ComboFix 08-01-23.1C - Tony 2008-01-25 15:29:53.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.245 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE C:\WINDOWS\SYSTEM32\adssite-remove.exe C:\WINDOWS\SYSTEM32\hurjfnpu.ini C:\WINDOWS\SYSTEM32\jpewocmz.ini C:\WINDOWS\SYSTEM32\qhuxebwq.ini C:\WINDOWS\SYSTEM32\rightonadz-uninst.exe C:\WINDOWS\SYSTEM32\shbxdcjh.ini C:\WINDOWS\SYSTEM32\xgjrihqs.ini C:\WINDOWS\winshow .exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Program Files\AntiSpywareApp C:\Program Files\AntiSpywareApp\AntiSpyware.exe C:\Program Files\AntiSpywareApp\AntiSpyware.url C:\Program Files\AntiSpywareApp\Launcher.exe C:\Program Files\AntiSpywareApp\unins000.dat C:\Program Files\AntiSpywareApp\unins000.exe C:\temp\cEeer12 C:\temp\cEeer12\skAt.log C:\WINDOWS\SYSTEM32\adssite-remove.exe C:\WINDOWS\SYSTEM32\aj2 C:\WINDOWS\SYSTEM32\ardCo02 C:\WINDOWS\SYSTEM32\hurjfnpu.ini C:\WINDOWS\SYSTEM32\jpewocmz.ini C:\WINDOWS\SYSTEM32\mr9 C:\WINDOWS\SYSTEM32\qhuxebwq.ini C:\WINDOWS\SYSTEM32\rightonadz-uninst.exe C:\WINDOWS\SYSTEM32\shbxdcjh.ini C:\WINDOWS\SYSTEM32\xgjrihqs.ini C:\WINDOWS\winshow .exe . ((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 ))))))))))))))))))))))))))))))) . 2008-01-25 15:23 . 2008-01-25 15:23 <DIR> d-------- C:\WINDOWS\LastGood 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-24 18:21 . 2008-01-24 22:09 <DIR> d-------- C:\VundoFix Backups 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-15 21:41 . 2008-01-15 21:41 81,920 --a------ C:\WINDOWS\SYSTEM32\csrcli32.dll 2008-01-15 21:41 . 2008-01-15 21:41 58,880 --a------ C:\WINDOWS\SYSTEM32\urikon.dll 2008-01-15 21:41 . 2008-01-15 21:41 18,944 --a------ C:\WINDOWS\SYSTEM32\msdfmap.dll 2008-01-15 21:41 . 2008-01-15 21:41 6,656 --a------ C:\WINDOWS\SYSTEM32\md4hsh.dll 2008-01-15 21:41 . 2008-01-15 21:41 2,528 --a------ C:\WINDOWS\SYSTEM32\nvnatv.sys 2008-01-13 22:07 . 2004-08-12 08:58 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex 2008-01-13 22:06 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-13 22:05 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 12:14 . 2008-01-24 21:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-13 12:14 . 2008-01-13 12:14 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm 2007-12-27 14:32 . 2007-12-27 14:32 268 --ah----- C:\sqmdata03.sqm 2007-12-27 14:32 . 2007-12-27 14:32 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-25 04:37 --------- d-----w C:\Program Files\Apoint 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ] "{00-04-41-11-ZN}"="c:\windows\system32\dwdsrngt .exe" [ ] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk backup=C:\WINDOWS\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Tony^Start Menu^Programs^Startup^TA_Start.lnk] path=C:\Documents and Settings\Tony\Start Menu\Programs\Startup\TA_Start.lnk backup=C:\WINDOWS\pss\TA_Start.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] C:\Program Files\Apoint\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] --a------ 2008-01-13 08:39 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] --a------ 2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] --a------ 2008-01-13 08:39 71280 C:\Program Files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-12 08:56 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] --a------ 2008-01-13 08:40 32768 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] C:\WINDOWS\system32\awtqo.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] --a------ 2008-01-13 08:39 188416 C:\Program Files\Logitech\Video\ISStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] --a------ 2008-01-13 00:07 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2008-01-13 00:08 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] --a------ 2008-01-13 00:31 290816 C:\Program Files\Dell\Media Experience\PCMService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] --a------ 2008-01-13 00:07 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44] C:\WINDOWS\troy44.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ] C:\WINDOWS\troy44 .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2008-01-13 00:07 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] --a------ 2008-01-13 08:40 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe] --a------ 2008-01-13 00:07 70800 C:\Program Files\Norton Internet Security\UrlLstCk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-04-41-11-ZN}] c:\windows\system32\dwdsrngt .exe R1 nvnatv;NVidia Native rendering;C:\WINDOWS\system32\nvnatv.sys [2008-01-15 21:41] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-24 23:14:48 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-25 10:35:03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-25 02:21:28 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-25 15:32:58 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\md4hsh.dll . Completion time: 2008-01-25 15:33:44 ComboFix-quarantined-files.txt 2008-01-25 20:33:43 ComboFix2.txt 2008-01-25 04:46:12 . 2008-01-25 10:36:21 --- E O F ---

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX File:: C:\WINDOWS\system32\awtqo.exe C:\WINDOWS\troy44.exe Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link: ATF Cleaner Run ATF-Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Please run the BitDefender online scan this link: Bitdefender Online Scanner You will need to allow an active x install for the scan to run. Leave the scanning options at default and press "click here to scan" When finished scanning, click on "click here to export the scan report" Save it to your desktop, at "file name" type in "bdscan" then click save. Post a log in your reply.

0

BitDefender Online Scanner Scan report generated at: Fri, Jan 25, 2008 - 21:51:49 Scan path: C:\;D:\; Statistics Time 00:34:50 Files 157808 Folders 6157 Boot Sectors 4 Archives 3078 Packed Files 5904 Results Identified Viruses 17 Infected Files 53 Suspect Files 1 Warnings 0 Disinfected 0 Deleted Files 54 Engines Info Virus Definitions 977316 Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36) Scan plugins 16 Archive plugins 41 Unpack plugins 7 E-mail plugins 6 System plugins 5 Scan Settings First Action Disinfect Second Action Delete Heuristics Yes Enable Warnings Yes Scanned Extensions *; Exclude Extensions Scan Emails Yes Scan Archives Yes Scan Packed Yes Scan Files Yes Scan Boot Yes Scanned File Status C:\Documents and Settings\Guest\Local Settings\Temp\ybadd.ini Infected with: Trojan.Vundo.DVS C:\Documents and Settings\Guest\Local Settings\Temp\ybadd.ini Disinfection failed C:\Documents and Settings\Guest\Local Settings\Temp\ybadd.ini Deleted C:\Documents and Settings\HI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-30964487.zip=>vmain.class Infected with: Exploit.Java.Gimsh.B C:\Documents and Settings\HI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-30964487.zip=>vmain.class Deleted C:\Documents and Settings\HI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-30964487.zip Updated C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip=>BitDownload Setup.exe=>(NSIS o)=>lzma_nsis0006 Infected with: Trojan.Obfuscated.EN C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip=>BitDownload Setup.exe=>(NSIS o)=>lzma_nsis0006 Deleted C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip=>BitDownload Setup.exe=>(NSIS o) Update failed C:\My Downloads\davis's drug guide for nurses new.zip=>setup.exe Detected with: Adware.BHO.WPX C:\My Downloads\davis's drug guide for nurses new.zip=>setup.exe Deleted C:\My Downloads\davis's drug guide for nurses new.zip Updated C:\QooBox\Quarantine\C\Program Files\Apoint\Apoint.exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\Apoint\Apoint.exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\Program Files\QuickTime\qttask .exe.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\awtqo.dll.vir Infected with: Trojan.Vundo.DUH C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\awtqo.dll.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\awtqo.exe.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\awtqo.exe.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bsellis.dll.vir Infected with: Trojan.Spy.Bzub.NGP C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bsellis.dll.vir Disinfection failed C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bsellis.dll.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bysyhffa.exe.vir Infected with: Trojan.Fotomoto.H C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bysyhffa.exe.vir Disinfection failed C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bysyhffa.exe.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ctfmon.exe.tmp.vir Infected with: Trojan.Dropper.Vundo.D C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ctfmon.exe.tmp.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oqtwa.ini.vir Infected with: Trojan.Vundo.DVS C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oqtwa.ini.vir Disinfection failed C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oqtwa.ini.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oqtwa.ini2.vir Infected with: Trojan.Vundo.DVS C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oqtwa.ini2.vir Disinfection failed C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oqtwa.ini2.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rightonadz-uninst.exe.vir=>(NSIS o) Detected with: Adware.AdRotator.G C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rightonadz-uninst.exe.vir=>(NSIS o) Deleted C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rightonadz-uninst.exe.vir Update failed C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvwtrr.dll.vir Infected with: Trojan.Vundo.DVO C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvwtrr.dll.vir Disinfection failed C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tuvwtrr.dll.vir Deleted C:\QooBox\Quarantine\C\WINDOWS\winshow .exe.vir Infected with: Trojan.Downloader.VB.VLT C:\QooBox\Quarantine\C\WINDOWS\winshow .exe.vir Disinfection failed C:\QooBox\Quarantine\C\WINDOWS\winshow .exe.vir Deleted C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>core.sys Infected with: Trojan.Downloader.Obfuscated.CF C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>core.sys Deleted C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip Updated C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>BSelLis.dll Infected with: Trojan.Spy.Bzub.NGP C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>BSelLis.dll Disinfection failed C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>BSelLis.dll Deleted C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip Updated C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>ignkzlxa.dat Infected with: Trojan.Rootkit.Agent.NDW C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>ignkzlxa.dat Deleted C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip Updated C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>bsellis.dll.1 Infected with: Trojan.Spy.Bzub.NGP C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>bsellis.dll.1 Disinfection failed C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>bsellis.dll.1 Deleted C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip Updated C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>awtqo.dll Infected with: Trojan.Vundo.DUH C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip=>awtqo.dll Deleted C:\QooBox\Quarantine\catchme2008-01-24_234156.95.zip Updated C:\VundoFix Backups\aiiyjrtv.dll.bad Infected with: Trojan.Vundo.DVC C:\VundoFix Backups\aiiyjrtv.dll.bad Disinfection failed C:\VundoFix Backups\aiiyjrtv.dll.bad Deleted C:\VundoFix Backups\awtqo.dll.bad Infected with: Trojan.Vundo.DUH C:\VundoFix Backups\awtqo.dll.bad Deleted C:\VundoFix Backups\awtqo.exe.bad Infected with: Trojan.Dropper.Vundo.D C:\VundoFix Backups\awtqo.exe.bad Deleted C:\VundoFix Backups\bysyhffa.exe.bad Infected with: Trojan.Fotomoto.H C:\VundoFix Backups\bysyhffa.exe.bad Disinfection failed C:\VundoFix Backups\bysyhffa.exe.bad Deleted C:\VundoFix Backups\dudfsjoc.dll.bad Infected with: Trojan.Vundo.DVC C:\VundoFix Backups\dudfsjoc.dll.bad Disinfection failed C:\VundoFix Backups\dudfsjoc.dll.bad Deleted C:\VundoFix Backups\fgxpwtpb.dll.bad Infected with: Trojan.Vundo.DVC C:\VundoFix Backups\fgxpwtpb.dll.bad Disinfection failed C:\VundoFix Backups\fgxpwtpb.dll.bad Deleted C:\VundoFix Backups\iiykxloq.dll.bad Infected with: Trojan.Vundo.DVC C:\VundoFix Backups\iiykxloq.dll.bad Disinfection failed C:\VundoFix Backups\iiykxloq.dll.bad Deleted C:\VundoFix Backups\ldedslgh.dll.bad Infected with: Trojan.Vundo.DWP C:\VundoFix Backups\ldedslgh.dll.bad Disinfection failed C:\VundoFix Backups\ldedslgh.dll.bad Deleted C:\VundoFix Backups\lhergufz.dll.bad Infected with: Trojan.Vundo.DWB C:\VundoFix Backups\lhergufz.dll.bad Deleted C:\VundoFix Backups\oocgmiio.exe.bad Infected with: Trojan.Fotomoto.H C:\VundoFix Backups\oocgmiio.exe.bad Disinfection failed C:\VundoFix Backups\oocgmiio.exe.bad Deleted C:\VundoFix Backups\oqtwa.ini.bad Infected with: Trojan.Vundo.DVS C:\VundoFix Backups\oqtwa.ini.bad Disinfection failed C:\VundoFix Backups\oqtwa.ini.bad Deleted C:\VundoFix Backups\oqtwa.ini2.bad Infected with: Trojan.Vundo.DVS C:\VundoFix Backups\oqtwa.ini2.bad Disinfection failed C:\VundoFix Backups\oqtwa.ini2.bad Deleted C:\VundoFix Backups\plxcstnn.dll.bad Infected with: Trojan.Vundo.DVC C:\VundoFix Backups\plxcstnn.dll.bad Disinfection failed C:\VundoFix Backups\plxcstnn.dll.bad Deleted C:\VundoFix Backups\qjpdaxsk.exe.bad Infected with: Trojan.Fotomoto.H C:\VundoFix Backups\qjpdaxsk.exe.bad Disinfection failed C:\VundoFix Backups\qjpdaxsk.exe.bad Deleted C:\VundoFix Backups\sqhirjgx.dll.bad Infected with: Trojan.Vundo.DWW C:\VundoFix Backups\sqhirjgx.dll.bad Deleted C:\VundoFix Backups\tcaxpmja.dll.bad Infected with: Trojan.Vundo.DWB C:\VundoFix Backups\tcaxpmja.dll.bad Deleted C:\VundoFix Backups\tuvwtrr.dll.bad Infected with: Trojan.Vundo.DVO C:\VundoFix Backups\tuvwtrr.dll.bad Disinfection failed C:\VundoFix Backups\tuvwtrr.dll.bad Deleted C:\VundoFix Backups\vajbtnjp.exe.bad Infected with: Trojan.Fotomoto.H C:\VundoFix Backups\vajbtnjp.exe.bad Disinfection failed C:\VundoFix Backups\vajbtnjp.exe.bad Deleted C:\WINDOWS\SYSTEM32\md4hsh.dll Suspected of: Generic.Malware.FYg.22728D8A C:\WINDOWS\SYSTEM32\md4hsh.dll Disinfection failed C:\WINDOWS\SYSTEM32\md4hsh.dll Deleted

0

Your java is out of date and can be exploited. Download the latest version of java from this link Java Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version. Navigate to and delete these two folders: C:\QooBox C:\VundoFix Backups This should fix it. Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line: [autorun] ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8 Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window. Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save. Restart the computer. Let us know how the computer is operating and if the red X is gone.

0

Everything seems to be working good, except for when windows loads it takes a long time to load icons on toolbar and some are missing such as volume control and WiFi strength meter. Any Sugesstions? What can i do to prevent this from occuring again?

0

On the speaker icon go to start> control panel> sound and audio devices> volumn tab> check the box to the left of " place volumn icon on taskbar"> apply ok. If it is already checked uncheck it > apply> ok> then recheck it> appply> ok. Please post a new hijack this log and a new combfix log and lets see if we missed something.

0

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:37:19 PM, on 1/26/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0013) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\WLTRYSVC.exe C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\internet explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TONY\Application Data\Mozilla\Profiles\default\c3b2oac2.slt\prefs.js) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/open... (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin... O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computerchecku... O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd... O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res... O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re... O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://66.242.36.116/view22/View22R... O18 - Protocol: bw+0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw+0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw-0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw00s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw10s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw20s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw30s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw40s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw50s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw60s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw70s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw80s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bw90s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwa0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwb0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwc0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwd0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwe0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwf0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: bwg0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwg0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwh0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwi0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwj0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwk0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwl0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwm0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwn0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwo0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwp0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwq0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwr0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bws0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwt0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwu0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwv0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bww0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwx0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwy0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: bwz0s - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O18 - Protocol: offline-8876480 - {E32038EC-18B3-4B9A-A1A0-57D2289C4299} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.exe -- End of file - 20451 bytes ComboFix 08-01-23.1C - Tony 2008-01-26 22:38:46.5 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf C:\Documents and Settings\Tony\Application Data\setup_en[1].exe . ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-25 21:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-15 21:41 . 2008-01-15 21:41 81,920 --a------ C:\WINDOWS\SYSTEM32\csrcli32.dll 2008-01-15 21:41 . 2008-01-15 21:41 58,880 --a------ C:\WINDOWS\SYSTEM32\urikon.dll 2008-01-15 21:41 . 2008-01-15 21:41 18,944 --a------ C:\WINDOWS\SYSTEM32\msdfmap.dll 2008-01-15 21:41 . 2008-01-15 21:41 2,528 --a------ C:\WINDOWS\SYSTEM32\nvnatv.sys 2008-01-13 22:07 . 2004-08-12 08:58 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex 2008-01-13 22:06 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-13 22:05 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 12:14 . 2008-01-24 21:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-13 12:14 . 2008-01-13 12:14 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm 2007-12-27 14:32 . 2007-12-27 14:32 268 --ah----- C:\sqmdata03.sqm 2007-12-27 14:32 . 2007-12-27 14:32 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-25 04:37 --------- d-----w C:\Program Files\Apoint 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk backup=C:\WINDOWS\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Tony^Start Menu^Programs^Startup^TA_Start.lnk] path=C:\Documents and Settings\Tony\Start Menu\Programs\Startup\TA_Start.lnk backup=C:\WINDOWS\pss\TA_Start.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] C:\Program Files\Apoint\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] --a------ 2008-01-13 08:39 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] --a------ 2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] --a------ 2008-01-13 08:39 71280 C:\Program Files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-12 08:56 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] --a------ 2008-01-13 08:40 32768 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] C:\WINDOWS\system32\awtqo.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] --a------ 2008-01-13 08:39 188416 C:\Program Files\Logitech\Video\ISStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] --a------ 2008-01-13 00:07 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2008-01-13 00:08 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] --a------ 2008-01-13 00:31 290816 C:\Program Files\Dell\Media Experience\PCMService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] --a------ 2008-01-13 00:07 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ] C:\WINDOWS\troy44 .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2008-01-13 00:07 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] --a------ 2008-01-13 08:40 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe] --a------ 2008-01-13 00:07 70800 C:\Program Files\Norton Internet Security\UrlLstCk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-04-41-11-ZN}] c:\windows\system32\dwdsrngt .exe R1 nvnatv;NVidia Native rendering;C:\WINDOWS\system32\nvnatv.sys [2008-01-15 21:41] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-24 23:14:48 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-27 03:35:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-27 02:21:26 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-26 22:42:23 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180] -> C:\WINDOWS\system32\csrcli32.dll . Completion time: 2008-01-26 22:42:55 ComboFix-quarantined-files.txt 2008-01-27 03:42:47 ComboFix2.txt 2008-01-26 02:08:18 . 2008-01-27 00:23:07 --- E O F ---

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX File:: C:\WINDOWS\system32\csrcli32.dll C:\WINDOWS\troy44 .exe Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\troy44 ] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Post a new Combofix log please. You must update your java or the infections will continue.

0

Java has been updated. Here is the Combofix log. Thanks again. ComboFix 08-01-23.1C - Tony 2008-01-27 7:28:05.6 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE C:\WINDOWS\system32\csrcli32.dll C:\WINDOWS\troy44 .exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\csrcli32.dll . ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-25 21:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-15 21:41 . 2008-01-15 21:41 58,880 --a------ C:\WINDOWS\SYSTEM32\urikon.dll 2008-01-15 21:41 . 2008-01-15 21:41 18,944 --a------ C:\WINDOWS\SYSTEM32\msdfmap.dll 2008-01-15 21:41 . 2008-01-15 21:41 2,528 --a------ C:\WINDOWS\SYSTEM32\nvnatv.sys 2008-01-13 22:07 . 2004-08-12 08:58 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex 2008-01-13 22:06 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-13 22:05 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-13 21:59 . 2008-01-13 21:59 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 12:14 . 2008-01-24 21:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-13 12:14 . 2008-01-13 12:14 1,409 --a------ C:\WINDOWS\QTFont.for 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm 2007-12-27 14:32 . 2007-12-27 14:32 268 --ah----- C:\sqmdata03.sqm 2007-12-27 14:32 . 2007-12-27 14:32 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-25 04:37 --------- d-----w C:\Program Files\Apoint 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((( snapshot@2008-01-26_22.42.29.56 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-26 02:03:52 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-01-27 12:27:59 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT - 2008-01-26 02:03:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat + 2008-01-27 12:27:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat - 2008-01-26 02:03:52 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT + 2008-01-27 12:27:59 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT - 2008-01-26 02:03:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat + 2008-01-27 12:27:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat - 2008-01-26 02:03:52 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT + 2008-01-27 12:27:59 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT - 2008-01-26 02:03:52 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat + 2008-01-27 12:28:00 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat - 2008-01-27 03:37:43 8,704 ----a-w C:\WINDOWS\SYSTEM32\SPOOL\printer.dat + 2008-01-27 12:13:38 8,704 ----a-w C:\WINDOWS\SYSTEM32\SPOOL\printer.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk backup=C:\WINDOWS\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Tony^Start Menu^Programs^Startup^TA_Start.lnk] path=C:\Documents and Settings\Tony\Start Menu\Programs\Startup\TA_Start.lnk backup=C:\WINDOWS\pss\TA_Start.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] C:\Program Files\Apoint\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] --a------ 2008-01-13 08:39 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG] --a------ 2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] --a------ 2008-01-13 08:39 71280 C:\Program Files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-12 08:56 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM] --a------ 2008-01-13 08:40 32768 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] C:\WINDOWS\system32\awtqo.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] --a------ 2008-01-13 08:39 188416 C:\Program Files\Logitech\Video\ISStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask] --a------ 2008-01-13 00:07 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2008-01-13 00:08 200704 C:\Program Files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] --a------ 2008-01-13 00:31 290816 C:\Program Files\Dell\Media Experience\PCMService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] --a------ 2008-01-13 00:07 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2008-01-13 00:07 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] --a------ 2008-01-13 08:40 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe] --a------ 2008-01-13 00:07 70800 C:\Program Files\Norton Internet Security\UrlLstCk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{00-04-41-11-ZN}] c:\windows\system32\dwdsrngt .exe R1 nvnatv;NVidia Native rendering;C:\WINDOWS\system32\nvnatv.sys [2008-01-15 21:41] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-27 08:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-27 11:35:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-27 10:21:21 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 07:30:25 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-27 7:31:08 ComboFix-quarantined-files.txt 2008-01-27 12:30:53 ComboFix2.txt 2008-01-27 03:42:56 ComboFix3.txt 2008-01-26 02:08:18 . 2008-01-27 08:00:19 --- E O F ---

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Folder:: C:\VundoFix Backups C:\Qoobox XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Post a new Combofix log. This should fix the red X. Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line: [autorun] ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8 Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window. Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save. Restart the computer. How is the computer operating?

0

The Red X is gone and POS.tmp files are gone. The Laptop seems to be back to normal except for the icons on the toolbar disapearing at startup. Normally i have 6 icons present AC/power, WIFI meter, Wireless, LAN, safely remove hardwar icon, and volume icon. On start up it take a minute to pop up only two icons wireless and LAN. Until these two icons pop up windows is very slow and unresponsive at times. Once the 2 icons are displayed every operates fine. Normally as soon as i log into windows all icons load immdiatly. Everytime i run Combofix the icons that are normally displayed appear, but when windows is restarted they disapear again..... ???? ComboFix 08-01-23.1C - Tony 2008-01-27 9:33:29.7 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.233 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Qoobox C:\Qoobox\BackEnv\appdata.folder.dat C:\Qoobox\BackEnv\cache.folder.dat C:\Qoobox\BackEnv\desktop.folder.dat C:\Qoobox\BackEnv\favorites.folder.dat C:\Qoobox\BackEnv\local appdata.folder.dat C:\Qoobox\BackEnv\local settings.folder.dat C:\Qoobox\BackEnv\my pictures.folder.dat C:\Qoobox\BackEnv\personal.folder.dat C:\Qoobox\BackEnv\profiles.folder.dat C:\Qoobox\BackEnv\programs.folder.dat C:\Qoobox\BackEnv\setpath.bat C:\Qoobox\BackEnv\setpath.dat C:\Qoobox\BackEnv\start menu.folder.dat C:\Qoobox\BackEnv\startup.folder.dat C:\Qoobox\BackEnv\templates.folder.dat C:\Qoobox\CFScript_used_2008-01-27@7.28.txt C:\Qoobox\CFScript_used_2008-01-27@9.33.txt C:\Qoobox\ComboFix-quarantined-files.txt C:\Qoobox\ComboFix2.txt C:\Qoobox\ComboFix3.txt C:\Qoobox\ComboFix4.txt C:\Qoobox\snapshot@2008-01-26_22.42.29.56.dat C:\Qoobox\snapshot@2008-01-26_22.42.29.56_B.dat . ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-27 08:15 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-27 08:14 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-27 08:13 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-25 21:51 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-15 21:41 . 2008-01-15 21:41 58,880 --a------ C:\WINDOWS\SYSTEM32\urikon.dll 2008-01-15 21:41 . 2008-01-15 21:41 18,944 --a------ C:\WINDOWS\SYSTEM32\msdfmap.dll 2008-01-15 21:41 . 2008-01-15 21:41 2,528 --a------ C:\WINDOWS\SYSTEM32\nvnatv.sys 2008-01-13 21:42 . 2004-08-12 09:02 1,086,058 -ra------ C:\WINDOWS\SETEC.tmp 2008-01-13 21:42 . 2004-08-12 09:06 1,042,903 -ra------ C:\WINDOWS\SETE9.tmp 2008-01-13 21:42 . 2004-08-12 08:58 13,753 -ra------ C:\WINDOWS\SETF8.tmp 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm 2007-12-27 14:32 . 2007-12-27 14:32 268 --ah----- C:\sqmdata03.sqm 2007-12-27 14:32 . 2007-12-27 14:32 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 13:48 --------- d-----w C:\Program Files\IKEA HomePlanner 2008-01-27 13:06 --------- d-----w C:\Program Files\Apoint 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-13 08:40 313472] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-13 00:08 200704] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-01-13 08:40 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32 155648] "{00-04-41-11-ZN}"="c:\windows\system32\dwdsrngt .exe" [ ] "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2008-01-13 00:07 70800] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-13 00:07 110592] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 00:07 100056] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-13 00:31 290816] "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-13 00:07 53248] "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-13 08:39 188416] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-13 08:39 71280] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 08:39 339968] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00 44544] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696] HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-02-08 00:17:38 450560] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] --a------ 2008-01-13 08:39 528384 C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] C:\WINDOWS\system32\awtqo.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] R1 nvnatv;NVidia Native rendering;C:\WINDOWS\system32\nvnatv.sys [2008-01-15 21:41] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-27 08:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-27 14:35:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-27 14:21:22 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 09:37:17 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-27 9:37:57 . 2008-01-27 12:43:37 --- E O F ---

0

I think I see the virus, lets see if this scanner will remove it. Please run the BitDefender online scan this link: Bitdefender Online Scanner You will need to allow an active x install for the scan to run. Leave the scanning options at default and press "click here to scan" When finished scanning, click on "click here to export the scan report" Save it to your desktop, at "file name" type in "bdscan" then click save. Post a log in your reply.

0

BitDefender Online Scanner Scan report generated at: Sun, Jan 27, 2008 - 12:06:24 Scan path: C:\;D:\; Statistics Time 00:43:20 Files 265917 Folders 6665 Boot Sectors 4 Archives 3114 Packed Files 6844 Results Identified Viruses 2 Infected Files 2 Suspect Files 0 Warnings 0 Disinfected 0 Deleted Files 2 Engines Info Virus Definitions 977523 Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36) Scan plugins 16 Archive plugins 41 Unpack plugins 7 E-mail plugins 6 System plugins 5 Scan Settings First Action Disinfect Second Action Delete Heuristics Yes Enable Warnings Yes Scanned Extensions *; Exclude Extensions Scan Emails Yes Scan Archives Yes Scan Packed Yes Scan Files Yes Scan Boot Yes Scanned File Status C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\K7TTTEXU\setup_en[1].exe Infected with: Trojan.Downloader.Agent.YYA C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\K7TTTEXU\setup_en[1].exe Deleted C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip=>BitDownload Setup.exe=>(NSIS o)=>lzma_nsis0006 Infected with: Trojan.Obfuscated.EN C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip=>BitDownload Setup.exe=>(NSIS o)=>lzma_nsis0006 Deleted C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip=>BitDownload Setup.exe=>(NSIS o) Update failed

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Post a new Combofix log. Do a search for the following files: csr32srv.dll urim.dll idscc.exe Then upload them into the scanner below if found and post the results. Please go to Virus Total and upload the following file for analysis: C:\WINDOWS\SYSTEM32\urikon.dll C:\WINDOWS\SYSTEM32\msdfmap.dll C:\WINDOWS\SYSTEM32\nvnatv.sys Post the results in your reply.

0

ComboFix 08-01-23.1C - Tony 2008-01-27 15:51:48.8 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.211 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-27 15:20 . 2008-01-27 15:20 <DIR> d-------- C:\WINDOWS\LastGood 2008-01-27 08:15 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-27 08:14 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-27 08:13 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-27 11:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-15 21:41 . 2008-01-15 21:41 58,880 --a------ C:\WINDOWS\SYSTEM32\urikon.dll 2008-01-15 21:41 . 2008-01-15 21:41 18,944 --a------ C:\WINDOWS\SYSTEM32\msdfmap.dll 2008-01-15 21:41 . 2008-01-15 21:41 2,528 --a------ C:\WINDOWS\SYSTEM32\nvnatv.sys 2008-01-13 21:42 . 2004-08-12 09:02 1,086,058 -ra------ C:\WINDOWS\SETEC.tmp 2008-01-13 21:42 . 2004-08-12 09:06 1,042,903 -ra------ C:\WINDOWS\SETE9.tmp 2008-01-13 21:42 . 2004-08-12 08:58 13,753 -ra------ C:\WINDOWS\SETF8.tmp 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm 2007-12-27 14:32 . 2007-12-27 14:32 268 --ah----- C:\sqmdata03.sqm 2007-12-27 14:32 . 2007-12-27 14:32 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 13:48 --------- d-----w C:\Program Files\IKEA HomePlanner 2008-01-27 13:06 --------- d-----w C:\Program Files\Apoint 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((( snapshot@2008-01-27_ 9.37.23.01 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-09 20:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll + 2008-01-27 16:22:57 77,824 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll - 2008-01-27 14:33:22 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-01-27 20:51:23 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT - 2008-01-27 14:33:22 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat + 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat - 2008-01-27 14:33:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT + 2008-01-27 20:51:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT - 2008-01-27 14:33:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat + 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat - 2008-01-27 14:33:23 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT + 2008-01-27 20:51:23 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT - 2008-01-27 14:33:23 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat + 2008-01-27 20:51:24 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat - 2004-08-12 13:56:00 66,560 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll + 2007-07-31 00:19:20 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll - 2004-08-12 13:56:00 66,560 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll + 2007-07-31 00:19:20 92,504 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll - 2004-08-12 14:10:40 430,592 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll + 2007-07-31 00:19:36 549,720 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll - 2004-08-12 14:10:41 111,104 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe + 2007-07-31 00:19:16 53,080 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe - 2004-08-12 14:10:41 1,134,592 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll + 2007-07-31 00:19:42 1,712,984 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll - 2004-08-12 14:10:43 112,640 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll + 2007-07-31 00:19:32 325,976 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll - 2004-08-12 14:10:43 36,864 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll + 2007-07-30 23:18:40 33,624 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll - 2004-08-12 14:10:44 120,320 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll + 2007-07-31 00:19:28 203,096 -c--a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll - 2004-08-12 14:10:40 430,592 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll + 2007-07-31 00:19:36 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll - 2004-08-12 14:10:41 111,104 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe + 2007-07-31 00:19:16 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe - 2004-08-12 14:10:41 1,134,592 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll + 2007-07-31 00:19:42 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll - 2004-08-12 14:10:43 112,640 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll + 2007-07-31 00:19:32 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll - 2004-08-12 14:10:43 36,864 ----a-w C:\WINDOWS\SYSTEM32\wups.dll + 2007-07-30 23:18:40 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll - 2004-08-12 14:10:44 120,320 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll + 2007-07-31 00:19:28 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll . -- Snapshot reset to current date -- . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-13 08:40 313472] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-13 00:08 200704] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-01-13 08:40 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32 155648] "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2008-01-13 00:07 70800] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-13 00:07 110592] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 00:07 100056] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-13 00:31 290816] "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-13 00:07 53248] "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-13 08:39 188416] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-13 08:39 71280] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 08:39 339968] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00 44544] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696] HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-02-08 00:17:38 450560] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] --a------ 2008-01-13 08:39 528384 C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] R1 nvnatv;NVidia Native rendering;C:\WINDOWS\system32\nvnatv.sys [2008-01-15 21:41] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-27 08:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-27 20:35:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-27 18:21:24 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 15:55:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-27 15:56:37 ComboFix2.txt 2008-01-27 14:37:57 . 2008-01-27 12:43:37 --- E O F --- I did a search for csr32srv.dll, urim.dll, and idscc.exe but they were not found. Virus Total results are below for files:C:\WINDOWS\SYSTEM32\urikon.dll C:\WINDOWS\SYSTEM32\msdfmap.dll C:\WINDOWS\SYSTEM32\nvnatv.sys File nvnatv.sys received on 01.27.2008 22:10:37 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 7/32 (21.88%) Loading server information... Your file is queued in position: ___. Estimated start time is between ___ and ___ . Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result AhnLab-V3 2008.1.26.10 2008.01.25 - AntiVir 7.6.0.56 2008.01.27 TR/Rootkit.Gen Authentium 4.93.8 2008.01.26 - Avast 4.7.1098.0 2008.01.27 Win32:Small-IYC AVG 7.5.0.516 2008.01.27 - BitDefender 7.2 2008.01.27 - CAT-QuickHeal 9.00 2008.01.25 - ClamAV 0.91.2 2008.01.27 - DrWeb 4.44.0.09170 2008.01.27 - eSafe 7.0.15.0 2008.01.16 - eTrust-Vet 31.3.5486 2008.01.26 - Ewido 4.0 2008.01.27 - FileAdvisor 1 2008.01.27 - Fortinet 3.14.0.0 2008.01.27 - F-Prot 4.4.2.54 2008.01.27 - F-Secure 6.70.13260.0 2008.01.27 W32/Rootkit.BYV Ikarus T3.1.1.20 2008.01.27 - Kaspersky 7.0.0.125 2008.01.27 Trojan-Downloader.Win32.Agent.heo McAfee 5216 2008.01.26 - Microsoft 1.3109 2008.01.27 - NOD32v2 2825 2008.01.27 - Norman 5.80.02 2008.01.24 W32/Rootkit.BYV Panda 9.0.0.4 2008.01.27 Trj/Agent.HQX Prevx1 V2 2008.01.27 - Rising 20.28.62.00 2008.01.27 - Sophos 4.25.0 2008.01.27 - Sunbelt 2.2.907.0 2008.01.25 - Symantec 10 2008.01.27 - TheHacker 6.2.9.200 2008.01.27 - VBA32 3.12.2.5 2008.01.21 - VirusBuster 4.3.26:9 2008.01.27 - Webwasher-Gateway 6.6.2 2008.01.27 Trojan.Rootkit.Gen Additional information File size: 2528 bytes MD5: 662e89815fcc0b214d773b80c1ab3f0b SHA1: 584f3ce9f24e8b82db3707128492340f11a88219 PEiD: - File msdfmap.dll received on 01.27.2008 22:09:53 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 1/32 (3.13%) Loading server information... Your file is queued in position: 6. Estimated start time is between 54 and 77 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result AhnLab-V3 2008.1.26.10 2008.01.25 - AntiVir 7.6.0.56 2008.01.27 - Authentium 4.93.8 2008.01.26 - Avast 4.7.1098.0 2008.01.27 - AVG 7.5.0.516 2008.01.27 - BitDefender 7.2 2008.01.27 - CAT-QuickHeal 9.00 2008.01.25 - ClamAV 0.91.2 2008.01.27 - DrWeb 4.44.0.09170 2008.01.27 - eSafe 7.0.15.0 2008.01.16 - eTrust-Vet 31.3.5486 2008.01.26 - Ewido 4.0 2008.01.27 - FileAdvisor 1 2008.01.27 - Fortinet 3.14.0.0 2008.01.27 - F-Prot 4.4.2.54 2008.01.27 - F-Secure 6.70.13260.0 2008.01.27 - Ikarus T3.1.1.20 2008.01.27 - Kaspersky 7.0.0.125 2008.01.27 - McAfee 5216 2008.01.26 - Microsoft 1.3109 2008.01.27 - NOD32v2 2825 2008.01.27 - Norman 5.80.02 2008.01.24 - Panda 9.0.0.4 2008.01.27 - Prevx1 V2 2008.01.27 - Rising 20.28.62.00 2008.01.27 - Sophos 4.25.0 2008.01.27 - Sunbelt 2.2.907.0 2008.01.25 Trojan-PSW.Urimon.gen Symantec 10 2008.01.27 - TheHacker 6.2.9.200 2008.01.27 - VBA32 3.12.2.5 2008.01.21 - VirusBuster 4.3.26:9 2008.01.27 - Webwasher-Gateway 6.6.2 2008.01.27 - Additional information File size: 18944 bytes MD5: 9ebfc57b78caeca537558fb82b94a0e2 SHA1: 2b8a80e53436d71ef23b84d44a9148c89218558e PEiD: - File urikon.dll received on 01.27.2008 22:08:06 (CET) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 8/32 (25%) Loading server information... Your file is queued in position: 4. Estimated start time is between 47 and 68 seconds. Do not close the window until scan is complete. The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result. If you are waiting for more than five minutes you have to resend your file. Your file is being scanned by VirusTotal in this moment, results will be shown as they're generated. Compact Print results Your file has expired or does not exists. Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time. You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email: Antivirus Version Last Update Result AhnLab-V3 2008.1.26.10 2008.01.25 - AntiVir 7.6.0.56 2008.01.27 TR/Spy.Goldun.UX Authentium 4.93.8 2008.01.26 - Avast 4.7.1098.0 2008.01.27 - AVG 7.5.0.516 2008.01.27 PSW.Generic5.AHXS BitDefender 7.2 2008.01.27 - CAT-QuickHeal 9.00 2008.01.25 - ClamAV 0.91.2 2008.01.27 - DrWeb 4.44.0.09170 2008.01.27 Trojan.PWS.Banker.10587 eSafe 7.0.15.0 2008.01.16 - eTrust-Vet 31.3.5486 2008.01.26 - Ewido 4.0 2008.01.27 - FileAdvisor 1 2008.01.27 - Fortinet 3.14.0.0 2008.01.27 Spy/Goldun F-Prot 4.4.2.54 2008.01.27 - F-Secure 6.70.13260.0 2008.01.27 Trojan-Spy.Win32.Goldun.ux Ikarus T3.1.1.20 2008.01.27 - Kaspersky 7.0.0.125 2008.01.27 Trojan-Spy.Win32.Goldun.ux McAfee 5216 2008.01.26 - Microsoft 1.3109 2008.01.27 - NOD32v2 2825 2008.01.27 - Norman 5.80.02 2008.01.24 - Panda 9.0.0.4 2008.01.27 Suspicious file Prevx1 V2 2008.01.27 - Rising 20.28.62.00 2008.01.27 - Sophos 4.25.0 2008.01.27 - Sunbelt 2.2.907.0 2008.01.25 - Symantec 10 2008.01.27 - TheHacker 6.2.9.200 2008.01.27 - VBA32 3.12.2.5 2008.01.21 - VirusBuster 4.3.26:9 2008.01.27 - Webwasher-Gateway 6.6.2 2008.01.27 Trojan.Spy.Goldun.UX Additional information File size: 58880 bytes MD5: 42d5de4df83f31a6989d4b0cbfa83dcc SHA1: 943dc8510a3d76ad936996ef68f390f2ef366717 PEiD: -

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX File: C:\WINDOWS\SYSTEM32\urikon.dll C:\WINDOWS\SYSTEM32\msdfmap.dll C:\WINDOWS\SYSTEM32\nvnatv.sys Driver:: nvnatv XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link: ATF Cleaner Run ATF-Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Post a new Combofix log. Run an online scan with Kaspersky from the following link: Kaspersky Online Scanner Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component Click Yes, when prompted to install its ActiveX component. (Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.) The program launches and downloads the latest definition files. Once the files are downloaded click on Next Click on Scan Settings and configure as follows: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Base Click OK and, under select a target to scan, select My Computer When the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect, however, we need to analyze the information on the report. To obtain the report: Click on: Save Report As (above - red blinking arrow) Next, in the Save as prompt, Save in area, select: Desktop In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt] Then, click: Save Please post the Kaspersky Online Scanner Report in your reply.

0

ComboFix 08-01-23.1C - Tony 2008-01-27 18:21:02.10 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.217 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 ))))))))))))))))))))))))))))))) . 2008-01-27 18:11 . 2008-01-27 18:11 <DIR> d-------- C:\WINDOWS\LastGood 2008-01-27 08:15 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-27 08:14 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-27 08:13 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-27 11:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-15 21:41 . 2008-01-15 21:41 58,880 --a------ C:\WINDOWS\SYSTEM32\urikon.dll 2008-01-15 21:41 . 2008-01-15 21:41 18,944 --a------ C:\WINDOWS\SYSTEM32\msdfmap.dll 2008-01-15 21:41 . 2008-01-15 21:41 2,528 --a------ C:\WINDOWS\SYSTEM32\nvnatv.sys 2008-01-13 21:42 . 2004-08-12 09:02 1,086,058 -ra------ C:\WINDOWS\SETEC.tmp 2008-01-13 21:42 . 2004-08-12 09:06 1,042,903 -ra------ C:\WINDOWS\SETE9.tmp 2008-01-13 21:42 . 2004-08-12 08:58 13,753 -ra------ C:\WINDOWS\SETF8.tmp 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm 2007-12-27 14:32 . 2007-12-27 14:32 268 --ah----- C:\sqmdata03.sqm 2007-12-27 14:32 . 2007-12-27 14:32 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 13:48 --------- d-----w C:\Program Files\IKEA HomePlanner 2008-01-27 13:06 --------- d-----w C:\Program Files\Apoint 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((( snapshot_2008-01-27_15.56.02.93 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-27 20:51:23 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-01-27 23:03:54 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat + 2008-01-27 23:03:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat - 2008-01-27 20:51:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT + 2008-01-27 23:03:54 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat + 2008-01-27 23:03:54 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat - 2008-01-27 20:51:23 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT + 2008-01-27 23:03:55 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT - 2008-01-27 20:51:24 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat + 2008-01-27 23:03:55 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-13 08:40 313472] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-13 00:08 200704] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-01-13 08:40 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32 155648] "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2008-01-13 00:07 70800] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-13 00:07 110592] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 00:07 100056] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-13 00:31 290816] "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-13 00:07 53248] "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-13 08:39 188416] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-13 08:39 71280] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 08:39 339968] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00 44544] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696] HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-02-08 00:17:38 450560] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] --a------ 2008-01-13 08:39 528384 C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-27 08:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-27 22:35:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-27 22:21:24 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-27 18:23:15 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-27 18:23:58 ComboFix-quarantined-files.txt 2008-01-27 23:23:40 ComboFix2.txt 2008-01-27 23:14:30 ComboFix3.txt 2008-01-27 20:56:38 ComboFix4.txt 2008-01-27 14:37:57 . 2008-01-27 23:00:16 --- E O F --- --------------------- KASPERSKY ONLINE SCANNER REPORT Sunday, January 27, 2008 7:33:07 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 27/01/2008 Kaspersky Anti-Virus database records: 534257 --------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ Scan Statistics: Total number of scanned objects: 59327 Number of viruses found: 6 Number of infected objects: 11 Number of suspicious objects: 0 Duration of the scan process: 00:52:15 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped C:\Documents and Settings\HI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-15ed778b.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped C:\Documents and Settings\HI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-15ed778b.zip ZIP: infected - 1 skipped C:\Documents and Settings\HI\Cookies\index.dat Object is locked skipped C:\Documents and Settings\HI\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb Object is locked skipped C:\Documents and Settings\HI\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\HI\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\HI\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\HI\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\HI\NTUSER.DAT Object is locked skipped C:\Documents and Settings\HI\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Tony\Application Data\AntiSpyware\Quarantine\19-01-2008-03-00-31\10074.qit Infected: Trojan-Downloader.Win32.Agent.haq skipped C:\Documents and Settings\Tony\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Tony\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Tony\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Tony\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb Object is locked skipped C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Tony\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\Tony\Local Settings\History\History.IE5\MSHist012008012720080128\index.dat Object is locked skipped C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Tony\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Tony\ntuser.dat.LOG Object is locked skipped C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip/BitDownload Setup.exe/data0007 Infected: Trojan.Win32.Obfuscated.en skipped C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip/BitDownload Setup.exe Infected: Trojan.Win32.Obfuscated.en skipped C:\My Downloads\DAVIS'S DRUG GUIDE FOR NURSES Bittorrent downloader.zip ZIP: infected - 2 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP12\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\nvnatv.sys Infected: Trojan-Downloader.Win32.Agent.heo skipped C:\WINDOWS\SYSTEM32\urikon.dll Infected: Trojan-Spy.Win32.Goldun.ux skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX File:: C:\Program Files\ mozilla firefox\ components\ nshelp.dll C:\Windows\System32\csr32srv.dll C:\Windows\System32\csrcli32.dll C:\Windows\System32\msdfmap.dll C:\Windows\System32\urikon.dll C:\Windows\System32\urimon.dll C:\Windows\csr32srv.dll C:\Windows\installer.exe C:\Windows\ldscc.exe C:\Windows\urimon.dll C:\Windows\v.exe C:\v.exe Driver:: nvnatv XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Post a new Combofix log.

0

ComboFix 08-01-23.1C - Tony 2008-01-28 17:50:29.11 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.227 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE C:\Program Files\ mozilla firefox\ components\ nshelp.dll C:\v.exe C:\Windows\csr32srv.dll C:\Windows\installer.exe C:\Windows\ldscc.exe C:\Windows\System32\csr32srv.dll C:\Windows\System32\csrcli32.dll C:\Windows\System32\msdfmap.dll C:\Windows\System32\urikon.dll C:\Windows\System32\urimon.dll C:\Windows\urimon.dll C:\Windows\v.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf C:\Windows\System32\msdfmap.dll C:\Windows\System32\urikon.dll . ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 ))))))))))))))))))))))))))))))) . 2008-01-27 18:25 . 2008-01-27 18:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab 2008-01-27 08:15 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-27 08:14 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-27 08:13 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-27 11:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-15 21:41 . 2008-01-15 21:41 2,528 --a------ C:\WINDOWS\SYSTEM32\nvnatv.sys 2008-01-13 21:42 . 2004-08-12 09:02 1,086,058 -ra------ C:\WINDOWS\SETEC.tmp 2008-01-13 21:42 . 2004-08-12 09:06 1,042,903 -ra------ C:\WINDOWS\SETE9.tmp 2008-01-13 21:42 . 2004-08-12 08:58 13,753 -ra------ C:\WINDOWS\SETF8.tmp 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 13:48 --------- d-----w C:\Program Files\IKEA HomePlanner 2008-01-27 13:06 --------- d-----w C:\Program Files\Apoint 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((( snapshot_2008-01-27_15.56.02.93 ))))))))))))))))))))))))))))))))))))))))) . - 2008-01-27 20:51:23 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-01-28 22:50:01 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat + 2008-01-28 22:50:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat - 2008-01-27 20:51:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT + 2008-01-28 22:50:01 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat + 2008-01-28 22:50:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat - 2008-01-27 20:51:23 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT + 2008-01-28 22:50:01 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT - 2008-01-27 20:51:24 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat + 2008-01-28 22:50:02 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-13 08:40 313472] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-13 00:08 200704] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-01-13 08:40 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32 155648] "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2008-01-13 00:07 70800] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-13 00:07 110592] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 00:07 100056] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-13 00:31 290816] "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-13 00:07 53248] "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-13 08:39 188416] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-13 08:39 71280] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 08:39 339968] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00 44544] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696] HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-02-08 00:17:38 450560] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] --a------ 2008-01-13 08:39 528384 C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-27 08:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-28 01:35:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-27 22:21:24 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-28 17:53:23 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-28 17:54:04 ComboFix-quarantined-files.txt 2008-01-28 22:53:49 ComboFix2.txt 2008-01-27 23:23:58 ComboFix3.txt 2008-01-27 23:14:30 ComboFix4.txt 2008-01-27 20:56:38 ComboFix5.txt 2008-01-27 14:37:57 . 2008-01-28 02:13:04 --- E O F ---

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX File:: C:\WINDOWS\SYSTEM32\nvnatv.sys C:\WINDOWS\SETEC.tmp C:\WINDOWS\SETE9.tmp C:\WINDOWS\SETF8.tmp Driver:: nvnatv XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Post a new Combofix log.

0

ComboFix 08-01-23.1C - Tony 2008-01-29 16:44:59.12 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.244 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] FILE C:\WINDOWS\SETE9.tmp C:\WINDOWS\SETEC.tmp C:\WINDOWS\SETF8.tmp C:\WINDOWS\SYSTEM32\nvnatv.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Autorun.inf C:\WINDOWS\SETE9.tmp C:\WINDOWS\SETEC.tmp C:\WINDOWS\SETF8.tmp C:\WINDOWS\SYSTEM32\nvnatv.sys . ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 ))))))))))))))))))))))))))))))) . 2008-01-28 19:57 . 2008-01-28 19:57 2,312 --a------ C:\autorun.PNF 2008-01-27 18:25 . 2008-01-27 18:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab 2008-01-27 08:15 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-27 08:14 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-27 08:13 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-27 11:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 13:48 --------- d-----w C:\Program Files\IKEA HomePlanner 2008-01-27 13:06 --------- d-----w C:\Program Files\Apoint 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((( snapshot_2008-01-27_15.56.02.93 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-16 03:12:48 296,336 ----a-w C:\WINDOWS\Downloaded Program Files\rufsi.dll - 2008-01-27 20:51:23 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-01-29 21:44:32 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat + 2008-01-29 21:44:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat - 2008-01-27 20:51:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT + 2008-01-29 21:44:32 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat + 2008-01-29 21:44:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat - 2008-01-27 20:51:23 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT + 2008-01-29 21:44:33 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT - 2008-01-27 20:51:24 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat + 2008-01-29 21:44:33 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat - 2008-01-14 03:11:34 209,696 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT + 2008-01-28 23:05:20 213,672 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-13 08:40 313472] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-13 00:08 200704] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-01-13 08:40 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32 155648] "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2008-01-13 00:07 70800] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-13 00:07 110592] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 00:07 100056] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-13 00:31 290816] "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-13 00:07 53248] "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-13 08:39 188416] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-13 08:39 71280] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 08:39 339968] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00 44544] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696] HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-02-08 00:17:38 450560] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] --a------ 2008-01-13 08:39 528384 C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-27 08:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-29 21:35:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-27 22:21:24 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-29 16:48:34 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-29 16:49:16 ComboFix-quarantined-files.txt 2008-01-29 21:49:00 ComboFix2.txt 2008-01-28 22:54:05 ComboFix3.txt 2008-01-27 23:23:58 ComboFix4.txt 2008-01-27 23:14:30 ComboFix5.txt 2008-01-27 20:56:38 . 2008-01-29 01:17:41 --- E O F ---

0

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX File:: C:\autorun.PNF XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run". Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link: ATF Cleaner Run ATF-Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Post a new Combofix log. How is the computer operating?

0

ComboFix 08-01-23.1C - Tony 2008-01-29 21:12:26.14 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.187 [GMT -5:00] Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 ))))))))))))))))))))))))))))))) . 2008-01-27 18:25 . 2008-01-27 18:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab 2008-01-27 08:15 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 2008-01-27 08:14 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll 2008-01-27 08:13 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\WindowsShell.Manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 2008-01-27 08:11 . 2008-01-27 08:11 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest 2008-01-26 18:42 . 2008-01-26 18:42 <DIR> d-------- C:\Program Files\Sun 2008-01-26 18:42 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl 2008-01-26 18:38 . 2008-01-26 18:38 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-25 21:15 . 2008-01-27 11:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8 2008-01-24 22:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe 2008-01-23 23:40 . 2008-01-23 23:40 1,906 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-01-23 23:39 . 2008-01-23 23:38 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe 2008-01-23 23:39 . 2008-01-23 23:38 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe 2008-01-23 23:39 . 2008-01-23 23:38 81,920 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe 2008-01-23 23:39 . 2008-01-23 23:38 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe 2008-01-23 23:39 . 2008-01-23 23:38 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe 2008-01-23 23:39 . 2008-01-23 23:38 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe 2008-01-23 23:35 . 2008-01-23 23:35 <DIR> d-------- C:\Program Files\Trend Micro 2008-01-13 16:28 . 2008-01-21 17:28 536,141,824 --a------ C:\WINDOWS\MEMORY.DMP 2008-01-13 11:55 . 2008-01-13 11:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center 2008-01-13 11:39 . 2008-01-13 11:39 268 --ah----- C:\sqmdata06.sqm 2008-01-13 11:39 . 2008-01-13 11:39 244 --ah----- C:\sqmnoopt06.sqm 2008-01-13 00:07 . 2008-01-13 08:39 155,648 --a------ C:\WINDOWS\SYSTEM32\NeroCheck.exe 2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe 2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini 2008-01-02 00:20 . 2008-01-13 03:55 174,592 --a------ C:\WINDOWS\SYSTEM32\lexpps.exe 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmnoopt05.sqm 2008-01-02 00:20 . 2008-01-02 00:20 172 --ah----- C:\sqmdata05.sqm 2008-01-01 23:34 . 2008-01-01 23:34 268 --ah----- C:\sqmdata04.sqm 2008-01-01 23:34 . 2008-01-01 23:34 244 --ah----- C:\sqmnoopt04.sqm 2007-12-27 14:32 . 2007-12-27 14:32 268 --ah----- C:\sqmdata03.sqm 2007-12-27 14:32 . 2007-12-27 14:32 244 --ah----- C:\sqmnoopt03.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-27 13:48 --------- d-----w C:\Program Files\IKEA HomePlanner 2008-01-27 13:06 --------- d-----w C:\Program Files\Apoint 2008-01-26 23:42 --------- d-----w C:\Program Files\Java 2008-01-25 20:29 --------- d-----w C:\Program Files\SymNetDrv 2008-01-25 20:29 --------- d-----w C:\Program Files\Norton Internet Security 2008-01-25 20:29 --------- d-----w C:\Program Files\MSN Messenger 2008-01-25 20:29 --------- d-----w C:\Program Files\iTunes 2008-01-25 20:29 --------- d-----w C:\Program Files\DellSupport 2008-01-25 20:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-01-25 04:37 --------- d-----w C:\Program Files\QuickTime 2008-01-02 05:52 --------- d-----w C:\Program Files\Pure Networks 2007-12-26 12:59 --------- d-----w C:\Program Files\MasterCook 2007-12-24 01:40 --------- d-----w C:\Program Files\America Online 9.0a 2007-12-20 01:35 --------- d-----w C:\Program Files\Common Files\Adobe 2007-12-02 13:10 --------- d-----w C:\Program Files\Windows Live Toolbar . ((((((((((((((((((((((((((((( snapshot_2008-01-27_15.56.02.93 ))))))))))))))))))))))))))))))))))))))))) . + 2008-01-16 03:12:48 296,336 ----a-w C:\WINDOWS\Downloaded Program Files\rufsi.dll - 2008-01-27 20:51:23 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-01-30 01:16:33 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat + 2008-01-30 01:16:33 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat - 2008-01-27 20:51:23 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT + 2008-01-30 01:16:33 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT - 2008-01-27 20:51:23 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat + 2008-01-30 01:16:34 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat - 2008-01-27 20:51:23 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT + 2008-01-30 01:16:34 5,480,448 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT - 2008-01-27 20:51:24 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat + 2008-01-30 01:16:34 147,456 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat - 2008-01-14 03:11:34 209,696 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT + 2008-01-28 23:05:20 213,672 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT + 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll + 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe + 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\SYSTEM32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56 15360] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-13 08:40 313472] "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2008-01-13 00:08 200704] "LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-01-13 08:40 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784] "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32 155648] "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [2008-01-13 00:07 70800] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-13 00:07 110592] "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-01-13 00:07 100056] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-13 00:31 290816] "mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2008-01-13 00:07 53248] "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2008-01-13 08:39 188416] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-13 08:39 71280] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-13 08:39 339968] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00 44544] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26 29696] HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 17:15:00 151552] Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-02-08 00:17:38 450560] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 01:01:04 83360] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer] --a------ 2008-01-13 08:39 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet] --a------ 2008-01-13 08:39 528384 C:\Program Files\Dell\QuickSet\quickset.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager] --a------ 2008-01-13 09:10 159832 C:\Program Files\Common Files\AOL\1107714629\ee\AOLHostManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-01-13 00:07 278528 C:\Program Files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-08-04 01:06 1667584 C:\Program Files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2008-01-13 08:39 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask .exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] --a------ 2008-01-13 00:07 208941 C:\Program Files\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!] --a------ 2008-01-13 11:36 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2008-01-13 00:07 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel] S3 NuVision;Hauppauge WinTV USB Pro (NTSC);C:\WINDOWS\system32\DRIVERS\NUVision.sys [2003-04-30 14:59] S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 05:53] . Contents of the 'Scheduled Tasks' folder "2008-01-27 08:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job" - C:\Program Files\AntiSpywareApp\AntiSpyware .ex - C:\Program Files\AntiSpywareApp "2008-01-30 01:35:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.exe "2006-06-12 01:19:29 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Tony.job" - C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXEh/task: "2008-01-20 03:10:47 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job" - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task: "2008-01-29 22:21:25 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.exe . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-29 21:13:34 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-01-29 21:14:17 ComboFix-quarantined-files.txt 2008-01-30 02:13:59 ComboFix2.txt 2008-01-30 01:19:52 ComboFix3.txt 2008-01-29 21:49:16 ComboFix4.txt 2008-01-28 22:54:05 ComboFix5.txt 2008-01-27 23:23:58 . 2008-01-29 01:17:41 --- E O F --- The computer seems to be working great. Do you have any suggestions to prevent this from occuring again?

0

Go to start> control panel> add/remove programs and uninstall AntiSpywareApp , it's a rogue antispyware program and probably haw you got infected. You should consider adding "Spywareblaster" to your arsenol of antispyware tools, you can download it from this link Spywareblaster Just download it,install it, and update it. Its free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

0

jabuck your fantastic. I used the info from this and the other posts you left to clean my friends system thanks. I found that to eliminate the red x on the drive you could modify the following registry key. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon change the value from %SystemRoot%\system32\shell32.dll,131 to %SystemRoot%\system32\shell32.dll,8 The change takes affect immediately and the drive icon changes the next time you refresh or open a window. There are 238 different icons in shell32.dll you can use and they count going down each column from left to right. Your autorun.inf file change worked also but you don't have to leave any additional files on the root of your computer with the registry change. Thanks again you're the best.

0