

Virus Alert! on Taskbar


Name: xbato
Date: September 7, 2008 at 18:32:10 Pacific
OS: winxp pro
CPU/Ram: 3.0 ghz/1gb
Product: Intel
Comment:

Good Day! Can you help me get rid of the VIRUS ALERT! on my taskbar, also the red icon with a white X,
and the pop-ups too, SPYWARE ALERT, WINDOWS SECURITY ALERT.

Thanks in Advance




Response Number 1
Name: jabuck
Date: September 7, 2008 at 18:39:38 Pacific
Reply:

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: xbato
Date: September 7, 2008 at 19:16:21 Pacific
Reply:

RESULTS:
MALWAREBYTES

Malwarebytes' Anti-Malware 1.26
Database version: 1126
Windows 5.1.2600 Service Pack 2

9/8/2008 11:10:44 AM
mbam-log-2008-09-08 (11-10-44).txt

Scan type: Quick Scan
Objects scanned: 46492
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 17
Folders Infected: 1
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\vanwxemgkpv.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\xrdwbfgn.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\gksraemq.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\dgksvbpn.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{c264211a-19f9-4e76-9130-b79df1e2e75d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{257660ce-2957-48df-ac59-1549053d628d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f043ecd6-9a1b-4412-8dc5-3e9cea264d94} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e638a808-9e2f-4867-b753-8c03620a3e54} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e638a808-9e2f-4867-b753-8c03620a3e54} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d389a92c-bf77-434e-8bce-ddd656167870} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{61a52cde-9344-4e28-83d1-f94329b1c1e8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b6f2a92c-912a-4113-86d3-922db1fa95c4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{89f51b26-a3fb-487c-b4e8-334cc35795a1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2c792cd8-689d-46e9-abde-389595e99edb} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gksraemq.bwxf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gksraemq.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xrdwbfgn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{89f51b26-a3fb-487c-b4e8-334cc35795a1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dgksvbpn (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: () -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\MSa.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\cleanup.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\vanwxemgkpv.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\xrdwbfgn.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\sxmaokgf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\gksraemq.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\dgksvbpn.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Server\Application Data\TmpRecentIcons\MS Antivirus.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Server\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Server\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Server\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:12 AM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: BlueSoleil.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 8553 bytes


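An added example, not from the thread and not a Malwarebytes tool: a small Python parser for the MBAM 1.x log format posted above. The sample log is constructed from the entries in this post (same keys, same Bad/Good values). It pulls the Bad/Good pairs out of the "Registry Data Items Infected" section, decodes the NoDrives bitmask (12 = drives C: and D: hidden), and names the value that put the "VIRUS ALERT!" text on the taskbar: sTimeFormat is the clock format string, and the clock rendered the injected text. The EXPLANATIONS table and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log format; the
# lines mirror the ones posted in the thread (same keys, same Bad/Good values).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: () -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\vanwxemgkpv.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\cleanup.bat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Data Items" lines carry the value MBAM found and the value it restored.
DATA_ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)
# Every other finding line: <path> (<detection>) -> <action>
FINDING_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Finding:
    target: str                 # registry key/value path or file path
    detection: str              # MBAM detection name, e.g. Trojan.FakeAlert
    action: str                 # what MBAM did with it
    bad: Optional[str] = None   # Registry Data Items only: value found
    good: Optional[str] = None  # Registry Data Items only: value restored

    @property
    def name(self) -> str:
        # Last path component: the registry value name or the file name.
        return self.target.rsplit("\\", 1)[-1]


def parse_mbam_log(text: str) -> Dict[str, List[Finding]]:
    """Group finding lines under their section header ("Files Infected", ...)."""
    sections: Dict[str, List[Finding]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers end with ':' and are not finding lines.
        if line.endswith(":") and " -> " not in line:
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = DATA_ITEM_RE.match(line) or FINDING_RE.match(line)
        if m is None:
            continue  # e.g. "(No malicious items detected)"
        d = m.groupdict()
        sections[current].append(
            Finding(d["target"], d["detection"], d["action"], d.get("bad"), d.get("good"))
        )
    return sections


def hidden_drives(nodrives: int) -> List[str]:
    """Decode the Explorer NoDrives bitmask: bit 0 hides A:, bit 1 B:, ... bit 25 Z:."""
    return [chr(ord("A") + i) + ":" for i in range(26) if (nodrives >> i) & 1]


# Assumed, example-only notes for the values this family touched in the posted log.
EXPLANATIONS = {
    "sTimeFormat": "time format string used by the taskbar clock, so injected text shows next to the time",
    "ProductId": "product ID string shown in System Properties",
    "DisableTaskMgr": "1 blocks Task Manager for the user",
    "NoDrives": "bitmask of drive letters hidden from Explorer",
}


def describe(f: Finding) -> str:
    """One-line, human-readable account of a Registry Data Items finding."""
    note = EXPLANATIONS.get(f.name, "registry value changed")
    if f.name == "NoDrives" and f.bad and f.bad.isdigit():
        note += " (hid " + ", ".join(hidden_drives(int(f.bad))) + ")"
    return f"{f.name}: {note}; found {f.bad!r}, restored {f.good!r}"


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for item in parsed.get("Registry Data Items Infected", []):
        print(describe(item))
    for item in parsed.get("Files Infected", []):
        print(f"{item.target} [{item.detection}] -> {item.action}")
```

Feed it a full saved mbam-log-*.txt instead of SAMPLE_LOG and the same two regexes cover every section; the "Delete on reboot." action is what to watch for, since those entries are not gone until the machine has restarted.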

Response Number 3
Name: jabuck
Date: September 7, 2008 at 19:41:54 Pacific
Reply:

Looks as though you have two antivirus programs running, Kaspersky and Avira. You need to uninstall one of them as they will conflict and cause you problems.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "Fix checked":

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O24 - Desktop Component 0: Privacy Protection - (no file)

Exit Hijack This.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your antivirus (one of them should be uninstalled by now) and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



Response Number 4
Name: xbato
Date: September 7, 2008 at 20:08:08 Pacific
Reply:

Here is the COMBOFIX LOG:

ComboFix 08-09-05.05 - Server 2008-09-08 10:59:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703 [GMT -7:00]
Running from: D:\INSTALLERS\UTILITIES\virus alert removed\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Server\Application Data\Adobe\crc.dat
C:\WINDOWS\exge.exe

----- BITS: Possible infected sites -----

http://pornotube30.net
.
((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-08 11:00 . 2008-09-08 11:00 <DIR> d-------- C:\Documents and Settings\Server\Application Data\Malwarebytes
2008-09-08 11:00 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-08 11:00 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:59 . 2008-09-08 11:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 10:59 . 2008-09-08 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-07 20:01 . 2008-09-07 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 16:56 . 2008-09-07 17:27 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-09-07 16:56 . 2008-09-07 17:27 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-09-07 16:55 . 2008-09-08 10:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-07 16:55 . 2008-09-08 11:04 2,304,544 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-07 16:55 . 2008-09-08 11:02 270,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-07 16:55 . 2008-09-08 11:04 20,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-07 16:55 . 2008-09-08 11:02 3,052 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-07 16:51 . 2008-09-07 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-30 15:55 . 2008-08-30 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FarmFrenzy2
2008-08-30 15:52 . 2008-08-30 15:52 <DIR> d-------- C:\games
2008-08-22 21:54 . 2008-08-22 21:54 <DIR> d-------- C:\Program Files\Electronic Arts
2008-08-22 21:54 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-22 21:54 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-08-22 21:54 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-08-22 21:54 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-08-22 21:54 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-08-22 21:54 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-08-22 21:54 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-08-22 21:54 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-08-22 21:54 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-08-22 21:54 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-08-21 08:17 . 2008-08-21 08:17 <DIR> d-------- C:\Documents and Settings\Server\Application Data\com.Multiply.AutoUploader.C7DF09F73C2059D294831784007C5F0856677385.1
2008-08-21 08:16 . 2008-08-21 08:16 <DIR> d-------- C:\Program Files\Multiply
2008-08-21 08:16 . 2008-08-21 08:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-19 16:43 . 2008-08-19 16:44 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-08-19 16:39 . 2008-08-19 16:39 <DIR> d-------- C:\Documents and Settings\Server\Application Data\PlayFirst
2008-08-19 16:39 . 2008-08-19 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-08-19 16:38 . 2008-08-19 16:38 <DIR> d-------- C:\WINDOWS\Cooking Dash
2008-08-19 16:38 . 2008-08-20 12:28 <DIR> d-------- C:\Program Files\Cooking Dash
2008-08-19 15:24 . 2008-08-19 15:24 <DIR> d-------- C:\Documents and Settings\Server\Application Data\Go-Go Gourmet Chef of the Year
2008-08-19 15:23 . 2008-08-19 15:23 <DIR> d-------- C:\WINDOWS\Go-Go Gourmet 2 - Chef of the Year
2008-08-19 15:23 . 2008-08-19 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-19 10:31 . 2008-08-18 14:01 302 --a------ C:\WINDOWS\removeWinzip.bat
2008-08-15 16:06 . 2008-08-15 16:06 <DIR> d-------- C:\WINDOWS\Baby Blimp
2008-08-14 16:24 . 2005-07-30 04:55 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-08-14 16:24 . 2005-07-30 04:55 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-08-14 16:24 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-08-14 16:24 . 2004-08-04 00:56 61,952 --a--c--- C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-08-14 16:24 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-08-14 16:24 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-08-14 16:24 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-08-14 16:24 . 2004-08-04 00:56 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-08-14 16:24 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-08-14 16:24 . 2004-08-04 00:56 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2008-08-14 16:22 . 2008-08-14 16:22 <DIR> d-------- C:\Program Files\Vimicro
2008-08-14 15:55 . 2008-08-14 15:55 <DIR> d-------- C:\WINDOWS\Sun
2008-08-11 16:59 . 2008-08-11 16:59 <DIR> d-------- C:\logs
2008-08-11 13:21 . 2008-08-27 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-11 12:25 . 2008-09-08 09:48 35 --a------ C:\WINDOWS\Ulead32.INI
2008-08-11 12:24 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-11 12:24 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-08-11 10:56 . 2008-08-11 10:56 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-08-11 10:56 . 2003-07-20 20:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-08-11 10:56 . 2005-01-04 11:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-08-09 21:31 . 2008-08-09 21:31 <DIR> d-------- C:\Kpcms
2008-08-09 21:31 . 1998-09-14 08:41 285,216 --a------ C:\WINDOWS\system32\drivers\Onsio.sys
2008-08-09 21:31 . 1998-08-01 12:00 60,928 --a------ C:\WINDOWS\system32\drivers\Smplscsi.sys
2008-08-09 21:31 . 2003-06-11 12:03 15,396 --a------ C:\WINDOWS\system32\Msmusd5.dll
2008-08-09 21:31 . 2001-06-20 15:44 13,962 --a------ C:\WINDOWS\system32\Msmusd6.dll
2008-08-09 21:31 . 2003-07-17 16:12 12,499 --a------ C:\WINDOWS\system32\Msmusd7.dll
2008-08-09 21:31 . 1997-02-14 13:10 7,680 --a------ C:\WINDOWS\system32\drivers\Onsreged.sys
2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Program Files\Winamp Toolbar
2008-08-09 14:48 . 2008-08-09 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-08-09 14:47 . 2008-08-09 14:48 <DIR> d-------- C:\Program Files\Winamp
2008-08-09 14:47 . 2008-08-09 14:57 <DIR> d-------- C:\Documents and Settings\Server\Application Data\Winamp
2008-08-09 14:12 . 2008-08-09 14:14 <DIR> d-------- C:\Program Files\MpcStar
2008-08-09 12:15 . 2004-08-03 23:10 59,648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys
2008-08-09 12:15 . 2004-08-03 23:10 59,648 --a--c--- C:\WINDOWS\system32\dllcache\rfcomm.sys
2008-08-09 12:15 . 2004-08-03 23:10 17,024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys
2008-08-09 12:15 . 2004-08-03 23:10 17,024 --a--c--- C:\WINDOWS\system32\dllcache\bthenum.sys
2008-08-09 12:14 . 2004-08-04 00:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-08-09 12:14 . 2004-08-04 00:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-08-09 12:14 . 2004-08-04 00:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-08-09 12:14 . 2004-08-04 00:56 27,136 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2008-08-09 12:14 . 2004-08-04 00:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-08-09 12:14 . 2004-08-04 00:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-08-09 12:06 . 2008-08-09 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-09 11:56 . 2008-08-09 11:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-08-09 11:55 . 2008-08-09 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-08-09 11:55 . 2004-08-03 23:10 274,304 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-08-09 11:55 . 2004-08-03 23:10 274,304 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-09 11:55 . 2004-08-03 23:10 18,944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS
2008-08-09 11:55 . 2004-08-03 23:10 18,944 --a--c--- C:\WINDOWS\system32\dllcache\bthusb.sys
2008-08-09 11:53 . 2008-08-21 16:42 <DIR> d-------- C:\Documents and Settings\Server\Application Data\Apple Computer
2008-08-09 11:52 . 2008-08-09 11:53 <DIR> d-------- C:\Program Files\iTunes
2008-08-09 11:52 . 2008-08-09 11:52 <DIR> d-------- C:\Program Files\iPod
2008-08-09 11:51 . 2008-08-09 11:52 <DIR> d-------- C:\Program Files\QuickTime
2008-08-09 11:51 . 2008-08-09 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-09 11:50 . 2008-08-09 11:50 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-08-09 11:50 . 2008-08-09 11:50 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-09 11:50 . 2008-08-09 11:50 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-09 11:50 . 2008-09-07 22:02 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-08-09 11:49 . 2008-08-09 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-09 11:45 . 2008-08-09 11:45 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-08-09 11:43 . 2008-08-20 19:33 <DIR> d-------- C:\Program Files\BearShare
2008-08-09 11:40 . 2008-08-15 09:54 <DIR> d-------- C:\Documents and Settings\Server\Application Data\Ahead
2008-08-09 11:37 . 2008-08-09 11:37 <DIR> d-------- C:\Program Files\Nero
2008-08-09 11:37 . 2008-08-09 11:41 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-08-09 11:37 . 2008-08-09 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-08-09 11:35 . 2008-09-07 12:10 <DIR> d-------- C:\Documents and Settings\Server\Application Data\OpenOffice.org2
2008-08-09 11:20 . 2004-08-03 23:10 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2008-08-09 11:20 . 2004-08-03 23:10 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2008-08-09 11:20 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-08-09 11:20 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-08-09 11:19 . 2005-07-30 04:55 90,624 --a------ C:\WINDOWS\system32\drivers\kswdmcap.ax
2008-08-09 11:19 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\drivers\kstvtune.ax
2008-08-09 11:19 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2008-08-09 11:19 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\drivers\ksxbar.ax
2008-08-09 11:19 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\drivers\vidcap.ax
2008-08-09 11:18 . 2008-08-09 11:18 <DIR> d-------- C:\Program Files\IVT Corporation
2008-08-09 11:16 . 2008-08-09 21:17 12,033 --a------ C:\test.spr
2008-08-09 11:13 . 2008-08-19 20:57 <DIR> d-------- C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-08-09 11:11 . 2008-08-09 11:11 <DIR> d-------- C:\Program Files\Microtek
2008-08-09 11:11 . 2008-08-14 16:22 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-08-09 10:14 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-08-09 10:11 . 2008-08-09 10:11 <DIR> d-------- C:\Program Files\MSBuild
2008-08-09 10:11 . 2008-08-09 10:11 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-09 10:03 . 2008-08-09 10:09 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-09 10:02 . 2008-08-09 10:02 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 23:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-09 14:43 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-09 14:39 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-18 7700480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-08-09 1048576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>­Ý\†Ð=ŸàÛ±Þ"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"D:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 24592]
S3 AVPsys;AVPsys;C:\WINDOWS\system32\drivers\tdi.sys [2004-08-04 18560]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-09 307968]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284ddcd9-6a14-11dd-ba3b-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{291739e1-6ecf-11dd-ba46-00116776468a}]
\Shell\AutoRun\command - hbq.exe
\Shell\explore\Command - hbq.exe
\Shell\open\Command - hbq.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b9c1f65-688c-11dd-ba39-00116776468a}]
\Shell\AutoRun\command - K:\bar311.exe %1
\Shell\Explore\command - K:\bar311.exe %1
\Shell\Open\command - K:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3116173c-738f-11dd-b521-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{311629d1-738f-11dd-b521-00116776468a}]
\Shell\AutoRun\command - K:\u9dyi.exe
\Shell\explore\Command - K:\u9dyi.exe
\Shell\open\Command - K:\u9dyi.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40ce458a-7482-11dd-b526-00116776468a}]
\Shell\0pen\command - krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8eab7-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - g.exe
\Shell\explore\Command - g.exe
\Shell\open\Command - g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8eb98-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8ee6c-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8f4ed-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - L:\bar311.exe %1
\Shell\Explore\command - L:\bar311.exe %1
\Shell\Open\command - L:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46a3baa8-7c51-11dd-b536-00116776468a}]
\Shell\AutoRun\command - p.bat
\Shell\explore\Command - p.bat
\Shell\open\Command - p.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{574da2dc-7c2c-11dd-b533-00116776468a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe MyMP3.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d02ff4e-75d8-11dd-b528-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d03019a-75d8-11dd-b528-00116776468a}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d0309b8-75d8-11dd-b528-00116776468a}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897bc1-67cb-11dd-ba38-00116776468a}]
\Shell\AutoRun\command - K:\ojbss9gv.com
\Shell\explore\Command - K:\ojbss9gv.com
\Shell\open\Command - K:\ojbss9gv.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897d99-67cb-11dd-ba38-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897e7f-67cb-11dd-ba38-00116776468a}]
\Shell\Auto\command - K:\keybd.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL keybd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b4939a7-6e13-11dd-ba45-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80e0dc44-79dc-11dd-b52c-00116776468a}]
\Shell\Auto\command - K:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - K:\Recycled/dllcache32.exe
\Shell\open\Command - K:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80e0e551-79dc-11dd-b52c-00116776468a}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84fb8dfb-6f92-11dd-b519-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84fb90b5-6f92-11dd-b519-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84fb9110-6f92-11dd-b519-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f02cc82-7063-11dd-b51b-00116776468a}]
\Shell\Auto\command - K:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - K:\Recycled/dllcache32.exe
\Shell\open\Command - K:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bbe04ad-751c-11dd-b527-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aec1b936-6644-11dd-ba35-00030d000001}]
\Shell\0pen\command - K:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1e4f20a-6d48-11dd-ba40-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2064d99-696b-11dd-ba3a-00116776468a}]
\Shell\AutoRun\command - K:\bar311.exe %1
\Shell\Explore\command - K:\bar311.exe %1
\Shell\Open\command - K:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b837329c-6d6d-11dd-ba42-00116776468a}]
\Shell\AutoRun\command - K:\c9hehpa.bat
\Shell\explore\Command - K:\c9hehpa.bat
\Shell\open\Command - K:\c9hehpa.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8373464-6d6d-11dd-ba42-00116776468a}]
\Shell\AutoRun\command - K:\c9hehpa.bat
\Shell\explore\Command - K:\c9hehpa.bat
\Shell\open\Command - K:\c9hehpa.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfcdd3e4-7208-11dd-b51e-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9544-6adf-11dd-ba3c-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9b2a-6adf-11dd-ba3c-00116776468a}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9b4e-6adf-11dd-ba3c-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed65caff-72ca-11dd-b51f-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff968993-6f01-11dd-b514-00116776468a}]
\Shell\AutoRun\command - K:\bar311.exe %1
\Shell\Explore\command - K:\bar311.exe %1
\Shell\Open\command - K:\bar311.exe %1
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Server\Application Data\Mozilla\Firefox\Profiles\nb6l88aq.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytie&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-08 11:04:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------- Other Running Processes -------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-08 11:07:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 18:07:48

Pre-Run: 35,702,431,744 bytes free
Post-Run: 38,521,339,904 bytes free



thanks :D


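The MountPoints2 block in the ComboFix log above is the part worth reading closely: every `{GUID}` is a removable volume that was plugged into this PC, and each one carries an AutoRun/Open/Explore handler pointing at an executable on the stick itself (`password_viewer.exe`, `bar311.exe`, `krag.exe`, `Recycled/dllcache32.exe`, a `.vbs` launched through `wscript.exe`). Two of them spell the verb `0pen` with a digit zero, several launder the launch through `rundll32.exe Shell32.DLL,ShellExec_RunDLL`, and higher up the log the Windows Firewall is off (`EnableFirewall = 0`) and Security Center monitoring for Kaspersky is disabled. As an added example, not code from the thread or from ComboFix, the script below parses those lines into one finding per volume and flags those patterns; the sample text is a constructed subset of the posted log (with the `[u]0[/u]` markers ComboFix wraps around the zero dropped), and the regexes and flag names are my own.

```python
import re

# Constructed sample: a subset of the 'Reg Loading Points' lines from the ComboFix
# log posted above. The [u]0[/u] markers ComboFix wraps around the digit zero in
# the spoofed '0pen' verb are dropped so the lines are plain text.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284ddcd9-6a14-11dd-ba3b-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40ce458a-7482-11dd-b526-00116776468a}]
\Shell\0pen\command - krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL krag.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d0309b8-75d8-11dd-b528-00116776468a}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{574da2dc-7c2c-11dd-b533-00116776468a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe MyMP3.vbs
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
MP2_RE = re.compile(r"\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.I)
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.I)
RUNDLL_RE = re.compile(r"^.*rundll32\.exe\s+shell32\.dll,ShellExec_RunDLL\s+", re.I)
PAYLOAD_RE = re.compile(r"([A-Za-z0-9_./\\:-]+\.(?:exe|com|bat|cmd|vbs|pif|scr))", re.I)
KNOWN_VERBS = {"autorun", "open", "explore"}  # the verbs Explorer itself writes

def _parse_verb(line, mp):
    """Record one Shell\\<verb>\\command line against its MountPoints2 entry."""
    m = VERB_RE.match(line)
    if not m:
        return
    verb, cmd = m.group("verb"), m.group("cmd").strip()
    mp["verbs"].append(verb)
    if verb.lower() not in KNOWN_VERBS:          # '0pen' with a digit zero, 'Auto', ...
        mp["flags"].add("unusual verb '%s'" % verb)
    if RUNDLL_RE.match(cmd):                     # launch laundered through rundll32
        mp["flags"].add("rundll32 ShellExec_RunDLL indirection")
        cmd = RUNDLL_RE.sub("", cmd)
    if "recycled" in cmd.lower():                # payload parked in the Recycled folder
        mp["flags"].add("payload under Recycled")
    if "wscript" in cmd.lower():                 # script-host launch of a .vbs dropper
        mp["flags"].add("script host launch")
    names = PAYLOAD_RE.findall(cmd)
    if names:                                    # last token is the real payload
        mp["payloads"].add(names[-1].replace("/", "\\").lower())

def parse_combofix(text):
    """Collect the MountPoints2 autorun handlers plus the firewall/Security Center markers."""
    report = {"mountpoints": [], "firewall_disabled": False, "monitoring_disabled": []}
    key, mp = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            key, mp = sec.group("key"), None
            guid = MP2_RE.search(key)
            if guid:
                mp = {"guid": guid.group("guid").lower(), "verbs": [], "payloads": set(), "flags": set()}
                report["mountpoints"].append(mp)
        elif mp is not None:
            _parse_verb(line, mp)
        elif key is not None:
            k = key.lower()
            if k.endswith("firewallpolicy\\standardprofile") and re.match(r'^"enablefirewall"\s*=\s*0\b', line, re.I):
                report["firewall_disabled"] = True
            elif "\\security center\\monitoring\\" in k and re.match(r'^"disablemonitoring"\s*=\s*dword:0*1$', line, re.I):
                report["monitoring_disabled"].append(key.rsplit("\\", 1)[-1])
    return report

def payload_names(report):
    """Distinct payload file names with drive and folder stripped, for checking the media itself."""
    return sorted({p.rsplit("\\", 1)[-1] for mp in report["mountpoints"] for p in mp["payloads"]})

def summarize(report):
    """One line per finding: defences switched off first, then each volume's handler."""
    lines = ["Windows Firewall disabled in the standard profile"] if report["firewall_disabled"] else []
    lines += ["Security Center monitoring disabled for " + p for p in report["monitoring_disabled"]]
    for mp in report["mountpoints"]:
        flags = "; ".join(sorted(mp["flags"]))
        lines.append("%s -> %s%s" % (mp["guid"], ", ".join(sorted(mp["payloads"])) or "(none parsed)",
                                     " [%s]" % flags if flags else ""))
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(parse_combofix(SAMPLE_LOG))))
```

Feed it the whole log (`parse_combofix(open(path).read())`) to get one line per volume. The names from `payload_names()` are what to look for on the K: and L: sticks before they go anywhere near a cleaned machine: the MountPoints2 key only records the handler Explorer cached, the infected media itself is not on this PC, and plugging it back in with AutoRun enabled reinfects the box.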

Response Number 5
Name: DAVEINCAPS
Date: September 7, 2008 at 21:05:10 Pacific
Reply:

After removing the malware, if 'virus alert!' still shows as either a product ID or in the taskbar you can fix it by editing the registry. See my #2 and #3 here:

http://www.computing.net/answers/se...





Response Number 6
Name: xbato
Date: September 7, 2008 at 21:18:44 Pacific
Reply:

thanks to malwarebytes.. it removed the virus alert on my taskbar :D

Mr. jabuck, after I run the ComboFix, what's next? ^^



Response Number 7
Name: DAVEINCAPS
Date: September 7, 2008 at 23:07:29 Pacific
Reply:

The logs show your product ID may have been changed to 'virus alert!'. If so, malwarebytes may have removed it, but did it replace it with the correct ID? Right click on 'my computer' and choose properties. Does 'virus alert!' show there?



Response Number 8
Name: xbato
Date: September 8, 2008 at 19:00:10 Pacific
Reply:

not anymore mr. daveincaps.. no more VIRUS ALERT!



Response Number 9
Name: DAVEINCAPS
Date: September 8, 2008 at 22:28:26 Pacific
Reply:

That's good. As long as your product ID shows in properties then you're OK.

Malwarebytes can fix the 'virus alert!' in the taskbar by simply removing it from the time format entry in the registry. However, I wasn't sure it would know what to do when the product ID was replaced with 'virus alert!'. Just removing the term would leave it blank--no product ID. This line from your log:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: () -> Quarantined and deleted successfully.

indicates one of your product ID locations was corrupted. But I'm glad everything seems to be OK now.


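The distinction DAVEINCAPS draws above matters in practice: the taskbar text comes from the clock's time-format string, so deleting the token is the whole fix there, whereas a ProductId that was overwritten rather than appended to is simply gone once the token is removed, and the only way to put it back is a known-good copy. As an added example, not code from the thread or from Malwarebytes, the functions below implement both checks with that caveat made explicit. The registry locations used (`sTimeFormat` under `HKCU\Control Panel\International`, `ProductId` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`) and the XP product ID pattern are assumptions on my part; `audit_registry` only touches the registry with `apply=True` and returns `None` off Windows.

```python
import re

MARKER = "VIRUS ALERT!"
# Assumed layout of a Windows XP product ID: 12345-123-1234567-12345 or 12345-OEM-1234567-12345.
PRODUCT_ID_RE = re.compile(r"^\d{5}-(?:OEM|\d{3})-\d{7}-\d{5}$")
# Where the two strings live (assumed locations): the clock format under HKCU, the ID under HKLM.
TIME_FORMAT = (r"Control Panel\International", "sTimeFormat")
PRODUCT_ID = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductId")

def strip_marker(value):
    """Remove every copy of the injected token and the whitespace it leaves behind."""
    return " ".join(re.sub(re.escape(MARKER), "", value, flags=re.I).split())

def check_time_format(value):
    """The taskbar clock renders sTimeFormat verbatim, so the token only has to be removed."""
    return {"tampered": MARKER.lower() in value.lower(), "restored": strip_marker(value)}

def check_product_id(value, backup=None):
    """A ProductId that was overwritten (not appended to) is empty once the token is stripped;
    only a copy saved earlier (a registry export, another of its locations) can put it back."""
    tampered = MARKER.lower() in value.lower()
    stripped = strip_marker(value)
    if PRODUCT_ID_RE.match(stripped):           # appended token, or nothing wrong at all
        return {"tampered": tampered, "restored": stripped, "needs_backup": False}
    if backup and PRODUCT_ID_RE.match(backup):  # overwritten, but we hold the real one
        return {"tampered": True, "restored": backup, "needs_backup": False}
    return {"tampered": True, "restored": stripped, "needs_backup": True}

def audit_registry(product_id_backup=None, apply=False):
    """Read both live values on Windows and, only with apply=True, write the restored ones.
    Returns None elsewhere, where the winreg module does not exist."""
    try:
        import winreg
    except ImportError:
        return None
    checks = (
        (winreg.HKEY_CURRENT_USER, TIME_FORMAT, check_time_format),
        (winreg.HKEY_LOCAL_MACHINE, PRODUCT_ID, lambda v: check_product_id(v, product_id_backup)),
    )
    results = {}
    access = winreg.KEY_READ | (winreg.KEY_SET_VALUE if apply else 0)
    for root, (path, name), check in checks:
        with winreg.OpenKey(root, path, 0, access) as key:
            value, _ = winreg.QueryValueEx(key, name)
            result = check(str(value))
            # never write a blank ProductId: that is the failure DAVEINCAPS warns about
            if apply and result["tampered"] and not result.get("needs_backup"):
                winreg.SetValueEx(key, name, 0, winreg.REG_SZ, result["restored"])
        results[name] = result
    return results

if __name__ == "__main__":
    print(check_time_format("HH:mm:ss VIRUS ALERT!"))
    print(check_product_id("VIRUS ALERT!"))
    print(audit_registry())  # dry run; None when not on Windows
```

Run it once without `apply` and read the `needs_backup` flag before doing anything else: if it is set, the cleaner has nothing to restore from, and the ID has to come from an export taken before the infection or from the copy Windows keeps elsewhere, which is exactly the check the post recommends making in System Properties.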

Response Number 10
Name: jabuck
Date: September 9, 2008 at 15:05:04 Pacific
Reply:

Sorry for the delay, work is a must.

Your computer is still infected, post a new Combofix log and the requested Hijack This log please.



Response Number 11
Name: xbato
Date: September 12, 2008 at 06:21:18 Pacific
Reply:

omg. I just read your post, Mr. jabuck. Do I still need to run the ComboFix?



Response Number 12
Name: xbato
Date: September 12, 2008 at 06:35:22 Pacific
Reply:

Here's the ComboFix log and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:11 PM, on 9/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 1: Privacy Protection - (no file)

--
End of file - 7106 bytes

ComboFix 08-09-05.05 - Server 2008-09-12 21:40:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.674 [GMT -7:00]
Running from: D:\INSTALLERS\UTILITIES\virus alert removed\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-13 to 2008-09-13 )))))))))))))))))))))))))))))))
.

2008-09-10 15:17 . 2008-09-10 15:17 <DIR> d-------- C:\Documents and Settings\Server\Application Data\ViquaSoft
2008-09-10 15:16 . 2008-09-10 15:16 <DIR> d-------- C:\Program Files\First Class Flurry
2008-09-08 17:13 . 2008-09-08 17:17 <DIR> d-------- C:\Documents and Settings\Server\Application Data\BeachPartyCraze
2008-09-08 17:09 . 2008-09-08 17:09 <DIR> d-------- C:\WINDOWS\Beach Party Craze
2008-09-08 17:09 . 2008-09-08 17:17 <DIR> d-------- C:\Program Files\Beach Party Craze
2008-09-08 11:00 . 2008-09-08 11:00 <DIR> d-------- C:\Documents and Settings\Server\Application Data\Malwarebytes
2008-09-08 11:00 . 2008-09-02 00:16 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-08 11:00 . 2008-09-02 00:16 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-08 10:59 . 2008-09-08 11:00 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-08 10:59 . 2008-09-08 10:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-07 20:01 . 2008-09-07 20:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 16:56 . 2008-09-07 17:27 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-09-07 16:56 . 2008-09-07 17:27 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-09-07 16:55 . 2008-09-12 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-07 16:55 . 2008-09-12 21:15 2,516,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-07 16:55 . 2008-09-12 00:35 344,096 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-07 16:55 . 2008-09-12 21:15 21,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-07 16:55 . 2008-09-12 00:35 3,304 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-07 16:51 . 2008-09-07 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-30 15:55 . 2008-08-30 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FarmFrenzy2
2008-08-30 15:52 . 2008-08-30 15:52 <DIR> d-------- C:\games
2008-08-22 21:54 . 2008-08-22 21:54 <DIR> d-------- C:\Program Files\Electronic Arts
2008-08-22 21:54 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-22 21:54 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-08-22 21:54 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-08-22 21:54 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-08-22 21:54 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-08-22 21:54 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-08-22 21:54 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-08-22 21:54 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-08-22 21:54 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-08-22 21:54 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-08-21 08:17 . 2008-08-21 08:17 <DIR> d-------- C:\Documents and Settings\Server\Application Data\com.Multiply.AutoUploader.C7DF09F73C2059D294831784007C5F0856677385.1
2008-08-21 08:16 . 2008-08-21 08:16 <DIR> d-------- C:\Program Files\Multiply
2008-08-21 08:16 . 2008-08-21 08:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-19 16:43 . 2008-08-19 16:44 <DIR> d-------- C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2008-08-19 16:39 . 2008-08-19 16:39 <DIR> d-------- C:\Documents and Settings\Server\Application Data\PlayFirst
2008-08-19 16:39 . 2008-08-19 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-08-19 16:38 . 2008-08-19 16:38 <DIR> d-------- C:\WINDOWS\Cooking Dash
2008-08-19 16:38 . 2008-08-20 12:28 <DIR> d-------- C:\Program Files\Cooking Dash
2008-08-19 15:24 . 2008-08-19 15:24 <DIR> d-------- C:\Documents and Settings\Server\Application Data\Go-Go Gourmet Chef of the Year
2008-08-19 15:23 . 2008-08-19 15:23 <DIR> d-------- C:\WINDOWS\Go-Go Gourmet 2 - Chef of the Year
2008-08-19 15:23 . 2008-08-19 15:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-19 10:31 . 2008-08-18 14:01 302 --a------ C:\WINDOWS\removeWinzip.bat
2008-08-15 16:06 . 2008-08-15 16:06 <DIR> d-------- C:\WINDOWS\Baby Blimp
2008-08-14 16:24 . 2005-07-30 04:55 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-08-14 16:24 . 2005-07-30 04:55 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-08-14 16:24 . 2004-08-04 00:56 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-08-14 16:24 . 2004-08-04 00:56 61,952 --a--c--- C:\WINDOWS\system32\dllcache\kstvtune.ax
2008-08-14 16:24 . 2004-08-04 00:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-08-14 16:24 . 2004-08-04 00:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-08-14 16:24 . 2004-08-04 00:56 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-08-14 16:24 . 2004-08-04 00:56 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2008-08-14 16:24 . 2004-08-04 00:56 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-08-14 16:24 . 2004-08-04 00:56 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2008-08-14 16:22 . 2008-08-14 16:22 <DIR> d-------- C:\Program Files\Vimicro
2008-08-14 15:55 . 2008-08-14 15:55 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-11 20:33 --------- d-----w C:\Documents and Settings\Server\Application Data\OpenOffice.org2
2008-09-07 23:55 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-28 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-26 18:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-25 23:56 --------- d-----w C:\Program Files\Java
2008-08-23 04:51 --------- d-----w C:\Program Files\MagicDisc
2008-08-21 23:42 --------- d-----w C:\Documents and Settings\Server\Application Data\Apple Computer
2008-08-21 02:33 --------- d-----w C:\Program Files\BearShare
2008-08-20 03:57 --------- d-----w C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-08-19 04:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-15 16:54 --------- d-----w C:\Documents and Settings\Server\Application Data\Ahead
2008-08-14 23:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-14 23:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-11 20:21 --------- d--h--r C:\Documents and Settings\Server\Application Data\yahoo!
2008-08-11 17:56 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-08-09 21:57 --------- d-----w C:\Documents and Settings\Server\Application Data\Winamp
2008-08-09 21:48 --------- d-----w C:\Program Files\Winamp Toolbar
2008-08-09 21:48 --------- d-----w C:\Program Files\Winamp
2008-08-09 21:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2008-08-09 21:14 --------- d-----w C:\Program Files\MpcStar
2008-08-09 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-09 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-08-09 18:53 --------- d-----w C:\Program Files\iTunes
2008-08-09 18:52 --------- d-----w C:\Program Files\QuickTime
2008-08-09 18:52 --------- d-----w C:\Program Files\iPod
2008-08-09 18:52 --------- d-----w C:\Program Files\Bonjour
2008-08-09 18:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-09 18:50 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-09 18:50 --------- d-----w C:\Program Files\Apple Software Update
2008-08-09 18:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-08-09 18:45 --------- d-----w C:\Program Files\Chikka Messenger
2008-08-09 18:41 --------- d-----w C:\Program Files\Common Files\Ahead
2008-08-09 18:37 --------- d-----w C:\Program Files\Nero
2008-08-09 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-08-09 18:18 --------- d-----w C:\Program Files\IVT Corporation
2008-08-09 18:11 --------- d-----w C:\Program Files\Microtek
2008-08-09 17:11 --------- d-----w C:\Program Files\MSBuild
2008-08-09 17:11 --------- d-----w C:\Program Files\Microsoft Works
2008-08-09 16:57 --------- d-----w C:\Program Files\MagicISO
2008-08-09 16:48 --------- d-----w C:\Program Files\uTorrent
2008-08-09 16:47 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-08-09 16:46 --------- d-----w C:\Program Files\Common Files\Java
2008-08-09 15:33 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-08-09 15:33 --------- d-----w C:\Program Files\Canon
2008-08-09 15:32 --------- d--h--w C:\Program Files\CanonBJ
2008-08-09 15:31 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-09 15:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-08-09 15:19 --------- d-----w C:\Program Files\Yahoo!
2008-08-09 15:18 307,968 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-09 15:18 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-08-09 15:18 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-09 15:18 --------- d-----w C:\Documents and Settings\Server\Application Data\TuneUp Software
2008-08-09 15:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-08-09 14:43 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-09 14:39 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-29 00:19 116,736 ----a-w C:\WINDOWS\system32\drivers\mcdbus.sys
.

((((((((((((((((((((((((((((( snapshot@2008-09-08_11.06.24.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-09 00:09:05 451,072 ----a-w C:\WINDOWS\Beach Party Craze\uninstall.exe
- 2008-09-04 16:31:50 1,580,872 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-09-11 21:57:56 1,589,416 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2008-09-02 16:37:57 41,040 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-11 19:48:51 41,040 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-02 16:37:57 314,838 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-11 19:48:51 314,838 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992]

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-18 7700480]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-08-09 1048576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"mW[íµˆÖ¾`=µú¾˜v%S8’ÿÙêé>grl>­Ý\†Ð=ŸàÛ±Þ"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"D:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 24592]
S3 AVPsys;AVPsys;C:\WINDOWS\system32\drivers\tdi.sys [2004-08-04 18560]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-09 307968]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284ddcd9-6a14-11dd-ba3b-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{291739e1-6ecf-11dd-ba46-00116776468a}]
\Shell\AutoRun\command - hbq.exe
\Shell\explore\Command - hbq.exe
\Shell\open\Command - hbq.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b9c1f5c-688c-11dd-ba39-00116776468a}]
\Shell\AutoRun\command - L:\password_viewer.exe %1
\Shell\Explore\command - L:\password_viewer.exe %1
\Shell\Open\command - L:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3116173c-738f-11dd-b521-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{311629d1-738f-11dd-b521-00116776468a}]
\Shell\AutoRun\command - K:\u9dyi.exe
\Shell\explore\Command - K:\u9dyi.exe
\Shell\open\Command - K:\u9dyi.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3543f0a6-7f5e-11dd-b54a-00116776468a}]
\Shell\AutoRun\command - E:\password_viewer.exe %1
\Shell\Explore\command - E:\password_viewer.exe %1
\Shell\Open\command - E:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a81e7ea-8051-11dd-b54e-00116776468a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe MyMP3.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40ce458a-7482-11dd-b526-00116776468a}]
\Shell\[u]0[/u]pen\command - krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8eab7-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - g.exe
\Shell\explore\Command - g.exe
\Shell\open\Command - g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8eb98-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8ee6c-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8f4ed-790d-11dd-b52b-00116776468a}]
\Shell\AutoRun\command - L:\bar311.exe %1
\Shell\Explore\command - L:\bar311.exe %1
\Shell\Open\command - L:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46a3baa8-7c51-11dd-b536-00116776468a}]
\Shell\AutoRun\command - p.bat
\Shell\explore\Command - p.bat
\Shell\open\Command - p.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{574da2dc-7c2c-11dd-b533-00116776468a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL wscript.exe MyMP3.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d02ff4e-75d8-11dd-b528-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d03019a-75d8-11dd-b528-00116776468a}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d0309b8-75d8-11dd-b528-00116776468a}]
\Shell\Auto\command - Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - Recycled/dllcache32.exe
\Shell\open\Command - Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897bc1-67cb-11dd-ba38-00116776468a}]
\Shell\AutoRun\command - K:\ojbss9gv.com
\Shell\explore\Command - K:\ojbss9gv.com
\Shell\open\Command - K:\ojbss9gv.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897d99-67cb-11dd-ba38-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897e7f-67cb-11dd-ba38-00116776468a}]
\Shell\Auto\command - K:\keybd.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL keybd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b4939a7-6e13-11dd-ba45-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80e0dc44-79dc-11dd-b52c-00116776468a}]
\Shell\Auto\command - K:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - K:\Recycled/dllcache32.exe
\Shell\open\Command - K:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80e0e551-79dc-11dd-b52c-00116776468a}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84fb90b5-6f92-11dd-b519-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84fb9110-6f92-11dd-b519-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f02cc82-7063-11dd-b51b-00116776468a}]
\Shell\Auto\command - K:\Recycled/dllcache32.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Recycled/dllcache32.exe
\Shell\explore\Command - K:\Recycled/dllcache32.exe
\Shell\open\Command - K:\Recycled/dllcache32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bbe04ad-751c-11dd-b527-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aec1b936-6644-11dd-ba35-00030d000001}]
\Shell\[u]0[/u]pen\command - L:\krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL krag.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14d692b-7e03-11dd-b547-00116776468a}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14d692c-7e03-11dd-b547-00116776468a}]
\Shell\AutoRun\command - L:\password_viewer.exe %1
\Shell\Explore\command - L:\password_viewer.exe %1
\Shell\Open\command - L:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14d692e-7e03-11dd-b547-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1e4f20a-6d48-11dd-ba40-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2064d99-696b-11dd-ba3a-00116776468a}]
\Shell\AutoRun\command - K:\bar311.exe %1
\Shell\Explore\command - K:\bar311.exe %1
\Shell\Open\command - K:\bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b837329c-6d6d-11dd-ba42-00116776468a}]
\Shell\AutoRun\command - K:\c9hehpa.bat
\Shell\explore\Command - K:\c9hehpa.bat
\Shell\open\Command - K:\c9hehpa.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8373464-6d6d-11dd-ba42-00116776468a}]
\Shell\AutoRun\command - K:\c9hehpa.bat
\Shell\explore\Command - K:\c9hehpa.bat
\Shell\open\Command - K:\c9hehpa.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfcdd3e4-7208-11dd-b51e-00116776468a}]
\Shell\AutoRun\command - password_viewer.exe %1
\Shell\Explore\command - password_viewer.exe %1
\Shell\Open\command - password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9544-6adf-11dd-ba3c-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9b2a-6adf-11dd-ba3c-00116776468a}]
\Shell\AutoRun\command - bar311.exe %1
\Shell\Explore\command - bar311.exe %1
\Shell\Open\command - bar311.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9b4e-6adf-11dd-ba3c-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed65caff-72ca-11dd-b51f-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff968993-6f01-11dd-b514-00116776468a}]
\Shell\AutoRun\command - K:\bar311.exe %1
\Shell\Explore\command - K:\bar311.exe %1
\Shell\Open\command - K:\bar311.exe %1
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Server\Application Data\Mozilla\Firefox\Profiles\nb6l88aq.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytie&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-12 21:43:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-12 21:44:17
ComboFix-quarantined-files.txt 2008-09-13 04:44:14
ComboFix2.txt 2008-09-08 18:07:54

Pre-Run: 34,626,060,288 bytes free
Post-Run: 35,542,978,560 bytes free


Response Number 13
Name: jabuck
Date: September 13, 2008 at 12:07:56 Pacific
Reply:

Open notepad (Start Menu > Run > type notepad and press "OK").

Copy and paste everything into notepad between the x's, making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284ddcd9-6a14-11dd-ba3b-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{291739e1-6ecf-11dd-ba46-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b9c1f5c-688c-11dd-ba39-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3116173c-738f-11dd-b521-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{311629d1-738f-11dd-b521-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3543f0a6-7f5e-11dd-b54a-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40ce458a-7482-11dd-b526-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8eab7-790d-11dd-b52b-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8eb98-790d-11dd-b52b-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8ee6c-790d-11dd-b52b-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41b8f4ed-790d-11dd-b52b-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46a3baa8-7c51-11dd-b536-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d02ff4e-75d8-11dd-b528-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d03019a-75d8-11dd-b528-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d0309b8-75d8-11dd-b528-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897bc1-67cb-11dd-ba38-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897d99-67cb-11dd-ba38-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f897e7f-67cb-11dd-ba38-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b4939a7-6e13-11dd-ba45-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80e0dc44-79dc-11dd-b52c-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80e0e551-79dc-11dd-b52c-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84fb90b5-6f92-11dd-b519-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84fb9110-6f92-11dd-b519-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f02cc82-7063-11dd-b51b-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bbe04ad-751c-11dd-b527-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aec1b936-6644-11dd-ba35-00030d000001}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14d692c-7e03-11dd-b547-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14d692e-7e03-11dd-b547-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1e4f20a-6d48-11dd-ba40-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2064d99-696b-11dd-ba3a-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b837329c-6d6d-11dd-ba42-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8373464-6d6d-11dd-ba42-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cfcdd3e4-7208-11dd-b51e-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9544-6adf-11dd-ba3c-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9b2a-6adf-11dd-ba3c-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaaa9b4e-6adf-11dd-ba3c-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed65caff-72ca-11dd-b51f-00116776468a}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff968993-6f01-11dd-b514-00116776468a}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Post a new Combofix log please and follow the procedure you used on the first Combofix scan.


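The reply above builds the REGEDIT4 deletion file by hand from the MountPoints2 blocks in the ComboFix log. As an added example (not ComboFix's code and not the poster's), the Python script below does the same from a log and first flags which blocks launch a program that is not an allowlisted launcher; the benign-launcher allowlist and the constructed sample log are assumptions.

```python
"""Triage ComboFix MountPoints2 entries and build the REGEDIT4 removal file.

Added example, not ComboFix's or the forum poster's code. It parses the
[HKEY_CURRENT_USER\...\mountpoints2\{GUID}] blocks the way ComboFix prints them,
flags blocks whose Shell\<verb>\command launches an executable or script that is
not an allowlisted launcher (the removable-media autorun pattern in the log above),
and emits the same "[-HKEY_CURRENT_USER\...]" deletion lines the reply writes by hand.
"""
import re

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"

# Assumed allowlist: programs that legitimately register an AutoRun handler
# (U3 flash drives). Extend it with whatever is known-good in your environment.
BENIGN_LAUNCHERS = {"launchu3.exe"}

# Constructed sample in ComboFix's "Reg Loading Points" layout. GUIDs and commands
# are copied from the log above; the LaunchU3 block is the benign contrast case.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{284ddcd9-6a14-11dd-ba3b-00116776468a}]
\Shell\AutoRun\command - K:\password_viewer.exe %1
\Shell\Explore\command - K:\password_viewer.exe %1
\Shell\Open\command - K:\password_viewer.exe %1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14d692b-7e03-11dd-b547-00116776468a}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{40ce458a-7482-11dd-b526-00116776468a}]
\Shell\[u]0[/u]pen\command - krag.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL krag.exe
"""

BLOCK_RE = re.compile(r"^\[" + re.escape(MOUNTPOINTS2) + r"\\(\{[0-9a-f-]{36}\})\]\s*$", re.I | re.M)
# The verb is matched loosely on purpose: ComboFix wraps the digit zero of the
# spoofed "0pen" verb in BBCode ([u]0[/u]pen), and explore/Explore casing varies.
CMD_RE = re.compile(r"^\\Shell\\(.+?)\\command\s+-\s+(.+?)\s*$", re.I | re.M)
# Last program/script referenced by a command; this also unwraps the
# "RunDLL32.exe Shell32.DLL,ShellExec_RunDLL <target>" indirection.
TARGET_RE = re.compile(r"([\w./\\:$~-]+\.(?:exe|com|bat|cmd|vbs|pif|scr))\b", re.I)


def parse_mountpoints(log: str) -> dict:
    """Return {guid: [(verb, command), ...]} for every MountPoints2 block in the log."""
    blocks = list(BLOCK_RE.finditer(log))
    entries = {}
    for i, m in enumerate(blocks):
        end = blocks[i + 1].start() if i + 1 < len(blocks) else len(log)
        entries[m.group(1).lower()] = CMD_RE.findall(log[m.end():end])
    return entries


def is_suspicious(commands) -> bool:
    """True unless every command in the block resolves to an allowlisted launcher."""
    for _verb, cmd in commands:
        targets = TARGET_RE.findall(cmd)
        if not targets:
            return True  # nothing recognisable to run: still worth a manual look
        basename = re.split(r"[\\/]", targets[-1])[-1].lower()
        if basename not in BENIGN_LAUNCHERS:
            return True
    return False


def build_fix_reg(log: str):
    """Return (REGEDIT4 text deleting each flagged block, flagged GUIDs in log order)."""
    flagged = [g for g, cmds in parse_mountpoints(log).items() if is_suspicious(cmds)]
    lines = ["REGEDIT4", ""] + ["[-" + MOUNTPOINTS2 + "\\" + g + "]" for g in flagged]
    return "\r\n".join(lines) + "\r\n", flagged  # .reg files are CRLF text


if __name__ == "__main__":
    reg_text, hits = build_fix_reg(SAMPLE_LOG)
    with open("Fix.reg", "w", newline="", encoding="ascii") as fh:  # newline="" keeps CRLF
        fh.write(reg_text)
    print("flagged %d of %d blocks" % (len(hits), len(parse_mountpoints(SAMPLE_LOG))))
```

Run it against a saved ComboFix log in place of SAMPLE_LOG and review the flagged list before merging Fix.reg, since the allowlist only knows the launchers you put in it.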
