWS\saiemod.dll
    C:\WINDOWS\salm.exe
    C:\WINDOWS\stcloader.exe
    C:\WINDOWS\swin32.dll
    C:\WINDOWS\system32\appatc~1
    C:\WINDOWS\system32\appatc~1\w?nlogon.exe
    C:\WINDOWS\system32\msixu.dll
    C:\WINDOWS\system32\wer8274.dll
    C:\WINDOWS\updatetc.exe
    C:\WINDOWS\voiceip.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
    .
    2008-03-10 01:52 . 2008-03-10 01:58 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\gtk-2.0
    2008-03-10 01:51 . 2008-03-10 01:53 <DIR> d-------- C:\Documents and Settings\ZoSo\avidemux
    2008-03-09 17:51 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-03-09 14:05 . 2008-03-09 14:05 <DIR> d-------- C:\WINDOWS\FLEOK
    2008-03-09 14:05 . 2008-03-09 14:05 <DIR> d-------- C:\Program Files\zango
    2008-03-09 14:05 . 2008-03-09 14:05 <DIR> d-------- C:\Program Files\180solutions
    2008-03-09 14:05 . 2008-03-09 14:05 <DIR> d-------- C:\Program Files\180searchassistant
    2008-03-09 14:05 . 2008-03-09 14:05 <DIR> d-------- C:\Program Files\180search assistant
    2008-03-09 14:02 . 2008-03-10 23:52 5,611,552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-03-09 14:02 . 2008-03-09 17:33 58,136 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-03-09 14:00 . 2008-03-09 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-03-09 14:00 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-03-09 14:00 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-03-09 14:00 . 2008-03-09 14:01 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-03-09 13:59 . 2008-03-09 14:00 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2008-03-09 13:59 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2008-03-09 13:59 . 2008-03-09 17:34 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
    2008-03-09 13:58 . 2008-03-10 23:24 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-03-09 13:52 . 2008-03-09 17:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-09 10:16 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
    2008-03-09 03:15 . 2008-03-09 03:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-03-09 03:14 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-09 00:49 . 2008-03-09 02:46 283 --a------ C:\WINDOWS\wininit.ini
    2008-03-09 00:27 . 2008-03-09 00:27 <DIR> d-------- C:\Program Files\Sysmnt
    2008-03-09 00:27 . 2008-03-09 00:27 <DIR> d-------- C:\Program Files\stc
    2008-03-08 15:30 . 2008-03-08 15:30 30,976 --a------ C:\WINDOWS\ati2dvag32.dll
    2008-03-08 15:17 . 2008-03-08 15:17 3,805,830 --a------ C:\WINDOWS\voV0HCStd9.exe
    2008-03-08 15:16 . 2008-03-08 15:16 <DIR> d-------- C:\WINDOWS\cuwflltt
    2008-03-08 15:16 . 2008-03-08 15:16 178,688 --a------ C:\WINDOWS\levermjo.dll
    2008-03-08 15:16 . 2008-03-08 15:16 46,592 --a------ C:\WINDOWS\qjinqtgh.exe
    2008-03-08 15:15 . 2008-03-08 15:15 295,819 --a------ C:\WINDOWS\system32\L5C68.tmp
    2008-03-08 15:15 . 2008-03-08 15:15 4 --a------ C:\WINDOWS\system32\winfrun32.bin
    2008-03-07 23:09 . 2008-03-07 23:09 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\Outertech
    2008-03-07 22:48 . 2008-03-07 22:48 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-11 03:26 d-----w C:\Documents and Settings\ZoSo\Application Data\uTorrent
    2008-03-09 21:51 d-----w C:\Program Files\Java
    2008-03-09 18:52 d-----w C:\Documents and Settings\ZoSo\Application Data\AVG7
    2008-03-09 14:24 d-----w C:\Program Files\Google
    2008-03-09 06:49 d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-08 19:31 30,208 ----a-w C:\WINDOWS\system32\MSNSA32.dll
    2008-03-08 19:31 29,696 ----a-w C:\WINDOWS\msapasrc.dll
    2008-03-08 19:31 28,160 ----a-w C:\WINDOWS\system32\SIPSPI32.dll
    2008-03-08 19:31 22,784 ----a-w C:\WINDOWS\shdocpe.dll
    2008-03-08 19:31 20,992 ----a-w C:\WINDOWS\system32\ntnut32.exe
    2008-03-08 19:31 20,480 ----a-w C:\WINDOWS\msa64chk.dll
    2008-03-08 19:31 18,688 ----a-w C:\WINDOWS\ntnut.exe
    2008-03-08 19:31 14,848 ----a-w C:\WINDOWS\shdocpl.dll
    2008-03-08 19:31 10,752 ----a-w C:\WINDOWS\system32\shdocpe.dll
    2008-02-03 05:50 d-----w C:\Program Files\Common Files\Blizzard Entertainment
    2008-01-22 06:41 d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-22 06:41 d-----w C:\Program Files\ATI Multimedia
    2006-03-23 04:02 89 ----a-w C:\Program Files\INSTALL.LOG
    1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="D:\Program Files\AIM\aim.exe" [2003-08-01 11:31 61440]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 09:51 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-01-20 08:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
    "CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
    "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
    "AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:50 579072]
    "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-12-14 08:39 282624]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 10:04 219136]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "voV0HCStd9"= rundll32.exe "C:\WINDOWS\levermjo.dll",DllCleanServer
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    --a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-12-14 08:39 282624 D:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPdefender]
    C:\Program Files\XPdefender\XPdefender.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Documents and Settings\\ZoSo\\Desktop\\utorrent.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "D:\\Program Files\\AIM\\aim.exe"=
    "F:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
    "D:\\Program Files\\Soulseek-Test\\slsk.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    R2 ViCAM;ViCAM;C:\WINDOWS\system32\drivers\ViCAM.sys [1999-04-15 16:17]
    R3 VICAMUSB;3Com HomeConnect USB Camera;C:\WINDOWS\system32\drivers\vicamusb.sys [1999-04-27 13:52]
    S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.SYS [2000-08-11 03:24]
    S3 cusbohcn;cusbohcn;C:\DOCUME~1\ZoSo\LOCALS~1\Temp\cusbohcn.sys []
    S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2002-10-15 16:03]
    S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2002-10-15 16:05]
    S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2002-10-15 16:07]
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-10 23:52:45
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-03-10 23:53:11
    ComboFix-quarantined-files.txt 2008-03-11 03:53:09
    .
    2008-02-28 17:23:46 --- E O F ---


    HJT Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:58:33 PM, on 3/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    D:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKLM\..\Policies\Explorer\Run: [voV0HCStd9] rundll32.exe "C:\WINDOWS\levermjo.dll",DllCleanServer
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134950895296
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 5604 bytes
  • gringo_pr, Puerto Rico
    edited March 2008
    hello ZoSo

    P2P Warning!

    IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    uTorrent

    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm
    See Clean/Infected P2P Programs here

    I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    If you wish to keep it, please do not use it until your computer is cleaned.

    :Run CFScript:

    Open Notepad and copy/paste the text in the box into the window:
    KILLALL::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "voV0HCStd9"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XPdefender]
    
    File::
    C:\WINDOWS\levermjo.dll
    C:\WINDOWS\qjinqtgh.exe
    C:\WINDOWS\system32\L5C68.tmp
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\system32\MSNSA32.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\voV0HCStd9.exe
    
    Folder::
    C:\WINDOWS\cuwflltt
    C:\WINDOWS\FLEOK
    C:\Program Files\zango
    C:\Program Files\180solutions
    C:\Program Files\180searchassistant
    C:\Program Files\180search assistant
    


    Save it to your desktop as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe.
    This will let ComboFix run again.
    Restart if you have to.
    Save the produced logfile to your desktop.

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall


    : Malwarebytes' Anti-Malware :

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    :Run Kaspersky Online AV Scanner:

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Copy and paste the report into your next reply

    :information and logs:

    In your next post I need the following:
    1. log from ComboFix
    2. log from MBAM
    3. log from Kaspersky
    4. let me know how the computer is doing


    Gringo
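The persistence signs that the CFScript above targets (the loader under Policies\Explorer\Run, the rundll32 call against a DLL dropped straight into C:\WINDOWS, the driver registered from a Temp folder, and the Userinit chaining seen in the first HijackThis log) can be spotted mechanically before anyone hand-writes a fix script. The Python below is an added example written for this page; it is not a tool from the thread, from gringo, or from the HijackThis/ComboFix authors. It assumes the English HijackThis 2.0 line format (F2/O4 prefixes) and ComboFix's `R2 name;display;path` driver lines, and that Windows lives in X:\WINDOWS; its sample input is constructed from lines posted in this thread plus a few known-good entries that must not be flagged.

```python
"""Triage HijackThis / ComboFix log lines for the persistence tricks seen in this thread.

Added example, not a tool from the thread.  Assumes (a) English HijackThis 2.0
F2/O4 line layout, (b) ComboFix "R2 name;display;path" driver lines, and
(c) a Windows directory named X:\WINDOWS (adjust the pattern for WINNT installs).
"""
import re

# (finding name, severity, pattern).  "high" = act on it, "info" = verify by hand.
CHECKS = [
    # Winlogon Userinit: anything chained after userinit.exe runs at every logon.
    ("userinit_chain", "high",
     re.compile(r"UserInit=(?P<val>.+)$", re.I)),
    # Policies\Explorer\Run is a group-policy run key that ordinary installers
    # almost never touch; rogue antispyware loaders use it to survive reboots.
    ("policies_explorer_run", "high",
     re.compile(r"\\Policies\\Explorer\\Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$", re.I)),
    # rundll32 loading a DLL that sits directly in %WINDIR% rather than system32.
    ("rundll32_windir_dll", "high",
     re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Z]:\\WINDOWS\\[^\\"]+\.dll)"?', re.I)),
    # A kernel driver whose image lives under a Temp directory.
    ("driver_in_temp", "high",
     re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>[^\[]*\\Temp\\[^\[]*)", re.I)),
    # Security Center told to stop watching a product.  ZoneAlarm legitimately
    # sets this for its own firewall, so it is only a prompt to check the key.
    ("security_center_unmonitored", "info",
     re.compile(r'"DisableMonitoring"=dword:0*1$', re.I)),
]


def triage(log_text):
    """Return [(finding, severity, detail), ...] for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, severity, rx in CHECKS:
            m = rx.search(line)
            if not m:
                continue
            if name == "userinit_chain":
                # The clean value is a single userinit.exe entry plus a trailing comma.
                parts = [p.strip() for p in m.group("val").split(",") if p.strip()]
                extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
                if not extra:
                    continue  # default value, nothing chained
                detail = "; ".join(extra)
            elif name == "policies_explorer_run":
                detail = m.group("name") + " -> " + m.group("cmd")
            elif name == "rundll32_windir_dll":
                detail = m.group("dll")
            elif name == "driver_in_temp":
                detail = m.group("svc") + " -> " + m.group("path").strip()
            else:
                detail = line
            findings.append((name, severity, detail))
    return findings


# Constructed sample: lines copied from the logs posted in this thread, plus
# ordinary entries (AVG, the NVIDIA rundll32 call, the ViCAM driver) that
# must NOT be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Policies\Explorer\Run: [voV0HCStd9] rundll32.exe "C:\WINDOWS\levermjo.dll",DllCleanServer
R2 ViCAM;ViCAM;C:\WINDOWS\system32\drivers\ViCAM.sys [1999-04-15 16:17]
S3 cusbohcn;cusbohcn;C:\DOCUME~1\ZoSo\LOCALS~1\Temp\cusbohcn.sys []
"DisableMonitoring"=dword:00000001
"""

if __name__ == "__main__":
    for name, severity, detail in triage(SAMPLE_LOG):
        print(f"[{severity:4}] {name}: {detail}")
```

Run it as-is to see the five hits from the sample; point it at a saved hijackthis.log or ComboFix.txt by reading the file into `triage()`. The "high" findings map one-to-one onto entries the CFScript removes; the "info" finding is only a reminder to look at which product key carries `DisableMonitoring`, since a third-party firewall such as ZoneAlarm sets it on purpose.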
  • edited March 2008
    ComboFix

    ComboFix 08-03-10.1 - ZoSo 2008-03-12 10:18:31.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.636 [GMT -4:00]
    Running from: C:\Documents and Settings\ZoSo\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\ZoSo\Desktop\CFScript.txt
    * Created a new restore point
    FILE ::
    C:\WINDOWS\levermjo.dll
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\qjinqtgh.exe
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\system32\L5C68.tmp
    C:\WINDOWS\system32\MSNSA32.dll
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\voV0HCStd9.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Program Files\180search assistant
    C:\Program Files\180search assistant\180sa.exe
    C:\Program Files\180search assistant\sau.exe
    C:\Program Files\180searchassistant
    C:\Program Files\180searchassistant\saap.exe
    C:\Program Files\180searchassistant\sac.exe
    C:\Program Files\180solutions
    C:\Program Files\180solutions\sais.exe
    C:\Program Files\zango
    C:\Program Files\zango\zango.exe
    C:\WINDOWS\cuwflltt
    C:\WINDOWS\cuwflltt\1.png
    C:\WINDOWS\cuwflltt\2.png
    C:\WINDOWS\cuwflltt\3.png
    C:\WINDOWS\cuwflltt\4.png
    C:\WINDOWS\cuwflltt\5.png
    C:\WINDOWS\cuwflltt\6.png
    C:\WINDOWS\cuwflltt\7.png
    C:\WINDOWS\cuwflltt\8.png
    C:\WINDOWS\cuwflltt\9.png
    C:\WINDOWS\cuwflltt\bottom-rc.gif
    C:\WINDOWS\cuwflltt\config.png
    C:\WINDOWS\cuwflltt\content.png
    C:\WINDOWS\cuwflltt\download.gif
    C:\WINDOWS\cuwflltt\frame-bg.gif
    C:\WINDOWS\cuwflltt\frame-bottom-left.gif
    C:\WINDOWS\cuwflltt\frame-h1bg.gif
    C:\WINDOWS\cuwflltt\head.png
    C:\WINDOWS\cuwflltt\icon.png
    C:\WINDOWS\cuwflltt\indexwp.html
    C:\WINDOWS\cuwflltt\main.css
    C:\WINDOWS\cuwflltt\memory-prots.png
    C:\WINDOWS\cuwflltt\net.png
    C:\WINDOWS\cuwflltt\pc-mag.gif
    C:\WINDOWS\cuwflltt\pc.gif
    C:\WINDOWS\cuwflltt\poloska1.png
    C:\WINDOWS\cuwflltt\poloska2.png
    C:\WINDOWS\cuwflltt\poloska3.png
    C:\WINDOWS\cuwflltt\promowp1.html
    C:\WINDOWS\cuwflltt\promowp2.html
    C:\WINDOWS\cuwflltt\promowp3.html
    C:\WINDOWS\cuwflltt\promowp4.html
    C:\WINDOWS\cuwflltt\promowp5.html
    C:\WINDOWS\cuwflltt\reg.png
    C:\WINDOWS\cuwflltt\repair.png
    C:\WINDOWS\cuwflltt\scr-1.png
    C:\WINDOWS\cuwflltt\scr-2.png
    C:\WINDOWS\cuwflltt\start.png
    C:\WINDOWS\cuwflltt\styles.css
    C:\WINDOWS\cuwflltt\Thumbs.db
    C:\WINDOWS\cuwflltt\top-rc.gif
    C:\WINDOWS\cuwflltt\vline.gif
    C:\WINDOWS\cuwflltt\wp.png
    C:\WINDOWS\FLEOK
    C:\WINDOWS\FLEOK\180ax.exe
    C:\WINDOWS\levermjo.dll
    C:\WINDOWS\msa64chk.dll
    C:\WINDOWS\msapasrc.dll
    C:\WINDOWS\ntnut.exe
    C:\WINDOWS\qjinqtgh.exe
    C:\WINDOWS\shdocpe.dll
    C:\WINDOWS\shdocpl.dll
    C:\WINDOWS\system32\L5C68.tmp
    C:\WINDOWS\system32\MSNSA32.dll
    C:\WINDOWS\system32\ntnut32.exe
    C:\WINDOWS\system32\shdocpe.dll
    C:\WINDOWS\system32\SIPSPI32.dll
    C:\WINDOWS\system32\winfrun32.bin
    C:\WINDOWS\voV0HCStd9.exe
    .
    ((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
    .
    2008-03-10 01:52 . 2008-03-10 01:58 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\gtk-2.0
    2008-03-10 01:51 . 2008-03-10 01:53 <DIR> d-------- C:\Documents and Settings\ZoSo\avidemux
    2008-03-09 17:51 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-03-09 14:02 . 2008-03-12 10:23 6,172,704 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-03-09 14:02 . 2008-03-12 10:21 74,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-03-09 14:00 . 2008-03-09 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-03-09 14:00 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-03-09 14:00 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-03-09 14:00 . 2008-03-09 14:01 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-03-09 13:59 . 2008-03-09 14:00 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2008-03-09 13:59 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
    2008-03-09 13:59 . 2008-03-12 10:22 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
    2008-03-09 13:58 . 2008-03-12 10:11 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-03-09 13:52 . 2008-03-09 17:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-09 10:16 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
    2008-03-09 03:15 . 2008-03-09 03:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-03-09 03:14 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-09 00:49 . 2008-03-09 02:46 283 --a------ C:\WINDOWS\wininit.ini
    2008-03-09 00:27 . 2008-03-09 00:27 <DIR> d-------- C:\Program Files\Sysmnt
    2008-03-09 00:27 . 2008-03-09 00:27 <DIR> d-------- C:\Program Files\stc
    2008-03-08 15:31 . 2008-03-08 15:31 32,512 --a------ C:\WINDOWS\didduid.ini
    2008-03-08 15:31 . 2008-03-08 15:31 30,464 --a------ C:\WINDOWS\123messenger.per
    2008-03-07 23:09 . 2008-03-07 23:09 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\Outertech
    2008-03-07 22:48 . 2008-03-07 22:48 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-12 14:14 --------- d-----w C:\Documents and Settings\ZoSo\Application Data\uTorrent
    2008-03-09 21:51 --------- d-----w C:\Program Files\Java
    2008-03-09 18:52 --------- d-----w C:\Documents and Settings\ZoSo\Application Data\AVG7
    2008-03-09 14:24 --------- d-----w C:\Program Files\Google
    2008-03-09 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-03 05:50 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
    2008-01-22 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-22 06:41 --------- d-----w C:\Program Files\ATI Multimedia
    2006-03-23 04:02 89 ----a-w C:\Program Files\INSTALL.LOG
    1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="D:\Program Files\AIM\aim.exe" [2003-08-01 11:31 61440]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 09:51 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2005-01-20 08:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
    "CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
    "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
    "AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:50 579072]
    "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-12-14 08:39 282624]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 10:04 219136]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
    backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    --a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-12-14 08:39 282624 D:\Program Files\QuickTime\qttask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Documents and Settings\\ZoSo\\Desktop\\utorrent.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
    "D:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
    "D:\\Program Files\\AIM\\aim.exe"=
    "F:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
    "D:\\Program Files\\Soulseek-Test\\slsk.exe"=
    "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    R2 ViCAM;ViCAM;C:\WINDOWS\system32\drivers\ViCAM.sys [1999-04-15 16:17]
    R3 VICAMUSB;3Com HomeConnect USB Camera;C:\WINDOWS\system32\drivers\vicamusb.sys [1999-04-27 13:52]
    S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.SYS [2000-08-11 03:24]
    S3 cusbohcn;cusbohcn;C:\DOCUME~1\ZoSo\LOCALS~1\Temp\cusbohcn.sys []
    S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2002-10-15 16:03]
    S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2002-10-15 16:05]
    S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2002-10-15 16:07]
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-12 10:23:05
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Other Running Processes
    .
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-12 10:24:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-12 14:24:27
    ComboFix2.txt 2008-03-11 03:53:12
    .
    2008-02-28 17:23:46 --- E O F ---


    MBAM
    Malwarebytes' Anti-Malware 1.08
    Database version: 471
    Scan type: Full Scan (C:\|D:\|F:\|G:\|)
    Objects scanned: 142480
    Time elapsed: 41 minute(s), 45 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 11
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\XPdefender (Rogue.XPDefender) -> Quarantined and deleted successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP774\A0058289.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.

    Kaspersky

    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, March 12, 2008 9:15:23 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 12/03/2008
    Kaspersky Anti-Virus database records: 626007
    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    Scan Statistics:
    Total number of scanned objects: 112743
    Number of viruses found: 26
    Number of infected objects: 79
    Number of suspicious objects: 12
    Duration of the scan process: 01:44:30
    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant.zip/sais.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant2.zip/180ax.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant2.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant4.zip/saap.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant4.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant9.zip/180sa.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant9.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\arr3.jar-44f46a26-658d765a.zip.bac_a03992/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\arr3.jar-44f46a26-658d765a.zip.bac_a03992/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\arr3.jar-44f46a26-658d765a.zip.bac_a03992 ZIP: infected - 2 skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\arr3.jar-44f46a26-658d765a.zip.bac_a03992 CryptFF.b: infected - 2 skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\ie0601a.jar-686cd5c0-4f063349.zip.bac_a03992/Installer.class Infected: Trojan-Downloader.Java.OpenStream.z skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\ie0601a.jar-686cd5c0-4f063349.zip.bac_a03992 ZIP: infected - 1 skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\ie0601a.jar-686cd5c0-4f063349.zip.bac_a03992 CryptFF.b: infected - 1 skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\mm21.ocx.bac_a03992 Infected: Trojan-Downloader.Win32.VB.ez skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\mmwork.exe.bac_a03992 Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine\optimize.exe.bac_a03992 Infected: Trojan-Downloader.Win32.Dyfuca.ds skipped
    C:\Documents and Settings\ZoSo\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\ZoSo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\ZoSo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\ZoSo\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ZoSo\Local Settings\History\History.IE5\MSHist012008031220080313\index.dat Object is locked skipped
    C:\Documents and Settings\ZoSo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ZoSo\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\ZoSo\NTUSER.DAT.LOG Object is locked skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\CROSOF~1\taskmgr.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped
    C:\QooBox\Quarantine\C\WINDOWS\levermjo.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\QooBox\Quarantine\C\WINDOWS\qjinqtgh.exe.vir Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\APPATC~1\wіnlogon.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\L5C68.tmp.vir/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.m skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\L5C68.tmp.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.m skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\L5C68.tmp.vir NSIS: infected - 2 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP774\A0058287.exe Object is locked skipped
    C:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP776\A0058966.dll Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP776\A0058970.exe Infected: Trojan.Win32.Obfuscated.gx skipped
    C:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP776\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\Internet Logs\ZOSO2.ldb Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{A2F40F45-E471-4E22-8D12-40292EE402CB}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
    C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TEMP\ZLT03fb4.TMP Object is locked skipped
    C:\WINDOWS\TEMP\ZLT06cfc.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\Program Files\HomeKeylogger\KeyLogger.Dll Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.170 skipped
    D:\Program Files\HomeKeylogger\KeyLogger.exe Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.170 skipped
    D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    D:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP776\change.log Object is locked skipped
    F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\MasterZoSo - Deleted Items.dbx/[From "MALENLARG CHANGESIZE" Vicky8165 <[EMAIL="Vicky8165@Vicky8165.bj.china.com>]"]Vicky8165@Vicky8165.bj.china.com>][/EMAIL][Date Sat, 03 Dec 2005 07:59:49 -0800]/Cross_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b skipped
    F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\MasterZoSo - Deleted Items.dbx/[From "MALEGROWTH BIGGERISBETTER" Masterzoso <[EMAIL="Masterzoso@Masterzoso.bgyrdqeeeq.ba>]"]Masterzoso@Masterzoso.bgyrdqeeeq.ba>][/EMAIL][Date Tue, 13 Dec 2005 18:08:39 -0800]/Benton_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b skipped
    F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\MasterZoSo - Deleted Items.dbx/[From "MALEGROWTH BIGGERISBETTER" Masterzoso <[EMAIL="Masterzoso@Masterzoso.bhlvrxddhl.is>]"]Masterzoso@Masterzoso.bhlvrxddhl.is>][/EMAIL][Date Wed, 14 Dec 2005 06:06:36 -0800]/Strickland_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b skipped
    F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\MasterZoSo - Deleted Items.dbx Mail MS Outlook 5: infected - 3 skipped
    F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <[EMAIL="support_num_164908411814@ebay.com>]"]support_num_164908411814@ebay.com>][/EMAIL][Date Sat, 17 Dec 2005 15:31:27 +0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
    F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <[EMAIL="support_num_164908411814@ebay.com>]"]support_num_164908411814@ebay.com>][/EMAIL][Date Sat, 17 Dec 2005 15:31:27 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
    F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
    F:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\LookMeTopconverting1.zip/VT00.exe Suspicious: Password-protected-EXE skipped
    F:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\LookMeTopconverting1.zip ZIP: suspicious - 1 skipped
    F:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1014.dll Infected: not-a-virus:AdWare.Win32.Gator.1015 skipped
    F:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1014.dll Infected: not-a-virus:AdWare.Win32.Gator.1015 skipped
    F:\WINDOWS\unstall.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
    F:\WINDOWS\minigolf_affiliate.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.g skipped
    F:\WINDOWS\minigolf_affiliate.exe NSIS: infected - 1 skipped
    F:\WINDOWS\banner.dll Infected: not-a-virus:AdWare.Win32.Banex.a skipped
    F:\WINDOWS\adp8038_MARKETING27.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
    F:\WINDOWS\adp8038_MARKETING27.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.w skipped
    F:\WINDOWS\adp8038_MARKETING27.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
    F:\WINDOWS\adp8038_MARKETING27.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
    F:\WINDOWS\adp8038_MARKETING27.exe/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
    F:\WINDOWS\adp8038_MARKETING27.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
    F:\WINDOWS\adp8038_MARKETING27.exe NSIS: infected - 6 skipped
    F:\Program Files\Netscape\Users\zoso\Mail\Sent/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Fri, 13 Apr 2001 00:31:17 -0400]/UNNAMED/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Mon, 04 Nov 2002 06:17:05 -0500]/text/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Sat, 01 May 2004 09:31:06 -0400]/UNNAMED/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Mon, 25 Oct 2004 22:07:09 -0400]/UNNAMED/[From Services PayPal <[EMAIL="services@paypal.com>]"]services@paypal.com>][/EMAIL][Date Sat, 18 Dec 2004 17:31:39 -0500]/html Infected: Trojan-Spy.HTML.Paylap.bg skipped
    F:\Program Files\Netscape\Users\zoso\Mail\Sent/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Fri, 13 Apr 2001 00:31:17 -0400]/UNNAMED/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Mon, 04 Nov 2002 06:17:05 -0500]/text/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Sat, 01 May 2004 09:31:06 -0400]/UNNAMED/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Mon, 25 Oct 2004 22:07:09 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.bg skipped
    F:\Program Files\Netscape\Users\zoso\Mail\Sent/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Fri, 13 Apr 2001 00:31:17 -0400]/UNNAMED/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Mon, 04 Nov 2002 06:17:05 -0500]/text/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Sat, 01 May 2004 09:31:06 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.bg skipped
    F:\Program Files\Netscape\Users\zoso\Mail\Sent/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Fri, 13 Apr 2001 00:31:17 -0400]/UNNAMED/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Mon, 04 Nov 2002 06:17:05 -0500]/text Infected: Trojan-Spy.HTML.Paylap.bg skipped
    F:\Program Files\Netscape\Users\zoso\Mail\Sent/[From ZoSo <[EMAIL="zoso@stny.rr.com>]"]zoso@stny.rr.com>][/EMAIL][Date Fri, 13 Apr 2001 00:31:17 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.bg skipped
    F:\Program Files\Netscape\Users\zoso\Mail\Sent Mail Berkeley mbox: infected - 5 skipped
    F:\Program Files\Serv-U\Serv-U32.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.24.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From ... /[From Medical B ... ... /[From Flora Hensman <[EMAIL="sologreen7@corninglink.com>]"]sologreen7@corninglink.com>][/EMAIL][Date Fri, 16 May 2003 12:10:55 -0400]/html Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From ... /[From Medical B ... /[From FreeLotto Prize Award <[EMAIL="offers@freelotto.com>]"]offers@freelotto.com>][/EMAIL][Date Fri, 16 May 2003 07:14:29 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From ... /[From Medical Breakt ... /[From A ... /[From [EMAIL="dambakly255lsmr@canada.com]"]dambakly255lsmr@canada.com][/EMAIL][Date Fri, 16 May 2003 06:28:56 -0800]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From ... /[From Medical Breakt ... /[From Angela Browne <[EMAIL="1vlwhrky@yahoo.ca>]"]1vlwhrky@yahoo.ca>][/EMAIL][Date Mon, 28 Jan 2002 12:57:37 +0000 (GMT)]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From ... /[From Medical Breakthroughs <[EMAIL="editor-gokdtzvqhuvaq@monterey.liz5000.net>]"]editor-gokdtzvqhuvaq@monterey.liz5000.net>][/EMAIL][Date Thu, 15 May 2003 14:52:08 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Be ... /[From "Credit Dept." <[EMAIL="editor-lzuuytnxprzbh@monterey.liz5000.net>]"]editor-lzuuytnxprzbh@monterey.liz5000.net>][/EMAIL][Date Wed, 14 May 2003 17:42:44 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Be ... /[From "Roy at SEVENtwentyfour Inc." <[EMAIL="roybryant@seventwentyfour.com>]"]roybryant@seventwentyfour.com>][/EMAIL][Date Wed, 14 May 2003 17:18:59 -0400]/text Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Behn" <[EMAIL="kbehn1@stny.rr.co"]kbehn1@stny.rr.co[/EMAIL] ... /[Fro ... /[From sam <[EMAIL="sammer21@hotmail.com>]"]sammer21@hotmail.com>][/EMAIL][Date Wed, 14 May 2003 15:02:02 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Behn" <[EMAIL="kbehn1@stny.rr.co"]kbehn1@stny.rr.co[/EMAIL] ... /[Fro ... /[From sam <[EMAIL="sammer21@hotmail.com>]"]sammer21@hotmail.com>][/EMAIL][Date Wed, 14 May 2003 14:53:37 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Behn" <[EMAIL="kbehn1@stny.rr.co"]kbehn1@stny.rr.co[/EMAIL] ... /[From "Savannah C. Kidd" <[EMAIL="s.kidd76@cisco.com>]"]s.kidd76@cisco.com>][/EMAIL][Date Wed, 26 Mar 2003 13:19:58 +0000]/html Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Behn" <[EMAIL="kbehn1@stny.rr.com"]kbehn1@stny.rr.com[/EMAIL]>] ... /[From Tara ... /[From [EMAIL="The_scene@mp3.com]"]The_scene@mp3.com][/EMAIL][Date Sat, 10 May 2003 09:32:29 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Behn" <[EMAIL="kbehn1@stny.rr.com"]kbehn1@stny.rr.com[/EMAIL]>] ... /[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Wed, 26 Feb 2003 10:59:52 -0800 (PST)]/text Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Behn" <[EMAIL="kbehn1@stny.rr.com>]"]kbehn1@stny.rr.com>][/EMAIL][Date ... /[From "Tony" <[EMAIL="bonfire@stny.rr.com>]"]bonfire@stny.rr.com>][/EMAIL][Date Mon, 16 Dec 2002 12:04:19 -0500]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED/[From "Ken Behn" <[EMAIL="kbehn1@stny.rr.com>]"]kbehn1@stny.rr.com>][/EMAIL][Date Wed, 27 Nov 2002 18:12:14 -0500]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text/[From Brian Jangler <[EMAIL="yardbirdjanglin@yahoo.com>]"]yardbirdjanglin@yahoo.com>][/EMAIL][Date Sat, 9 Nov 2002 10:21:41 -0800 (PST)]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text/[From Tara <[EMAIL="giggleberry22@yahoo.com>]"]giggleberry22@yahoo.com>][/EMAIL][Date Tue, 22 Oct 2002 12:12:09 -0700 (PDT)]/text Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text/[From Stephen Moss <[EMAIL="steve@memlo.net>]"]steve@memlo.net>][/EMAIL][Date Wed, 23 Jan 2002 03:17:06 -0500]/text Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN/[From "Catherine Russell" <[EMAIL="zosogirl18@hotmail.com>]"]zosogirl18@hotmail.com>][/EMAIL][Date Tue, 22 May 2001 19:37:08 -0000]/text Infected: Email-Worm.VBS.KakWorm skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN Mail Berkeley mbox: infected - 18 skipped
    F:\Program Files\Norton AntiVirus\Quarantine\14870000.VBN CryptZ: infected - 18 skipped
    F:\Program Files\Norton AntiVirus\Quarantine\98530000.VBN Infected: Virus.VBS.Redlof.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\98530002.VBN Infected: Virus.VBS.Redlof.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B0000.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B0002.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B0004.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B0006.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B0008.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B000A.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B000C.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\Program Files\Norton AntiVirus\Quarantine\B87B000E.VBN Infected: Trojan.Win32.TalkStocks.a skipped
    F:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP776\change.log Object is locked skipped
    Scan process completed.


    4) Computer seems to be running fine, no more pop-ups, fake Windows security alerts, I can once again access task manager, etc...
  • gringo_pr Puerto Rico
    edited March 2008
    hello ZoSo

    First I am going to ask if you installed these programs on your computer: Home Keylogger, Serv-U and mIRC (Internet Relay Chat utility).

    Also, you need to clean out your sent emails from your Netscape account.


    :Delete files and folders:
      I need you to right-click on the Start button, click on Explore, and navigate to and delete everything that is in this folder:

    C:\Documents and Settings\ZoSo\.housecall6.6\Quarantine<----this folder



    :Clean temp files:
      Download and run ATF Cleaner: download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache
      recycle bin

      *The other boxes are optional*
      Then click the Empty Selected button.

      If you use Firefox: click Firefox at the top and choose Select All.
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      If you use Opera: click Opera at the top and choose Select All.
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


      Click Exit on the Main menu to close the program


      :uninstall some programs:
        1. click on start
        2. then go to settings
        3. after that you need control panel
        4. look for the icon add remove programs
        click on the following programs

        J2SE Runtime Environment 5.0 Update 9

        and click on remove


        :Run CFScript:

        Open Notepad and copy/paste the text in the box into the window:
        File::
        F:\WINDOWS\unstall.exe
        F:\WINDOWS\minigolf_affiliate.exe
        F:\WINDOWS\banner.dll
        F:\WINDOWS\adp8038_MARKETING27.exe

        Folder::
        F:\WINDOWS\Downloaded Program Files\CONFLICT.1
        F:\WINDOWS\Downloaded Program Files\CONFLICT.2
        F:\Program Files\Norton AntiVirus\Quarantine
        

        Save it to your desktop as CFScript.txt

        Referring to the picture above, drag CFScript.txt into ComboFix.exe
        CFScript.gif
        This will let ComboFix run again.
        Restart if you have to.
        Save the produced logfile to your desktop.

        Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

        :information and logs:

          In your next post I need the following:
          1. let me know about the three programs
          2. let me have the ComboFix log
          3. a new HijackThis log


        Gringo
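The sorting gringo_pr does by eye above (copies already sitting in quarantine or restore-point folders versus files still live on disk, and tools such as mIRC, Serv-U and the keylogger that are flagged but may be the owner's own) can be done mechanically over the Kaspersky log posted earlier in this thread. The script below is an added example written for this page; it is not code from the thread, from Kaspersky or from ComboFix. It assumes each result line has the shape `<path> <verdict> skipped` with the container-type names seen in that log, and the sample lines are copied from it.

```python
"""Triage of Kaspersky-style scan output (added example, not from the thread).

Sorts result lines into: locked system files (noise), copies another tool
already isolated, hits inside old mail stores, legitimate-but-flagged tools
to ask the owner about, and live files that still need removal.
"""
import re
from dataclasses import dataclass

# Verdict grammar as seen in the thread's log; the container-type names are the
# ones that appear there, another scanner build may print others (assumption).
VERDICT_RE = re.compile(
    r"\s+(?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|(?P<container>ZIP|NSIS|CryptZ|CryptFF\.\w+|Mail [\w ]+?): (?:infected|suspicious) - \d+"
    r")\s+skipped\s*$"
)

# Folders whose contents are copies an earlier tool already isolated.
CONTAINED_MARKERS = ("\\quarantine\\", "\\recovery\\", "\\_restore{", "\\qoobox\\")
# Mail stores: hits inside them are old messages, not running code.
MAIL_MARKERS = (".dbx", "\\mail\\")
# "not-a-virus:" families that are tools rather than adware: confirm with the
# owner (as gringo_pr does) instead of deleting them outright.
RISKWARE_PREFIXES = ("not-a-virus:monitor.", "not-a-virus:client-irc.", "not-a-virus:server-ftp.")


@dataclass
class Finding:
    path: str       # full path, including any archive member after "/"
    kind: str       # locked | infected | suspicious | container
    name: str       # detection or container name ("" for locked objects)
    location: str   # contained | mailbox | live


def classify_location(path):
    low = path.lower()
    if any(m in low for m in CONTAINED_MARKERS):
        return "contained"
    if any(m in low for m in MAIL_MARKERS):
        return "mailbox"
    return "live"


def parse_line(line):
    """Split one result line into a Finding, or None if it is not a result line."""
    s = line.strip()
    m = VERDICT_RE.search(s)
    if not m:
        return None
    path = s[:m.start()]
    for kind in ("locked", "infected", "suspicious", "container"):
        if m.group(kind):
            name = "" if kind == "locked" else m.group(kind)
            return Finding(path, kind, name, classify_location(path))
    return None


def triage(lines):
    """Count the noise and list, per top-level file, what is still live."""
    report = {"locked": 0, "contained": 0, "mailbox": 0, "riskware": [], "live": []}
    per_file = {}   # top-level file -> detection names of its members, in order
    for f in filter(None, map(parse_line, lines)):
        if f.kind == "locked":
            report["locked"] += 1
            continue
        if f.location != "live":
            report[f.location] += 1
            continue
        top = f.path.split("/", 1)[0]          # archive members fold onto the archive
        names = per_file.setdefault(top, [])
        if f.kind != "container":              # "ZIP"/"NSIS" summaries carry no verdict
            names.append(f.name)
    for top, names in per_file.items():
        if names and all(n.lower().startswith(RISKWARE_PREFIXES) for n in names):
            report["riskware"].append(top)
        else:
            report["live"].append(top)
    return report


def render_file_section(paths):
    """The File:: section of a ComboFix CFScript, the list gringo_pr wrote by hand."""
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: eleven lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\levermjo.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{147C1ABE-F064-4CB8-9675-0420A8914A5C}\RP776\A0058966.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
F:\WINDOWS\Application Data\Identities\{6DEE6AA0-8B9F-11D5-A86E-C91388C5FF7F}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
F:\WINDOWS\banner.dll Infected: not-a-virus:AdWare.Win32.Banex.a skipped
F:\WINDOWS\minigolf_affiliate.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.g skipped
F:\WINDOWS\minigolf_affiliate.exe NSIS: infected - 1 skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 skipped
D:\Program Files\HomeKeylogger\KeyLogger.exe Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.170 skipped
F:\Program Files\Norton AntiVirus\Quarantine\98530000.VBN Infected: Virus.VBS.Redlof.a skipped
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.strip().splitlines())
    for key in ("locked", "contained", "mailbox"):
        print(f"{key}: {result[key]}")
    print("ask the owner about:", *result["riskware"], sep="\n  ")
    print(render_file_section(result["live"]))
```

On the sample, the quarantine, restore-point and Spybot recovery hits count as already contained, the `.dbx` hit as mailbox, mIRC and the keylogger land in the "ask the owner" list, and only `banner.dll` and `minigolf_affiliate.exe` come out as live files, which is the same split the reply above arrives at. The container-name list and the folder markers are the two places to extend when a different scanner or cleanup tool is in play.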
      • edited March 2008
        1) I installed all three. I regularly use mIRC, occasionally use HomeKeylogger (keep track of kids), and no longer use Serv-U.

        2) Combo Fix

        ComboFix 08-03-10.1 - ZoSo 2008-03-15 23:35:00.4 - NTFSx86
        Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.603 [GMT -4:00]
        Running from: C:\Documents and Settings\ZoSo\Desktop\ComboFix.exe
        Command switches used :: C:\Documents and Settings\ZoSo\Desktop\CFScript.txt
        * Created a new restore point
        FILE ::
        F:\WINDOWS\adp8038_MARKETING27.exe
        F:\WINDOWS\banner.dll
        F:\WINDOWS\minigolf_affiliate.exe
        F:\WINDOWS\unstall.exe
        .
        ((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
        .
        2008-03-15 08:35 . 2008-03-15 08:35 14,336 --a------ C:\Documents and Settings\ZoSo\~.exe
        2008-03-15 00:39 . 2004-08-04 01:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
        2008-03-15 00:39 . 2004-08-04 01:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
        2008-03-15 00:39 . 2004-08-04 01:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
        2008-03-15 00:39 . 2004-08-04 01:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
        2008-03-12 10:29 . 2008-03-12 10:29 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\Malwarebytes
        2008-03-12 10:29 . 2008-03-12 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
        2008-03-10 01:52 . 2008-03-10 01:58 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\gtk-2.0
        2008-03-10 01:51 . 2008-03-10 01:53 <DIR> d-------- C:\Documents and Settings\ZoSo\avidemux
        2008-03-09 17:51 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
        2008-03-09 14:02 . 2008-03-15 23:36 7,712,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
        2008-03-09 14:02 . 2008-03-12 10:21 74,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
        2008-03-09 14:00 . 2008-03-09 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
        2008-03-09 14:00 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
        2008-03-09 14:00 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
        2008-03-09 14:00 . 2008-03-09 14:01 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
        2008-03-09 13:59 . 2008-03-09 14:00 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
        2008-03-09 13:59 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
        2008-03-09 13:59 . 2008-03-12 10:33 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
        2008-03-09 13:58 . 2008-03-15 23:15 <DIR> d-------- C:\WINDOWS\Internet Logs
        2008-03-09 13:52 . 2008-03-09 17:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
        2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
        2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
        2008-03-09 10:16 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
        2008-03-09 03:15 . 2008-03-09 03:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
        2008-03-09 03:14 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
        2008-03-09 00:49 . 2008-03-09 02:46 283 --a------ C:\WINDOWS\wininit.ini
        2008-03-09 00:27 . 2008-03-09 00:27 <DIR> d-------- C:\Program Files\Sysmnt
        2008-03-09 00:27 . 2008-03-09 00:27 <DIR> d-------- C:\Program Files\stc
        2008-03-08 15:31 . 2008-03-08 15:31 32,512 --a------ C:\WINDOWS\didduid.ini
        2008-03-08 15:31 . 2008-03-08 15:31 30,464 --a------ C:\WINDOWS\123messenger.per
        2008-03-07 23:09 . 2008-03-07 23:09 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\Outertech
        2008-03-07 22:48 . 2008-03-07 22:48 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
        .
        (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-03-16 03:15 --------- d-----w C:\Documents and Settings\ZoSo\Application Data\uTorrent
        2008-03-16 03:05 --------- d-----w C:\Program Files\Java
        2008-03-15 12:35 14,336 ----a-w C:\Documents and Settings\ZoSo\~.exe
        2008-03-09 18:52 --------- d-----w C:\Documents and Settings\ZoSo\Application Data\AVG7
        2008-03-09 14:24 --------- d-----w C:\Program Files\Google
        2008-03-09 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
        2008-02-03 05:50 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
        2008-01-22 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
        2008-01-22 06:41 --------- d-----w C:\Program Files\ATI Multimedia
        2006-03-23 04:02 89 ----a-w C:\Program Files\INSTALL.LOG
        1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
        1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
        1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
        1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
        1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
        1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
        .
        ((((((((((((((((((((((((((((( snapshot@2008-03-10_23.52.59.75 )))))))))))))))))))))))))))))))))))))))))
        .
        - 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
        + 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
        .
        ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "AIM"="D:\Program Files\AIM\aim.exe" [2003-08-01 11:31 61440]
        "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 09:51 68856]
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SoundMan"="SOUNDMAN.EXE" [2005-01-20 08:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
        "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
        "CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
        "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
        "AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:50 579072]
        "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-12-14 08:39 282624]
        "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
        "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "AVG7_Run"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 10:04 219136]
        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
        Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
        path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
        backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
        --a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        --a------ 2006-12-14 08:39 282624 D:\Program Files\QuickTime\qttask.exe
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
        C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
        "DisableMonitoring"=dword:00000001
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
        "C:\\Documents and Settings\\ZoSo\\Desktop\\utorrent.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
        "D:\\Program Files\\AIM\\aim.exe"=
        "F:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
        "D:\\Program Files\\Soulseek-Test\\slsk.exe"=
        "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
        "D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
        "D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
        R2 ViCAM;ViCAM;C:\WINDOWS\system32\drivers\ViCAM.sys [1999-04-15 16:17]
        R3 VICAMUSB;3Com HomeConnect USB Camera;C:\WINDOWS\system32\drivers\vicamusb.sys [1999-04-27 13:52]
        S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.SYS [2000-08-11 03:24]
        S3 cusbohcn;cusbohcn;C:\DOCUME~1\ZoSo\LOCALS~1\Temp\cusbohcn.sys []
        S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2002-10-15 16:03]
        S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2002-10-15 16:05]
        S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2002-10-15 16:07]
        .
        **************************************************************************
        catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-03-15 23:36:08
        Windows 5.1.2600 Service Pack 2 NTFS
        scanning hidden processes ...
        scanning hidden autostart entries ...
        scanning hidden files ...
        scan completed successfully
        hidden files: 0
        **************************************************************************
        .
        Completion time: 2008-03-15 23:36:45
        ComboFix-quarantined-files.txt 2008-03-16 03:36:42
        ComboFix2.txt 2008-03-16 03:22:39
        ComboFix3.txt 2008-03-12 14:24:33
        ComboFix4.txt 2008-03-11 03:53:12
        .
        2008-03-13 13:11:37 --- E O F ---

        3) HJT

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 11:26:50 PM, on 3/15/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal
        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
        D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
        D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
        C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        D:\Program Files\Grisoft\AVG Free\avgcc.exe
        C:\WINDOWS\explorer.exe
        D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
        O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
        O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
        O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
        O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
        O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
        O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
        O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
        O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
        O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134950895296
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
        O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
        --
        End of file - 5226 bytes
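        Added example, not part of this thread and not code from the HijackThis or ComboFix authors: a small Python triage helper that reads the kinds of autostart lines posted above (HijackThis O4 Run entries, O23 services and an F2 UserInit line, plus ComboFix's R/S driver lines) and reports the cheap red flags a helper checks by eye first: a binary launched from a temporary directory, a file dropped directly in a user profile root (where ComboFix listed ~.exe), a file name with no letters or digits, a ComboFix service entry with no file timestamp (as in the cusbohcn.sys line), and a UserInit value that chains anything beyond userinit.exe. The sample lines are copied from the logs in this thread except the ~.exe Run entry and the UserInit line, which are constructed for the demonstration; the extra program in the UserInit line is a placeholder name.

```python
"""Triage helper for HijackThis / ComboFix autostart lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A drive-letter path up to the first binary extension; non-greedy so that
# arguments after the executable ("... CTSysVol.exe /r") are not swallowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|sys|scr|cpl)', re.I)
HJT_O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HJT_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")
HJT_F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")
# ComboFix driver/service line: "S3 name;display name;path [timestamp]"
CF_SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def first_path(command: str) -> str:
    """Return the binary a Run/Service command actually launches.

    For "RUNDLL32.EXE C:\\...\\NvCpl.dll,NvStartup" that is the DLL, not rundll32.
    """
    m = PATH_RE.search(command)
    return m.group(0) if m else command.strip().strip('"').split(" ")[0]


def path_reasons(path: str) -> List[str]:
    """Location and naming heuristics for one launched file."""
    p = path.lower()
    reasons: List[str] = []
    if "\\temp\\" in p or "\\local settings\\" in p or "\\locals~1\\" in p:
        reasons.append("launched from a temporary directory")
    # Exactly one component after the profile name, e.g. ...\ZoSo\~.exe
    if re.search(r"\\documents and settings\\[^\\]+\\[^\\]+$", p):
        reasons.append("file sits directly in a user profile root")
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not re.search(r"[a-z0-9]", stem):
        reasons.append("file name has no letters or digits")
    return reasons


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    reasons: List[str] = []
    m = HJT_F2_RE.match(line)
    if m:
        # Only userinit.exe belongs here; anything chained after it runs at logon.
        entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
        extra = [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            reasons.append("UserInit chains extra program(s): " + ", ".join(extra))
    else:
        m = HJT_O4_RE.match(line) or HJT_O23_RE.match(line)
        if m:
            reasons.extend(path_reasons(first_path(m.group("cmd"))))
        else:
            m = CF_SVC_RE.match(line)
            if m:
                reasons.extend(path_reasons(m.group("path")))
                if not m.group("stamp"):
                    reasons.append("no file timestamp recorded (file missing or unreadable)")
    return Finding(line, reasons) if reasons else None


def triage_log(lines) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Sample input: lines from the logs in this thread, plus two constructed ones.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
    r"S3 cusbohcn;cusbohcn;C:\DOCUME~1\ZoSo\LOCALS~1\Temp\cusbohcn.sys []",
    # constructed: the ~.exe ComboFix listed, as if it had a Run entry
    r"O4 - HKCU\..\Run: [tilde] C:\Documents and Settings\ZoSo\~.exe",
    # constructed: a UserInit value with a placeholder second program
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\PLACEHOLDER_extra.exe,",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LINES):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Run as a script it prints the three flagged lines with their reasons; the clean entries (ZoneAlarm, the NVIDIA control panel DLL, the Google notifier, the vsmon service) produce nothing. The heuristics are deliberately narrow: they do not prove anything is malicious, they only order what to look at first, which is the same job the helper's eye does when reading a posted log.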
      • gringo_pr, Puerto Rico
        edited March 2008
        hello Zoso

        sorry for the delay my internet has been giving me problems :(

        :Run CFScript:

        Open Notepad and copy/paste the text in the box into the window:
        File::
        C:\WINDOWS\didduid.ini
        C:\WINDOWS\123messenger.per
        C:\Documents and Settings\ZoSo\~.exe
        

        Save it to your desktop as CFScript.txt

        Referring to the picture above, drag CFScript.txt into ComboFix.exe
        CFScript.gif
        This will let ComboFix run again.
        Restart if you have to.
        Save the produced logfile to your desktop.

        Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

        send me the log from combofix



        gringo
      • edited March 2008
        ComboFix 08-03-10.1 - ZoSo 2008-03-20 23:25:25.5 - NTFSx86
        Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT -4:00]
        Running from: C:\Documents and Settings\ZoSo\Desktop\ComboFix.exe
        Command switches used :: C:\Documents and Settings\ZoSo\Desktop\CFScript.txt
        * Created a new restore point
        FILE ::
        C:\Documents and Settings\ZoSo\~.exe
        C:\WINDOWS\123messenger.per
        C:\WINDOWS\didduid.ini
        .
        ((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
        .
        2008-03-20 23:25 . 2008-03-20 23:25 <DIR> d-------- C:\WINDOWS\LastGood
        2008-03-15 00:39 . 2004-08-04 01:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
        2008-03-15 00:39 . 2004-08-04 01:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
        2008-03-15 00:39 . 2004-08-04 01:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
        2008-03-15 00:39 . 2004-08-04 01:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
        2008-03-12 10:29 . 2008-03-12 10:29 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\Malwarebytes
        2008-03-12 10:29 . 2008-03-12 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
        2008-03-10 01:52 . 2008-03-10 01:58 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\gtk-2.0
        2008-03-10 01:51 . 2008-03-10 01:53 <DIR> d-------- C:\Documents and Settings\ZoSo\avidemux
        2008-03-09 17:51 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
        2008-03-09 14:02 . 2008-03-20 23:26 9,349,152 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
        2008-03-09 14:02 . 2008-03-12 10:21 74,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
        2008-03-09 14:00 . 2008-03-09 14:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
        2008-03-09 14:00 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
        2008-03-09 14:00 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
        2008-03-09 14:00 . 2008-03-09 14:01 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
        2008-03-09 13:59 . 2008-03-09 14:00 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
        2008-03-09 13:59 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
        2008-03-09 13:59 . 2008-03-12 10:33 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
        2008-03-09 13:58 . 2008-03-20 23:23 <DIR> d-------- C:\WINDOWS\Internet Logs
        2008-03-09 13:52 . 2008-03-09 17:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
        2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
        2008-03-09 11:15 . 2008-03-09 11:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
        2008-03-09 10:16 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
        2008-03-09 03:15 . 2008-03-09 03:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
        2008-03-09 03:14 . 2008-03-09 10:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
        2008-03-09 00:49 . 2008-03-09 02:46 283 --a------ C:\WINDOWS\wininit.ini
        2008-03-07 23:09 . 2008-03-07 23:09 <DIR> d-------- C:\Documents and Settings\ZoSo\Application Data\Outertech
        2008-03-07 22:48 . 2008-03-07 22:48 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
        .
        (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2008-03-20 17:14 --------- d-----w C:\Documents and Settings\ZoSo\Application Data\uTorrent
        2008-03-18 16:40 --------- d-----w C:\Program Files\Common Files\Adobe
        2008-03-16 03:05 --------- d-----w C:\Program Files\Java
        2008-03-09 18:52 --------- d-----w C:\Documents and Settings\ZoSo\Application Data\AVG7
        2008-03-09 14:24 --------- d-----w C:\Program Files\Google
        2008-03-09 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
        2008-02-03 05:50 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
        2008-01-22 06:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
        2008-01-22 06:41 --------- d-----w C:\Program Files\ATI Multimedia
        2006-03-23 04:02 89 ----a-w C:\Program Files\INSTALL.LOG
        1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
        1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
        1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
        1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
        1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
        1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
        .
        ((((((((((((((((((((((((((((( snapshot@2008-03-10_23.52.59.75 )))))))))))))))))))))))))))))))))))))))))
        .
        + 2008-03-18 16:41:02 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
        - 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
        + 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
        + 2006-06-05 18:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
        + 2006-06-05 18:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
        + 2006-06-05 18:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
        .
        ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "AIM"="D:\Program Files\AIM\aim.exe" [2003-08-01 11:31 61440]
        "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 09:51 68856]
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SoundMan"="SOUNDMAN.EXE" [2005-01-20 08:04 77824 C:\WINDOWS\SOUNDMAN.EXE]
        "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
        "CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
        "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
        "AVG7_CC"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-21 09:50 579072]
        "QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2006-12-14 08:39 282624]
        "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
        "ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
        "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
        "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "AVG7_Run"="D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 10:04 219136]
        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
        Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
        [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
        path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
        backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
        --a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
        --a------ 2006-12-14 08:39 282624 D:\Program Files\QuickTime\qttask.exe
        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
        C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
        "DisableMonitoring"=dword:00000001
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)
        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
        "C:\\Documents and Settings\\ZoSo\\Desktop\\utorrent.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
        "D:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
        "D:\\Program Files\\AIM\\aim.exe"=
        "F:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"=
        "D:\\Program Files\\Soulseek-Test\\slsk.exe"=
        "D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
        "D:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
        "D:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
        R2 ViCAM;ViCAM;C:\WINDOWS\system32\drivers\ViCAM.sys [1999-04-15 16:17]
        R3 VICAMUSB;3Com HomeConnect USB Camera;C:\WINDOWS\system32\drivers\vicamusb.sys [1999-04-27 13:52]
        S2 BT848;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT848.SYS [2000-08-11 03:24]
        S3 cusbohcn;cusbohcn;C:\DOCUME~1\ZoSo\LOCALS~1\Temp\cusbohcn.sys []
        S3 lgatbus;LG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\lgatbus.sys [2002-10-15 16:03]
        S3 lgatmdm;LG CDMA USB Modem Drivers;C:\WINDOWS\system32\DRIVERS\lgatmdm.sys [2002-10-15 16:05]
        S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lgatserd.sys [2002-10-15 16:07]
        .
        **************************************************************************
        catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2008-03-20 23:26:56
        Windows 5.1.2600 Service Pack 2 NTFS
        scanning hidden processes ...
        scanning hidden autostart entries ...
        scanning hidden files ...
        scan completed successfully
        hidden files: 0
        **************************************************************************
        .
        DLLs Loaded Under Running Processes
        PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
        -> D:\Program Files\AIM\idlemon.dll [0.00.0000.0000]
        .
        Completion time: 2008-03-20 23:27:33
        ComboFix-quarantined-files.txt 2008-03-21 03:27:29
        ComboFix2.txt 2008-03-16 03:36:46
        ComboFix3.txt 2008-03-16 03:22:39
        ComboFix4.txt 2008-03-12 14:24:33
        ComboFix5.txt 2008-03-11 03:53:12
        .
        2008-03-13 13:11:37 --- E O F ---
      • gringo_pr, Puerto Rico
        edited March 2008
        hello Zoso

        This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

        :Time for some housekeeping:
        • Click START then RUN
        • Now type Combofix /u in the runbox and click OK
        • CF_Cleanup.png
        • When shown the disclaimer, Select "2"

        :Set correct settings for files:
        • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
        • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
        • If unchecked please check Hide protected operating system files (Recommended)
        • If necessary check "Display content of system folders"
        • If necessary Uncheck Hide file extensions for known file types.
        • Click OK

        :Make your Internet Explorer more secure:
        • From within Internet Explorer click on the Tools menu and then click on Options.
        • Click once on the Security tab
        • Click once on the Internet icon so it becomes highlighted.
        • Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
          Next press the Apply button and then the OK to exit the Internet Properties page.
        :Turn On Automatic Updates:
        1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
        2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.

        If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

        or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



        :antispyware programs:
          You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them. I would also recommend downloading and installing some or all of the following programs (all free),
        and updating them regularly:
        • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
        • Spybot Search & Destroy - Spybot is a tool like Ad-Aware SE in that it seeks out and removes known spyware from your machine. These two tools (Ad-Aware & Spybot) are perfect complements to each other, as one will almost always find something the other missed.
        • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
        • IE_Spyad - Works by placing known "bad" sites into your Internet Explorer "Restricted Zones" prohibiting them from doing potentially problematic things to your computer.


        Consider a custom hosts file
          Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers.
        For information on how to download and install, please read this tutorial by WinHelp2002
        Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.


        Also please read this great article by Tony Klein So How Did I Get Infected In First Place

        Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

        Malware Complaints
        If you were infected .... Stand Up and be Counted.

        I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.


        Gringo
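The custom hosts file advice above works by mapping unwanted host names to a local address so they never resolve anywhere useful. As an added example (not code from the thread, the MVPS project, or WinHelp2002), the following Python script audits a hosts file: it counts the blocking entries (also a quick way to see how large the file has grown), keeps the localhost and LAN mappings separate, and flags any name that has been pointed at an address that is neither local nor on a private LAN range, which is the pattern a hijacked hosts file shows. The sample hosts content, and every host name and address in it, are constructed placeholders.

```python
"""Audit a Windows hosts file: count blocking entries, flag off-host redirections.

Added example; the sample content below is constructed and uses reserved
example names and documentation addresses only.
"""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges: a name mapped into one of these is a normal LAN shortcut.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in the style of a custom blocking hosts file (not MVPS HOSTS).
SAMPLE_HOSTS = """\
# header comment, ignored by the parser
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example          # blocking idiom: resolves to nowhere
0.0.0.0         banner.counter.example
127.0.0.1       webbug.example
10.0.0.5        intranet.example             # plain LAN mapping
198.51.100.7    www.mybank.example           # suspicious: routable address for a real-looking site
198.51.100.7    update.security-vendor.example
this line is malformed
"""


@dataclass
class HostsAudit:
    blocked: list = field(default_factory=list)     # names sent to loopback / 0.0.0.0
    local: list = field(default_factory=list)       # localhost and LAN mappings
    redirected: list = field(default_factory=list)  # (ip, name) sent to a routable address
    malformed: list = field(default_factory=list)   # raw lines that did not parse

    @property
    def entry_count(self):
        return len(self.blocked) + len(self.local) + len(self.redirected)


def parse_hosts(text):
    """Classify every name in a hosts file body; comments and blanks are skipped."""
    audit = HostsAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            audit.malformed.append(raw.strip())
            continue
        names = [n.lower() for n in fields[1:]]
        if not names:
            audit.malformed.append(raw.strip())
            continue
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                # Loopback / unspecified targets are the blocking idiom, except for
                # the localhost entries Windows itself needs.
                (audit.local if name == "localhost" else audit.blocked).append(name)
            elif any(ip in net for net in LAN_NETWORKS):
                audit.local.append(name)
            else:
                # Any other address makes the name resolve off-host without DNS:
                # review these, since that is what a hijacked hosts file looks like.
                audit.redirected.append((str(ip), name))
    return audit


if __name__ == "__main__":
    result = parse_hosts(SAMPLE_HOSTS)
    print(f"{result.entry_count} entries, {len(result.blocked)} blocking")
    for ip, name in result.redirected:
        print(f"REVIEW: {name} -> {ip}")
    for bad in result.malformed:
        print(f"MALFORMED: {bad}")
```

To audit a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `parse_hosts` instead of `SAMPLE_HOSTS`; a clean blocking list should produce only `blocked` and `local` entries, and anything in `redirected` deserves a look.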
      • halo2_god (New York state)
        edited March 2008
        Hey Zoso, just a little tip: if you are going to continue using P2P applications, you should use one of these websites; they host an online malware scanner. Links: http://virusscan.jotti.org/ and http://www.virustotal.com/. They're both great and secure. You can use these to scan the files you download with your P2P programs. :) Hope this helped.
      • gringo_pr (Puerto Rico)
        edited April 2008
        Glad we could be of assistance! The help you received here was free.

        As this topic looks to be resolved, this topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

        If you are not the user who started this thread, you must start your own Thread instead :)
        _______________________________

        Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.