Big Malware problem-All malware progs crashing. Lost Admin rights
Some sort of Malware has really taken over my system.
It has hidden many files and folders, removed Administration privileges, hidden the Folder Options icon. It has removed editing of the registry. Firefox and IE won't run, so I'm on another PC.
I have tried to run every virus/malware program on the instructions but most have crashed/locked up or given me a blue screen at some point of the process.
I've found that one program causing grief is csrssc.exe but it is hidden and can't be deleted.
I'm generally pretty computer savvy but it's really driving me mental.
I look forward to getting this off my computer.
Here's the Hijack This log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:28 PM, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxext.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\NewSoft\Presto! PVR\URemote.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\DOCUME~1\Friendy\LOCALS~1\Temp\csrssc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Griffin Technology\AirClick\AirClick.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AllChars\AllChars.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://online.westpac.com.au/esis/Login/SrvPage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computers.us.fujitsu.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BigPond] "E:\5100.exe" -r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [URemote] C:\Program Files\NewSoft\Presto! PVR\URemote.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Friendy\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: AllChars.lnk = C:\Program Files\AllChars\AllChars.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AirClick.lnk = C:\Program Files\Griffin Technology\AirClick\AirClick.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 10800 bytes
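As an added illustration (my code, not part of the original post and not something HijackThis does itself), the Python script below runs a few simple triage checks over a handful of lines copied from the log above: autorun entries whose executable sits in a Temp directory, executable names one character away from a core Windows process name (csrssc.exe against csrss.exe), any O7 policy restriction, and O22 SharedTaskScheduler entries outside the two standard XP ones. The system-process list and the known-good O22 names are my assumptions.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Friendy\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Core Windows XP process names that malware commonly imitates (assumed list).
SYSTEM_PROCESSES = {"csrss", "lsass", "smss", "svchost", "winlogon",
                    "services", "explorer", "spoolsv"}

# O22 entries that are normal on XP (assumption); anything else deserves a look.
KNOWN_O22 = {"browseui preloader", "component categories cache daemon"}

TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - .*?: \[([^\]]*)\] (.*)$")
O22_RE = re.compile(r"^O22 - SharedTaskScheduler: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")


def extract_exe(command: str) -> str:
    """Return the executable path from an autorun command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_path: str):
    """Name of the system process this executable imitates, or None."""
    base = exe_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    name = base[:-4] if base.endswith(".exe") else base
    if name in SYSTEM_PROCESSES:
        return None  # the genuine name; location checks are a separate matter
    for real in SYSTEM_PROCESSES:
        if edit_distance(name, real) == 1:
            return real
    return None


def triage(log_text: str):
    """Return (line, reason) pairs for entries that warrant investigation."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = extract_exe(m.group(2))
            if TEMP_DIR_RE.search(exe):
                findings.append((line, "autorun executable lives in a Temp directory"))
            real = lookalike_of(exe)
            if real:
                findings.append((line, f"executable name imitates system process {real}.exe"))
        elif line.startswith("O7 - "):
            # O7 lines are Policies\System restrictions (regedit, Task Manager, Folder Options)
            findings.append((line, "policy restriction set on the user account"))
        elif m := O22_RE.match(line):
            if m.group(1).lower() not in KNOWN_O22:
                findings.append((line, "SharedTaskScheduler entry is not a standard Windows one"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The look-alike check is deliberately narrow (edit distance of exactly one against a short list) so that ordinary vendor names do not trip it; the Temp-directory and O7 checks carry most of the weight, because a legitimate startup program has no reason to run from a user's Temp folder or to disable regedit.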
Comments
Some serious enough infection showing on that system. We will go ahead with some preliminary scan and repair steps, but our first objective is for you to get to a point where you are working here online from the problem computer. I am posting some standard steps, so you will know right now to download and transfer them to use, then transfer logs back to post here. All these references following will be targeting the problem computer and changes needed on it.
First follow the steps here to disable SpyBot's TeaTimer, as it will interfere with the repairs. Be sure to do all the steps, including the required reboot.
Also, to keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. They are not capable at this point of helping, so be sure to keep them from stopping help from succeeding.
I don't usually do educated guess repair steps, but do this now in order to access some of the items you indicate are unavailable. It may or may not aid in that. I don't recommend this be done at any other time when nothing is known about why these items aren't working - this is not intended as some generic fix for those.
Open Notepad (Start, Run type notepad and select Enter) and copy/paste the following text.
Save this as correct.inf
Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, Then right-click on correct.inf and select Install.
Download SDFix.exe and save it to your desktop.
===================================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.
Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
=============================
After the reboot Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Options, place a check next to the following:
Backup Registry Hives
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)
Post those along with the SDFix report.txt log please.
Here are the reports from SDFix and Deckard's
SDFix: Version 1.172
Run by Friendy on Sun 20/04/2008 at 12:02 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\SYSTEM32\MLJASSKD.DLL - Deleted
C:\WINDOWS\system32\jfiehayd.dll - Deleted
C:\WINDOWS\SYSTEM32\NSLAPI16.DLL - Deleted
C:\-14612~1 - Deleted
C:\DOCUME~1\Friendy\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\WINDOWS\system32\sleep32.dll - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 00:20:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zsqalpdt]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\zsqalpdt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zsqalpdt\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zsqalpdt]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\zsqalpdt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\zsqalpdt\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Palm\\HOTSYNC.EXE"="C:\\Program Files\\Palm\\HOTSYNC.EXE:*:Enabled:HotSyncr Manager Application"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\CIMSVR.exe"="C:\\WINDOWS\\system32\\CIMSVR.exe:*:Enabled:Logitech IM Video Companion Server"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Gizmo Project\\Gizmo.exe"="C:\\Program Files\\Gizmo Project\\Gizmo.exe:*:Enabled:Gizmo Project"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\MiniMax\\Bin\\Maxon_MiniMax.exe"="C:\\Program Files\\MiniMax\\Bin\\Maxon_MiniMax.exe:*:Enabled:Maxon_MiniMax"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:File Transfer Program"
"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe"="C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe:*:Enabled:BigPond Cable Client"
"C:\\Program Files\\Telstra\\Cable Login\\bpcService.exe"="C:\\Program Files\\Telstra\\Cable Login\\bpcService.exe:*:Enabled:BigPond Cable Client (running as a service)"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sat 1 Dec 2007 439,296 ...H. --- "C:\Program Files\Mio Backup\iBootDev.exe"
Sat 1 Dec 2007 72,192 ...H. --- "C:\Program Files\Mio Backup\MainShell.exe"
Sat 1 Dec 2007 7 ...H. --- "C:\Program Files\Mio Backup\MUI.exe"
Fri 24 Mar 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 18 Apr 2008 15,505 ...H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\csrssc.exe"
Fri 2 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 24 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BITEA.tmp"
Wed 15 Aug 2007 180,736 ...H. --- "C:\Documents and Settings\Janey\Application Data\Microsoft\Word\~WRL2791.tmp"
Thu 7 Dec 2006 39,424 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\KYLIE - SHOWGIRL\~WRL1764.tmp"
Thu 7 Dec 2006 476,672 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\KYLIE - SHOWGIRL\~WRL3801.tmp"
Wed 17 Jan 2007 2,985,984 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\Photos\2006\SIV3F7.tmp"
Wed 17 Jan 2007 2,260,992 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\Photos\2006\SIV3F8.tmp"
Wed 17 Jan 2007 1,880,064 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\Photos\2006\SIV3F9.tmp"
Wed 17 Jan 2007 1,495,040 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\Photos\2006\SIV3FA.tmp"
Wed 17 Jan 2007 1,052,672 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\Photos\2006\SIV3FB.tmp"
Wed 17 Jan 2007 1,036,288 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\Photos\2006\SIV3FC.tmp"
Wed 17 Jan 2007 806,912 A.SH. --- "C:\Documents and Settings\All Users\Documents\My Pictures\Photos\2006\SIV3FD.tmp"
Tue 14 Mar 2006 243,712 ...H. --- "C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\S1EB052V\~WRL0005.tmp"
Sun 13 Aug 2006 29,184 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2006\~WRL0077.tmp"
Sun 13 Aug 2006 30,208 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2006\~WRL0825.tmp"
Sun 13 Aug 2006 30,208 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2006\~WRL1599.tmp"
Sun 13 Aug 2006 31,744 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2006\~WRL2300.tmp"
Sun 13 Aug 2006 31,744 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2006\~WRL2755.tmp"
Sun 13 Aug 2006 26,624 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2006\~WRL3518.tmp"
Sun 13 Aug 2006 29,184 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2006\~WRL3520.tmp"
Tue 19 Jun 2007 28,672 ...H. --- "C:\Documents and Settings\Janey\My Documents\My Documents\AUSTRALIA\NATIONAL 2007\INVOICES\~WRL0339.tmp"
Finished!
Deckard's System Scanner v20071014.68
Run by Friendy on 2008-04-20 00:43:37
Computer is in Normal Mode.
Percentage of Memory in Use: 78% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).
-- HijackThis (run as Friendy.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:03 AM, on 20/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\NewSoft\Presto! PVR\URemote.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Griffin Technology\AirClick\AirClick.exe
C:\Documents and Settings\Friendy\desktop\dss.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\AllChars\AllChars.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Friendy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://online.westpac.com.au/esis/Login/SrvPage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computers.us.fujitsu.com/
O2 - BHO: (no name) - {1b0ec294-39fb-4759-b09b-05a46e52414f} - C:\WINDOWS\system32\geBrrQgF.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BigPond] "E:\5100.exe" -r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [URemote] C:\Program Files\NewSoft\Presto! PVR\URemote.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: AllChars.lnk = C:\Program Files\AllChars\AllChars.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AirClick.lnk = C:\Program Files\Griffin Technology\AirClick\AirClick.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: oiqmygdf - C:\WINDOWS\SYSTEM32\oiqmygdf.dll
O20 - Winlogon Notify: __c009eea6 - C:\WINDOWS\SYSTEM32\__c009EEA6.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 10063 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)
backup-20080418-180721-278 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080418-181043-974 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
backup-20080418-202125-112 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
-- File Associations
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R1 sasdifsv - c:\program files\superantispyware\sasdifsv.sys
R1 saskutil - c:\program files\superantispyware\saskutil.sys
R2 BjsPort (Canon BJ Scanner Port Driver) - c:\windows\system32\drivers\bjsport.sys
R2 BtnHnd - c:\program files\fujitsu\btnhnd\btnhnd.sys <Not Verified; FUJITSU LIMITED; Button handler>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} (AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011) - c:\windows\system32\drivers\wa301a.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows95(R) & Windows98(TM)>
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
R3 CONAN - c:\windows\system32\drivers\o2mmb.sys <Not Verified; O2 Micro; o2mmb>
R3 FUJ02B1 (Fujitsu FUJ02B1 Device Driver) - c:\windows\system32\drivers\fuj02b1.sys <Not Verified; FUJITSU LIMITED; FUJ02B1>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
R3 MbxStby - c:\windows\system32\drivers\mbxstby.sys <Not Verified; O2 Micro; o2mmb>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 STAC97 (Audio Driver (WDM) - SigmaTel CODEC) - c:\windows\system32\drivers\stac97.sys <Not Verified; SigmaTel, Inc.; AC'97 Audio Controller with SigmaTel CODEC device driver.>
S1 M9207 (Digital TV USB Mini Receiver) - c:\windows\system32\drivers\m9207bda.sys <Not Verified; ; Digital TV USB Mini Receiver>
S3 catchme - c:\docume~1\friendy\locals~1\temp\catchme.sys (file missing)
S3 cmusbser (5500 USB Modem Driver) - c:\windows\system32\drivers\cmusbser.sys <Not Verified; CMOTech co., LTD; CMOTech USB Modem/Serial Device Driver>
S3 gv3 (Intel GV3 Processor Driver) - c:\windows\system32\drivers\gv3.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 LHidFilt (Logitech SetPoint KMDF HID Filter Driver) - c:\windows\system32\drivers\lhidfilt.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S3 LMouFilt (Logitech SetPoint KMDF Mouse Filter Driver) - c:\windows\system32\drivers\lmoufilt.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S3 MPE (BDA MPE Filter) - c:\windows\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
S3 nmwcd (Nokia USB Phone Parent) - c:\windows\system32\drivers\nmwcd.sys <Not Verified; Nokia; >
S3 nmwcdc (Nokia USB Generic) - c:\windows\system32\drivers\nmwcdc.sys <Not Verified; Nokia; >
S3 nmwcdcj (Nokia USB Port) - c:\windows\system32\drivers\nmwcdcj.sys <Not Verified; Nokia; >
S3 nmwcdcm (Nokia USB Modem) - c:\windows\system32\drivers\nmwcdcm.sys <Not Verified; Nokia; >
S3 PhilCam8116 (Logitech QuickCam Pro 3000(PID_08B0)) - c:\windows\system32\drivers\camdrl21.sys <Not Verified; Philips Semiconductors; Audio and Video USB Camera>
S3 sasenum - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 Ser2pl (Prolific Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 UDTT2BDA (Twinhan USB2 DVB-T receiver) - c:\windows\system32\drivers\udtt2bda.sys <Not Verified; Twinhan; Twinhan USB2 DVB-T>
S3 UDTTUSB (Twinhan - USB2 DVB-T adapter Driver) - c:\windows\system32\drivers\udtt2drv.sys <Not Verified; Twinhan; Twinhan USB2 DVB-T>
S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>
S3 VPNET (DTVNet Ethernet Controller) - c:\windows\system32\drivers\dtvnet.sys <Not Verified; TwinHan Corp.; DTVNet DVB NDIS Driver for TwinHan series DVB PCI Adapters>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft; Ad-Aware 2007 Service>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S3 LBTServ (Logitech Bluetooth Service) - c:\program files\common files\logitech\bluetooth\lbtserv.exe <Not Verified; Logitech, Inc.; Logitech SetPoint>
-- Device Manager: Disabled
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6100
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia 6120 classic
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0002
Manufacturer: Nokia
Name: Nokia 6310i
PNP Device ID: ROOT\WPD\0002
Service: WUDFRd
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6120 classic
Device ID: ROOT\WPD\0003
Manufacturer: Nokia
Name: Nokia 6120 classic
PNP Device ID: ROOT\WPD\0003
Service: WUDFRd
-- Scheduled Tasks
2008-04-20 00:42:04 428 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-04-20 00:41:42 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-11 20:00:00 546 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2008-04-02 06:02:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-03-20 and 2008-04-20
2008-04-19 23:56:17 0 d-------- C:\WINDOWS\ERUNT
2008-04-19 19:00:52 0 d-------- C:\Program Files\Lavasoft
2008-04-19 19:00:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 18:57:54 0 d-------- C:\Documents and Settings\Janey\Application Data\Malwarebytes
2008-04-19 16:14:25 0 --a------ C:\WINDOWS\PL-2303 DRIVERINSTALLER.EXE
2008-04-19 16:14:22 0 --a------ C:\WINDOWS\ORUN32.EXE
2008-04-19 16:13:49 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-04-19 15:51:25 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-19 15:51:09 0 d-------- C:\Documents and Settings\Friendy\Application Data\Malwarebytes
2008-04-19 15:50:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 15:50:46 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 15:46:37 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-19 15:45:40 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-19 15:45:37 0 d-------- C:\Documents and Settings\Friendy\Application Data\SUPERAntiSpyware.com
2008-04-19 12:15:51 87616 --a------ C:\WINDOWS\system32\jcelgxbh.dll
2008-04-19 12:13:17 32320 --a------ C:\WINDOWS\system32\__c009EEA6.dat
2008-04-19 12:13:16 32320 --a------ C:\WINDOWS\system32\oiqmygdf.dll
2008-04-19 12:12:09 32320 --a------ C:\WINDOWS\system32\__c00A324A.dat
2008-04-19 12:12:04 32320 --a------ C:\WINDOWS\system32\frsejevm.dll
2008-04-19 12:11:53 96320 --a------ C:\WINDOWS\system32\ebrdyvob.dll
2008-04-18 18:02:45 0 d-------- C:\Program Files\Trend Micro
2008-04-18 17:54:35 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-18 17:05:18 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-18 17:03:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-18 14:49:22 200972 --ahs---- C:\WINDOWS\system32\FgQrrBeg.ini2
2008-04-18 14:48:40 272896 --a------ C:\WINDOWS\system32\geBrrQgF.dll
2008-04-18 14:18:51 55218 --a------ C:\WINDOWS\zsqalpdt.sys
2008-04-18 14:17:44 38400 --a------ C:\WINDOWS\system32\khfGxXrR.dll
2008-04-18 13:57:18 0 d-------- C:\Program Files\Investintech.com Inc
2008-04-13 14:56:19 0 d-------- C:\Program Files\iTunes
2008-04-13 14:51:12 0 d-------- C:\Program Files\QuickTime
2008-04-09 14:46:20 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-24 20:33:04 0 d-------- C:\Program Files\Common Files\Pronto
2008-03-24 20:33:02 0 d-------- C:\Program Files\Philips
-- Find3M Report
2008-04-20 00:41:02 0 d-------- C:\Program Files\Common Files
2008-04-19 23:36:44 0 d-------- C:\Documents and Settings\Friendy\Application Data\Skype
2008-04-19 18:57:05 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 09:27:19 0 d-------- C:\Documents and Settings\Friendy\Application Data\uTorrent
2008-04-16 22:35:30 0 d-------- C:\Documents and Settings\Friendy\Application Data\AdobeUM
2008-04-13 14:57:06 0 d-------- C:\Program Files\iPod
2008-04-09 14:45:31 0 d-------- C:\Program Files\Common Files\Real
2008-04-08 18:41:13 499 --a------ C:\Documents and Settings\Friendy\Application Data\mainhst.zgh
2008-03-26 15:45:19 0 d-------- C:\Program Files\Documents To Go
2008-03-25 08:02:21 0 d-------- C:\Program Files\Palm
2008-03-20 18:49:07 0 d-------- C:\Documents and Settings\Friendy\Application Data\Real
2008-03-19 19:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-06 14:48:28 2905827 --a------ C:\Documents and Settings\Friendy\Application Data\NMM-MetaData.db
2008-02-28 22:53:48 0 d-------- C:\Program Files\uTorrent
2008-02-26 12:17:23 0 d-------- C:\Program Files\Common Files\Logishrd
2008-02-26 12:16:34 0 d-------- C:\Program Files\Common Files\Logitech
2008-02-26 12:15:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-20 16:51:05 282624 --a------ C:\WINDOWS\system32\gdi32.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-20 15:32:43 45568 --a------ C:\WINDOWS\system32\dnsrslvr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-18 09:51:33 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-29 12:02:30 107368 --a------ C:\WINDOWS\system32\GEARAspi.dll <Not Verified; GEAR Software Inc.; GEAR Software GEARAspi>
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1b0ec294-39fb-4759-b09b-05a46e52414f}]
18/04/2008 02:48 PM 272896 --a------ C:\WINDOWS\system32\geBrrQgF.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2003 03:19 PM]
"AGRSMMSG"="AGRSMMSG.exe" [23/09/2003 06:06 PM C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [16/07/2003 11:19 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [10/12/2003 08:36 PM]
"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [14/11/2003 09:26 AM]
"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [22/08/2003 03:29 AM]
"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [22/08/2003 03:37 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/03/2006 10:47 AM]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [05/12/2003 02:09 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [09/01/2004 07:04 PM]
"BigPond"="E:\5100.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [17/02/2006 06:00 PM]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [11/09/2002 11:58 AM]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [11/09/2002 11:57 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 12:11 AM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19/07/2005 05:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 03:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 03:14 PM]
"URemote"="C:\Program Files\NewSoft\Presto! PVR\URemote.exe" [29/11/2005 11:58 AM]
"ChangeFilterMerit"="C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe" [17/05/2005 09:54 AM]
"Presto! PVR Monitor"="C:\Program Files\NewSoft\Presto! PVR\Monitor.exe" [13/03/2006 06:12 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 05:20 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [21/09/2007 02:10 AM C:\WINDOWS\KHALMNPR.Exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [18/06/2007 03:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 06:56 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\Documents and Settings\Friendy\Start Menu\Programs\Startup\
AllChars.lnk - C:\Program Files\AllChars\AllChars.exe [16/02/2006 2:58:24 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 15/11/2007 09:10 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oiqmygdf]
oiqmygdf.dll 19/04/2008 12:13 PM 32320 C:\WINDOWS\system32\oiqmygdf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 17/12/2003 10:49 AM 110592 C:\WINDOWS\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009eea6]
__c009EEA6.dat 19/04/2008 12:13 PM 32320 C:\WINDOWS\system32\__c009EEA6.dat
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrrQgF
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Presto! PVR Monitor]
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
-- End of Deckard's System Scanner: finished at 2008-04-20 00:48:08
Delete the earlier correct.inf you created. Again open Notepad (Start, Run type notepad and select Enter) and copy/paste the following text.
Save this as correct.inf
Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, then right-click on correct.inf and select Install.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download The Avenger by Swandog from here and save it to your Desktop.
Disconnect from net access, close all open programs and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.
Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.
Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.
Then reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post back that log along with the MBAM log and the avenger.txt log please.
Here are the logs.
Friendy
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "zsqalpdt" deleted successfully.
File "C:\WINDOWS\zsqalpdt.sys" deleted successfully.
Error: file "C:\WINDOWS\system32\jfiehayd.dll" not found!
Deletion of file "C:\WINDOWS\system32\jfiehayd.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\system32\jcelgxbh.dll" deleted successfully.
File "C:\WINDOWS\system32\__c009EEA6.dat" deleted successfully.
File "C:\WINDOWS\system32\oiqmygdf.dll" deleted successfully.
File "C:\WINDOWS\system32\__c00A324A.dat" deleted successfully.
File "C:\WINDOWS\system32\frsejevm.dll" deleted successfully.
File "C:\WINDOWS\system32\ebrdyvob.dll" deleted successfully.
File "C:\WINDOWS\system32\FgQrrBeg.ini2" deleted successfully.
File "C:\WINDOWS\system32\geBrrQgF.dll" deleted successfully.
Error: file "C:\WINDOWS\zsqalpdt.sys" not found!
Deletion of file "C:\WINDOWS\zsqalpdt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\system32\khfGxXrR.dll" deleted successfully.
Folder "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp" deleted successfully.
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF49A2-94F3-42BD-F434-2604812C897D}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b0ec294-39fb-4759-b09b-05a46e52414f}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b0ec294-39fb-4759-b09b-05a46e52414f}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C5AF49A2-94F3-42BD-F434-2604812C897D}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1b0ec294-39fb-4759-b09b-05a46e52414f}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1b0ec294-39fb-4759-b09b-05a46e52414f}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oiqmygdf" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oiqmygdf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009eea6" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Malwarebytes' Anti-Malware 1.11
Database version: 663
Scan type: Quick Scan
Objects scanned: 97771
Time elapsed: 31 minute(s), 9 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\xcnmlbsd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dsblmncx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GB8HM38D\sdferw[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
Deckard's System Scanner v20071014.68
Run by Friendy on 2008-04-21 23:51:32
Computer is in Normal Mode.
Backed up registry hives.
Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).
-- HijackThis (run as Friendy.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:00 PM, on 21/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxext.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\NewSoft\Presto! PVR\URemote.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Griffin Technology\AirClick\AirClick.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AllChars\AllChars.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Friendy\desktop\dss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Friendy.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://online.westpac.com.au/esis/Login/SrvPage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computers.us.fujitsu.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BigPond] "E:\5100.exe" -r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [URemote] C:\Program Files\NewSoft\Presto! PVR\URemote.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: AllChars.lnk = C:\Program Files\AllChars\AllChars.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AirClick.lnk = C:\Program Files\Griffin Technology\AirClick\AirClick.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
--
End of file - 9879 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)
backup-20080418-180721-278 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080418-181043-974 O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
backup-20080418-202125-112 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
-- File Associations
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R1 sasdifsv - c:\program files\superantispyware\sasdifsv.sys
R1 saskutil - c:\program files\superantispyware\saskutil.sys
R2 BjsPort (Canon BJ Scanner Port Driver) - c:\windows\system32\drivers\bjsport.sys
R2 BtnHnd - c:\program files\fujitsu\btnhnd\btnhnd.sys <Not Verified; FUJITSU LIMITED; Button handler>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.2.1.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.2>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 {E2B953A6-195A-44F9-9BA3-3D5F4E32BB55} (AIM 3.0 Part 01 Codec Driver CH-7009-A/CH-7011) - c:\windows\system32\drivers\wa301a.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows95(R) & Windows98(TM)>
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>
R3 CONAN - c:\windows\system32\drivers\o2mmb.sys <Not Verified; O2 Micro; o2mmb>
R3 FUJ02B1 (Fujitsu FUJ02B1 Device Driver) - c:\windows\system32\drivers\fuj02b1.sys <Not Verified; FUJITSU LIMITED; FUJ02B1>
R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
R3 MbxStby - c:\windows\system32\drivers\mbxstby.sys <Not Verified; O2 Micro; o2mmb>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 catchme - c:\docume~1\friendy\locals~1\temp\catchme.sys (file missing)
S3 cmusbser (5500 USB Modem Driver) - c:\windows\system32\drivers\cmusbser.sys <Not Verified; CMOTech co., LTD; CMOTech USB Modem/Serial Device Driver>
S3 gv3 (Intel GV3 Processor Driver) - c:\windows\system32\drivers\gv3.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 MPE (BDA MPE Filter) - c:\windows\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
S3 PhilCam8116 (Logitech QuickCam Pro 3000(PID_08B0)) - c:\windows\system32\drivers\camdrl21.sys <Not Verified; Philips Semiconductors; Audio and Video USB Camera>
S3 sasenum - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 Ser2pl (Prolific Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>
S3 UDTTUSB (Twinhan - USB2 DVB-T adapter Driver) - c:\windows\system32\drivers\udtt2drv.sys <Not Verified; Twinhan; Twinhan USB2 DVB-T>
S3 VPNET (DTVNet Ethernet Controller) - c:\windows\system32\drivers\dtvnet.sys <Not Verified; TwinHan Corp.; DTVNet DVB NDIS Driver for TwinHan series DVB PCI Adapters>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
-- Device Manager: Disabled
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6100
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0001
Manufacturer: Nokia
Name: Nokia 6120 classic
PNP Device ID: ROOT\WPD\0001
Service: WUDFRd
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0002
Manufacturer: Nokia
Name: Nokia 6310i
PNP Device ID: ROOT\WPD\0002
Service: WUDFRd
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia 6120 classic
Device ID: ROOT\WPD\0003
Manufacturer: Nokia
Name: Nokia 6120 classic
PNP Device ID: ROOT\WPD\0003
Service: WUDFRd
-- Scheduled Tasks
2008-04-21 23:52:27 428 --a C:\WINDOWS\Tasks\Symantec NetDetect.job
2008-04-21 23:45:28 330 --ah C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-04-11 20:00:00 546 --a C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
2008-04-02 06:02:03 284 --a C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
-- Files created between 2008-03-21 and 2008-04-21
2008-04-21 12:18:26 32320 --a C:\WINDOWS\system32\otrwqtdh.dll
2008-04-21 12:15:26 32320 --a C:\WINDOWS\system32\njnxldps.dll
2008-04-21 12:12:27 32320 --a C:\WINDOWS\system32\iadtkbpo.dll
2008-04-21 12:06:34 96320 --a C:\WINDOWS\system32\ltwvdfqv.dll
2008-04-19 23:56:17 0 d C:\WINDOWS\ERUNT
2008-04-19 19:00:52 0 d C:\Program Files\Lavasoft
2008-04-19 19:00:48 0 d C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-19 18:57:54 0 d C:\Documents and Settings\Janey\Application Data\Malwarebytes
2008-04-19 16:14:25 0 --a C:\WINDOWS\PL-2303 DRIVERINSTALLER.EXE
2008-04-19 16:14:22 0 --a C:\WINDOWS\ORUN32.EXE
2008-04-19 16:13:49 0 --a C:\WINDOWS\system32\CMMGR32.EXE
2008-04-19 15:51:25 0 d C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-19 15:51:09 0 d C:\Documents and Settings\Friendy\Application Data\Malwarebytes
2008-04-19 15:50:48 0 d C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-19 15:50:46 0 d C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 15:46:37 0 d C:\Program Files\Common Files\Download Manager
2008-04-19 15:45:40 0 d C:\Program Files\SUPERAntiSpyware
2008-04-19 15:45:37 0 d C:\Documents and Settings\Friendy\Application Data\SUPERAntiSpyware.com
2008-04-18 18:02:45 0 d C:\Program Files\Trend Micro
2008-04-18 17:54:35 0 d C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-18 17:05:18 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-18 17:03:16 0 d C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-18 13:57:18 0 d C:\Program Files\Investintech.com Inc
2008-04-13 14:56:19 0 d C:\Program Files\iTunes
2008-04-13 14:51:12 0 d C:\Program Files\QuickTime
2008-04-09 14:46:20 0 d C:\Program Files\Common Files\xing shared
2008-03-24 20:33:04 0 d C:\Program Files\Common Files\Pronto
2008-03-24 20:33:02 0 d C:\Program Files\Philips
-- Find3M Report
2008-04-21 23:43:43 0 d C:\Program Files\Common Files
2008-04-21 18:27:27 586 --a C:\Documents and Settings\Friendy\Application Data\mainhst.zgh
2008-04-21 13:28:30 0 d C:\Program Files\Documents To Go
2008-04-19 23:36:44 0 d C:\Documents and Settings\Friendy\Application Data\Skype
2008-04-19 18:57:05 0 d C:\Program Files\Common Files\Wise Installation Wizard
2008-04-18 09:27:19 0 d C:\Documents and Settings\Friendy\Application Data\uTorrent
2008-04-16 22:35:30 0 d C:\Documents and Settings\Friendy\Application Data\AdobeUM
2008-04-13 14:57:06 0 d C:\Program Files\iPod
2008-04-09 14:45:31 0 d C:\Program Files\Common Files\Real
2008-03-25 08:02:21 0 d C:\Program Files\Palm
2008-03-20 18:49:07 0 d C:\Documents and Settings\Friendy\Application Data\Real
2008-03-06 14:48:28 2905827 --a C:\Documents and Settings\Friendy\Application Data\NMM-MetaData.db
2008-02-28 22:53:48 0 d C:\Program Files\uTorrent
2008-02-26 12:17:23 0 d C:\Program Files\Common Files\Logishrd
2008-02-26 12:16:34 0 d C:\Program Files\Common Files\Logitech
2008-02-26 12:15:24 0 d--h C:\Program Files\InstallShield Installation Information
2008-02-18 09:51:33 664 --a C:\WINDOWS\system32\d3d9caps.dat
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [02/10/2003 03:19 PM]
"AGRSMMSG"="AGRSMMSG.exe" [23/09/2003 06:06 PM C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [16/07/2003 11:19 PM]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [10/12/2003 08:36 PM]
"IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [14/11/2003 09:26 AM]
"LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [22/08/2003 03:29 AM]
"LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [22/08/2003 03:37 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/03/2006 10:47 AM]
"NAV CfgWiz"="C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe" [05/12/2003 02:09 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [09/01/2004 07:04 PM]
"BigPond"="E:\5100.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [17/02/2006 06:00 PM]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [11/09/2002 11:58 AM]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [11/09/2002 11:57 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 12:11 AM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19/07/2005 05:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [08/06/2005 03:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08/06/2005 03:14 PM]
"URemote"="C:\Program Files\NewSoft\Presto! PVR\URemote.exe" [29/11/2005 11:58 AM]
"ChangeFilterMerit"="C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe" [17/05/2005 09:54 AM]
"Presto! PVR Monitor"="C:\Program Files\NewSoft\Presto! PVR\Monitor.exe" [13/03/2006 06:12 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 05:20 PM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [21/09/2007 02:10 AM C:\WINDOWS\KHALMNPR.Exe]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [18/06/2007 03:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 06:56 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 15/11/2007 09:10 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 17/12/2003 10:49 AM 110592 C:\WINDOWS\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrrQgF
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Presto! PVR Monitor]
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
-- End of Deckard's System Scanner: finished at 2008-04-21 23:56:14
Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it lsafix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
Click on avenger.exe again to run Avenger.
Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.
Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.
Then go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post back that log along with the Kaspersky log and the avenger.txt log please.
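Added example, not from this thread or from Deckard's System Scanner: a small Python checker that reads the DSS "Registry Dump" and "Files created" sections and flags the persistence points the logs above expose, namely the extra entry appended to the LSA "Authentication Packages" value (what the lsafix.reg step removes), random-looking Winlogon Notify DLLs, and newly created system32 DLLs with eight-letter junk names and identical sizes. The sample text is constructed from the thread's DSS log; the oiqmygdf Notify entry is modelled on the key the earlier Avenger script targeted, and the name heuristic is an assumption, not a DSS feature.

```python
import re
from collections import Counter

# Windows XP ships HKLM\SYSTEM\CurrentControlSet\Control\Lsa "Authentication Packages"
# as just msv1_0; any extra entry is a DLL lsass.exe loads at boot, which is why it
# survives reboots and ordinary file deletion.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)
SYSTEM32 = r"c:\windows\system32"
VOWELS = set("aeiou")

RE_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
RE_AUTHPKG = re.compile(r'^"Authentication Packages"=\s*(?P<val>.+)$', re.IGNORECASE)
RE_FILE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
                     r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>[A-Za-z]:\\.+)$")
RE_DLL = re.compile(r"^(?P<dll>[A-Za-z]:\\.+?\.dll)\b", re.IGNORECASE)

# Constructed sample modelled on the DSS log in this thread (not a real DSS run).
SAMPLE_DSS = r"""
-- Files created between 2008-03-21 and 2008-04-21
2008-04-21 12:18:26 32320 --a------ C:\WINDOWS\system32\otrwqtdh.dll
2008-04-21 12:15:26 32320 --a------ C:\WINDOWS\system32\njnxldps.dll
2008-04-21 12:12:27 32320 --a------ C:\WINDOWS\system32\iadtkbpo.dll
2008-04-21 12:06:34 96320 --a------ C:\WINDOWS\system32\ltwvdfqv.dll
2008-04-19 23:56:17 0 d-------- C:\WINDOWS\ERUNT
2008-02-18 09:51:33 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
-- Registry Dump
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 27/02/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 17/12/2003 10:49 AM 110592 C:\WINDOWS\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oiqmygdf]
C:\WINDOWS\system32\oiqmygdf.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geBrrQgF
"""


def looks_random(stem):
    """Heuristic (an assumption of this example) for the eight-letter junk names
    seen in the logs (otrwqtdh, njnxldps, geBrrQgF): eight alphabetic characters
    with at most one vowel or a run of four or more consonants. Vendor names
    such as LgNotify or SASWINLO pass."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    low = stem.lower()
    vowels = sum(c in VOWELS for c in low)
    run = best = 0
    for c in low:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return vowels <= 1 or best >= 4


def stem_of(path):
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def is_system32_dll(path):
    p = path.lower()
    return p.startswith(SYSTEM32 + "\\") and p.endswith(".dll")


def check_auth_packages(value):
    """Return every package beyond the XP default, in the order listed.
    DSS prints the REG_MULTI_SZ entries space-separated, so a path with spaces
    would need the raw registry value instead."""
    return [p for p in value.split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


def winlogon_notify_handler(key):
    m = re.search(r"\\winlogon\\notify\\([^\\]+)$", key, re.IGNORECASE)
    return m.group(1) if m else None


def scan_dss(text):
    report = {"auth_packages": [], "winlogon_notify": [], "dropped_dlls": []}
    key, in_files, sizes = None, False, Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-- "):            # DSS section header
            in_files, key = line.startswith("-- Files created"), None
            continue
        m = RE_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        if in_files:
            m = RE_FILE.match(line)
            if m and is_system32_dll(m.group("path")) and looks_random(stem_of(m.group("path"))):
                report["dropped_dlls"].append(m.group("path"))
                sizes[int(m.group("size"))] += 1
            continue
        if key is None:
            continue
        m = RE_AUTHPKG.match(line)
        if m and key.lower().endswith(r"\control\lsa"):
            report["auth_packages"].extend(check_auth_packages(m.group("val")))
            continue
        handler, m = winlogon_notify_handler(key), RE_DLL.match(line)
        if handler and m and is_system32_dll(m.group("dll")) and looks_random(stem_of(m.group("dll"))):
            report["winlogon_notify"].append((handler, m.group("dll")))
    # Several dropped DLLs of exactly the same size is the cluster signal worth reporting.
    report["size_clusters"] = {s: n for s, n in sizes.items() if n >= 2}
    return report


if __name__ == "__main__":
    for section, hits in scan_dss(SAMPLE_DSS).items():
        print(section, hits)
```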
The system locked up during the Kaspersky scan (after running for 1.5 hours) twice. Both times at the exact same position in Temporary Internet Files - Content.IE5. I deleted the specific folder as we don't use IE anymore and I am presently running the scan again.
It had found quite a number of viruses (8) - mostly, it seemed, in deleted emails.
Perhaps there is another scan that can be used?
Here is the Avenger log -
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\otrwqtdh.dll" deleted successfully.
File "C:\WINDOWS\system32\njnxldps.dll" deleted successfully.
File "C:\WINDOWS\system32\iadtkbpo.dll" deleted successfully.
File "C:\WINDOWS\system32\ltwvdfqv.dll" deleted successfully.
Error: file "C:\WINDOWS\system32\geBrrQgF.dll" not found!
Deletion of file "C:\WINDOWS\system32\geBrrQgF.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
If you have them, you can also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.
No, Kaspersky for this particular scenario is the preferred scan. If it is still hanging too much we will switch, but let's see how you do.
Here is the Kaspersky scan - After this I used ATF to clear all temp files and cleared everything from deleted mail.
Thanks
Friendy
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 11:35:45 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/04/2008
Kaspersky Anti-Virus database records: 720900
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
F:\
Scan Statistics:
Total number of scanned objects: 171822
Number of viruses found: 27
Number of infected objects: 124
Number of suspicious objects: 10
Duration of the scan process: 04:12:28
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01142007-130121.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\Applications\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Friendy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\ApplicationHistory\AirClick.exe.58306b3.ini.inuse Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx/[From "eBay" <csupport.ref008153997677.nf@ebay.com>][Date Thu, 02 Aug 2007 22:59:43 +0100]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx/[From "eBay" <customerdepmnt.refo372632193764m.nf@ebay.com>][Date Fri, 20 Jul 2007 14:53:00 +0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx/[From "eBay" <customerdepmnt.refo372632193764m.nf@ebay.com>][Date Fri, 20 Jul 2007 14:53:00 +0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Citizens Bank and Charter One Bank" <corporateclients.refZI74215887131133.gps@citizensbank.com>][Date Mon, 23 Jul 2007 05:01:05 +0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Citizens Bank and Charter One Bank" <corporateclients.refZI74215887131133.gps@citizensbank.com>][Date Mon, 23 Jul 2007 05:01:05 +0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx/[From "CitiBusiness" <service_messageY82895252.us@citibank.com>][Date Sun, 30 Dec 2007 05:58:40 +0000]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx/[From "CitiBusiness" <service_messageY82895252.us@citibank.com>][Date Sun, 30 Dec 2007 05:58:40 +0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Identities\{5A1E3249-BEF5-40C6-93EE-EE65D6CCE0C9}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: suspicious - 7 skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8B3ABEB7-619C-461F-925B-952D3C245CD8} Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Temp\Perflib_Perfdata_cdc.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Friendy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Friendy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\4VF3UST1\kriv[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\51IR0PER\c_uz[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\HSENWANP\wbk21.tmp Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\RNXJRP8W\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\02A31E12 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\02CA15E7 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0A7F3483 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\0C05021D Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0F1D7402 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0F3B6DE2 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0F446BD7 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\0FC40415 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\1352001A Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\137B3FB7.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\137B3FB7.zip ZIP: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\137B3FB7.zip CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1AEF19A5 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E056C4E Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E186838 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E363549.HQX/Attachments,zip Infected: Virus.Win32.Xorala skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E363549.HQX Mail: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E363549.HQX CryptFF: infected - 1 skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E632DE6 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\1E747FD4 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\208F0F83 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\209F6171 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\20C32F49 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\21D24C1F Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\25382DB0 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\25CA5B4A Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\2CD60A57 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\2DE16494 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\2DFB3477 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\315E6455 Infected: Email-Worm.Win32.Bagle.ai skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.tmp/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.tmp/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.tmp/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.tmp ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.tmp CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\318F4755.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A27329F Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.tmp/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.tmp/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.tmp/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.tmp ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.tmp CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.wm Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.zip ZIP: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3A943B68.zip CryptFF: infected - 3 skipped
C:\Program Files\Norton AntiVirus\Quarantine\3C3E1851 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\40AC076E Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\42295D8B Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\467F3CD5 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\47CE184C Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\49FE2CFD Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\4A0E7EEB Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\4A2524D2 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\4A4C1CA7 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\50B81A2F.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Program Files\Norton AntiVirus\Quarantine\52EE45CF Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\53E15235 Infected: Email-Worm.Win32.NetSky.f skipped
C:\Program Files\Norton AntiVirus\Quarantine\55E01574 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\56A563D2 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\5AE44C26 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\6DDA43DA Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\6E3B6616 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\6E625DEB Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\756D384B Infected: Email-Worm.Win32.Bagle.ai skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B4F7D42 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7BC13AC4 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7BC852EC Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\7BD10CB2 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7BE83299 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7BF80487 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7C062C79 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7C13546A Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7C337847 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7C517226 Infected: Net-Worm.Win32.Mytob.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\7DAC18D8 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\7FB31299 Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\7FD00C79 Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-3129648781-3367517080-2720238351-1005\Dc2\wbk1A8.tmp Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\SDFix\SDFix\backups\backups.zip/backups/csrssc.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\SDFix\SDFix\backups\backups.zip/backups/jfiehayd.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\SDFix\SDFix\backups\backups.zip/backups/mlJAsSKD.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\SDFix\SDFix\backups\backups.zip/backups/sleep32.dll Infected: Trojan-PSW.Win32.Delf.bfh skipped
C:\SDFix\SDFix\backups\backups.zip ZIP: infected - 4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP908\A0223365.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224591.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.pae skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.pae skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP910\A0224603.exe Infected: Trojan-Clicker.Win32.Costrat.fv skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP910\A0224604.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228640.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228641.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228643.dll Infected: Trojan-PSW.Win32.Delf.bfh skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228648.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228649.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228650.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228652.dll Infected: Trojan-PSW.Win32.Delf.bfh skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228834.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmt skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228836.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228837.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228838.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228839.sys Infected: Trojan-Clicker.Win32.Costrat.fv skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228878.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228879.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228880.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228881.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP914\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB831880$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB831880$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\4VF3UST1
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\51IR0PER
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\HSENWANP
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\RNXJRP8W
Just delete the folders themselves - they are created on demand each time the browser needs one.
And empty the Recycle Bin there, and both Norton's Quarantine and its Recycle folders as well. Then be sure to empty any stored Outlook email items, like the deleted items folder.
The remainder of the Kaspersky log shows MBAM's installer being mistaken for infection, which MBAM is trying to address, and then infection held harmless for now in System Restore. All that might remain is some cleaning up of what we added here, but first post back if there are any other issues we need to address, please.
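The sorting done by hand in the reply above (locked files are not detections, archive roll-ups repeat their members, hits inside System Restore, Norton's Quarantine, the SDFix backup zip and the IE cache are inert until that container is emptied, and anything left over is what to act on) can be scripted against the report text. The Python below is an added example, not code from this thread, from Kaspersky or from any tool mentioned here. The line format it parses is the Kaspersky Online Scanner 5 format shown above; the location rules, bucket names and the `allowlist` parameter are this example's own assumptions, and the sample report is constructed: seven of its lines are copied from the log above and the last one is made up to show a live hit.

```python
"""Triage for a Kaspersky Online Scanner 5.x report pasted as plain text.

Added example, not code from the thread or from Kaspersky.  Each detection
line in that report format reads:

    <path>[/<sub-object>] <verdict> <last action>

where <verdict> is "Infected: <name>", "Suspicious: <name>", "Object is
locked" (file in use, not a detection) or a container roll-up such as
"ZIP: infected - 3".  A hit inside an inert location (System Restore, an
AV quarantine, a cleaning tool's backup archive, the browser cache, a mail
store, the Recycle Bin) is harmless until that container is emptied; the
list worth acting on first is whatever is left over ("live").
"""
import re
from collections import Counter

# Location rules are this example's own assumptions.  First match wins.
INERT_LOCATIONS = (
    (r"\\System Volume Information\\_restore\{", "system-restore"),
    (r"\\Norton AntiVirus\\Quarantine\\", "av-quarantine"),
    (r"\\SDFix\\.*\\backups\\", "tool-backup"),
    (r"\\Temporary Internet Files\\Content\.IE5\\", "browser-cache"),
    (r"\\Outlook Express\\.*\.dbx", "mail-store"),
    (r"\\RECYCLER\\", "recycle-bin"),
)

LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked"
    r"|\w+: (?:infected|suspicious) - \d+)"
    r"\s+(?P<action>skipped|deleted|disinfected|quarantined)\s*$"
)
ROLLUP_RE = re.compile(r"^\w+: (?:infected|suspicious) - \d+$")


def parse_report(text):
    """Return one dict (path, verdict, action) per detection line; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def locate(path):
    """Name the inert container a path sits in, or 'live' if it is in none of them."""
    for pattern, bucket in INERT_LOCATIONS:
        if re.search(pattern, path, re.IGNORECASE):
            return bucket
    return "live"


def triage(text, allowlist=()):
    """Bucket every detection line; return (Counter of buckets, list of live (path, verdict))."""
    buckets = Counter()
    live = []
    for hit in parse_report(text):
        path, verdict = hit["path"], hit["verdict"]
        if verdict == "Object is locked":
            bucket = "locked"             # scanner could not open an in-use file; not a detection
        elif ROLLUP_RE.match(verdict):
            bucket = "container-rollup"   # repeats hits already listed for the archive's members
        elif any(name.lower() in path.lower() for name in allowlist):
            bucket = "allowlisted"        # operator-confirmed false positive (e.g. the MBAM installer)
        else:
            bucket = locate(path)
        buckets[bucket] += 1
        if bucket == "live":
            live.append((path, verdict))
    return buckets, live


# Constructed sample: the first seven lines are copied from the report in this
# thread; the last line is made up to show what a live hit looks like.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Friendy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\Documents\Applications\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Janey\Local Settings\Temporary Internet Files\Content.IE5\51IR0PER\c_uz[1] Infected: Packed.Win32.Monder.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\137B3FB7.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Program Files\Norton AntiVirus\Quarantine\137B3FB7.zip ZIP: infected - 1 skipped
C:\SDFix\SDFix\backups\backups.zip/backups/csrssc.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP910\A0224603.exe Infected: Trojan-Clicker.Win32.Costrat.fv skipped
C:\WINDOWS\system32\CONSTRUCTED_example.dll Infected: Trojan-Downloader.Win32.Agent.lfo skipped
"""

if __name__ == "__main__":
    counts, live_hits = triage(SAMPLE_REPORT, allowlist=("Download_mbam-setup.exe",))
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:18} {n}")
    for path, verdict in live_hits:
        print("ACT ON:", path, "->", verdict)
```

The allow-list is deliberately manual: nothing in the report itself distinguishes the mis-flagged MBAM installer from a real downloader, so that call stays with the person reading the log, and running `triage` without an allow-list reports that hit as live.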
I deleted everything and re-ran Kaspersky.
Firefox is running again now - great work.
Here's the Kaspersky log.
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 4:30:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 722460
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 108460
Number of viruses found: 15
Number of infected objects: 38
Number of suspicious objects: 0
Duration of the scan process: 03:17:20
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01142007-130121.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Documents\Applications\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Friendy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\ApplicationHistory\AirClick.exe.58306b3.ini.inuse Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{BF9121DE-7D4A-49B8-8CD0-EE77C5CD0820} Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\History\History.IE5\MSHist012008042320080424\index.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Temp\Perflib_Perfdata_dd4.dat Object is locked skipped
C:\Documents and Settings\Friendy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Friendy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Friendy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\SDFix\SDFix\backups\backups.zip/backups/csrssc.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\SDFix\SDFix\backups\backups.zip/backups/jfiehayd.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\SDFix\SDFix\backups\backups.zip/backups/mlJAsSKD.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\SDFix\SDFix\backups\backups.zip/backups/sleep32.dll Infected: Trojan-PSW.Win32.Delf.bfh skipped
C:\SDFix\SDFix\backups\backups.zip ZIP: infected - 4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP908\A0223365.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224591.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.pae skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224593.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.pae skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ujl skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP909\A0224594.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP910\A0224603.exe Infected: Trojan-Clicker.Win32.Costrat.fv skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP910\A0224604.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228640.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228641.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228643.dll Infected: Trojan-PSW.Win32.Delf.bfh skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228648.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228649.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228650.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228652.dll Infected: Trojan-PSW.Win32.Delf.bfh skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228834.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmt skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228836.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228837.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228838.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228839.sys Infected: Trojan-Clicker.Win32.Costrat.fv skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228878.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228879.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228880.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP913\A0228881.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP915\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB831880$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB831880$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{78579F5D-0140-4CA0-B9D0-5D8C2716D746}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP915\change.log Object is locked skipped
E:\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
Scan process completed.
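The report above is a plain-text list where every line is a path followed by a verdict ("Infected: <detection> skipped", "Object is locked skipped", or a container summary such as "ZIP: infected - 4 skipped"). The following script is an added example, not part of this thread and not Kaspersky's own tooling; it parses that format and groups the detections by where they sit, so a responder can see that the hits are confined to System Restore points and the SDFix backup archive (which is why the next step is to flush System Restore) apart from one live file on E:. The function names (`parse_report`, `classify_location`, `triage`) and the bucket labels are my own, and the sample lines are constructed to match entries from the posted log.

```python
"""Triage a Kaspersky Online Scanner text report (added example, not the
thread's or Kaspersky's own code)."""
import re
from collections import Counter

# Verdict shapes as they appear in the posted report.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")

# Constructed sample, copied in format and content from lines of the posted log.
SAMPLE_REPORT_LINES = [
    r"C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped",
    r"C:\SDFix\SDFix\backups\backups.zip/backups/csrssc.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped",
    r"C:\SDFix\SDFix\backups\backups.zip ZIP: infected - 4 skipped",
    r"C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP911\A0228648.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped",
    r"C:\System Volume Information\_restore{4540E63A-AAF7-4841-89AC-DE6E9265B91D}\RP912\A0228834.dll Infected: Packed.Win32.Monder.gen skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"E:\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped",
    "Scan process completed.",
]

# Buckets that hold copies rather than running code; these are cleared by
# flushing System Restore and deleting the removal tools' backup folders.
DORMANT_BUCKETS = ("system-restore-point", "removal-tool-backup")


def classify_location(path: str) -> str:
    """Map a reported path to a triage bucket (labels are this example's own)."""
    upper = path.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "system-restore-point"
    if "\\SDFIX\\" in upper and "\\BACKUPS" in upper:
        return "removal-tool-backup"
    if "\\TEMP" in upper or "TEMPORARY INTERNET FILES" in upper:
        return "temp"
    if upper.startswith("C:\\WINDOWS\\"):
        return "windows-dir"
    return "other"


def parse_report(lines):
    """Split report lines into infected objects, containers, locked count and leftovers."""
    result = {"infected": [], "containers": [], "locked": 0, "unparsed": []}
    for raw in lines:
        line = raw.strip()
        if not line or line == "Scan process completed.":
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            result["infected"].append({
                "path": path,
                "detection": m.group("name"),
                "bucket": classify_location(path),
                # Members inside an archive are reported as archive.zip/member.
                "archive_member": "/" in path,
            })
            continue
        m = CONTAINER_RE.match(line)
        if m:
            result["containers"].append((m.group("path"), m.group("kind"), int(m.group("count"))))
            continue
        if LOCKED_RE.match(line):
            result["locked"] += 1
            continue
        result["unparsed"].append(line)
    return result


def triage(lines):
    """Count detections per bucket and list the ones that are not dormant copies."""
    parsed = parse_report(lines)
    by_bucket = Counter(e["bucket"] for e in parsed["infected"])
    live = [e for e in parsed["infected"] if e["bucket"] not in DORMANT_BUCKETS]
    return {
        "by_bucket": by_bucket,
        "live": live,
        "locked": parsed["locked"],
        "containers": parsed["containers"],
        "unparsed": parsed["unparsed"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT_LINES)
    for bucket, count in sorted(summary["by_bucket"].items()):
        print(f"{bucket:24} {count}")
    print(f"locked objects (not scanned): {summary['locked']}")
    for entry in summary["live"]:
        print(f"needs attention: {entry['path']} ({entry['detection']})")
```

Locked objects are counted separately because "Object is locked skipped" means the scanner could not read the file at all (registry hives, event logs, index.dat), not that it was clean; on a still-infected box those are the files a follow-up offline scan should cover.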
For this system, Kaspersky, if you don't plan to use it again, uninstalls through Add/Remove Programs.
You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.
Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator"). When you do this, a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.
OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders, and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step, resetting System Restore.
Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.
You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.
When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box, click Apply, then OK.
In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.
If you are not the user who started this thread, you must start your own Thread instead