
zonebac.b and smitfraud c coreservi


Name: healys818
Date: March 5, 2008 at 19:16:17 Pacific
OS: windows xp
CPU/Ram: x86
Product: toshiba
Comment:

For the past week I have been getting popups while I am on Internet Explorer. They started out as just plain blank popups, but now they have ads on them and are coming up more often. My Windows Defender finds zonebac.b and Spybot finds smitfraud. I try to delete them, but they keep coming up every day that I check. Any help would be great, thanks!!





Response Number 1
Name: Kaithlyn
Date: March 6, 2008 at 03:02:45 Pacific
Reply:

Update both Windows Defender and Spybot and then run a scan again. I also recommend running scans in Safe Mode, since most malicious files are inactive in Safe Mode and can't interfere with security tools. Here's a Safe Mode tutorial.

tc;



Response Number 2
Name: healys818
Date: March 6, 2008 at 11:32:20 Pacific
Reply:

Thanks for the help. So I ran the scans in Safe Mode and deleted the problems, but I'm still getting popups, so I'm guessing that didn't work. Any other suggestions?



Response Number 3
Name: jabuck
Date: March 6, 2008 at 17:51:00 Pacific
Reply:

You have two different infections that will need to be removed one at a time. Let's start with the zonebac infection.

Please download FindAWF from the following link:
http://noahdfear.geekstogo.com/FindAWF.exe


Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.



Response Number 4
Name: healys818
Date: March 7, 2008 at 08:48:23 Pacific
Reply:

Thanks! Here are the results of FindAWF:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 03/07/2008
The current time is: 11:43:44.02


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

07/31/2007 05:44 PM 271,672 iTunesHelper.exe
1 File(s) 271,672 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

02/07/2006 12:10 AM 98,304 ezprint.exe
03/06/2006 12:48 PM 286,720 lxcymon.exe
2 File(s) 385,024 bytes

Directory of C:\PROGRA~1\LEXMAR~3\BAK

02/02/2006 03:11 AM 290,816 fm3032.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 04:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\PROGRA~1\SPYDEF~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 09:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 04:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 11:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 08:29 PM 303,104 mcagent.exe
03/04/2008 03:37 PM 24,592 McUpdate.exe
2 File(s) 327,696 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

07/08/2005 09:18 PM 151,552 mcmnhdlr.exe
08/10/2005 03:49 PM 163,840 mcvsshld.exe
08/12/2005 01:02 AM 53,248 oasclnt.exe
3 File(s) 368,640 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

12/16/2005 03:32 AM 761,945 SynTPEnh.exe
12/16/2005 03:34 AM 82,009 SynTPLpr.exe
2 File(s) 843,954 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK

12/30/2004 03:32 AM 65,536 toscdspd.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~1\BAK

01/05/2006 05:02 PM 352,256 thotkey.exe
1 File(s) 352,256 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~4\BAK

04/26/2005 07:13 PM 122,880 SmoothView.exe
1 File(s) 122,880 bytes

Directory of C:\PROGRA~1\TOSHIBA\TVS\BAK

11/30/2005 03:25 PM 73,728 TvsTray.exe
1 File(s) 73,728 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

06/11/2007 05:16 PM 4,670,968 YahooMessenger.exe
1 File(s) 4,670,968 bytes

Directory of C:\TOSHIBA\IVP\ISM\BAK

03/17/2005 08:37 PM 151,552 pinger.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\DW\BAK

03/13/2007 04:38 PM 39,264 dwtrig20.exe
1 File(s) 39,264 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/13/2007 03:42 PM 185,632 realsched.exe
1 File(s) 185,632 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

11/28/2005 01:41 PM 602,182 ifrmewrk.exe
12/05/2005 02:37 PM 667,718 ZCfgSvc.exe
2 File(s) 1,269,900 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

02/22/2008 04:25 AM 144,784 jusched.exe
1 File(s) 144,784 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

08/10/2004 07:00 AM 158,208 MSConfig.exe
1 File(s) 158,208 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK\BAK

01/11/2006 02:05 PM 212,992 McUpdate.exe
1 File(s) 212,992 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

267048 Dec 11 2007 "C:\Program Files\iTunes\iTunesHelper.exe1204585337"
271672 Jul 31 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 6 2008 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
116008 Dec 30 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
98304 Feb 7 2006 "C:\Program Files\Lexmark 3400 Series\bak\ezprint.exe"
286720 Mar 6 2006 "C:\Program Files\Lexmark 3400 Series\bak\lxcymon.exe"
290816 Feb 2 2006 "C:\Program Files\Lexmark Fax Solutions\bak\fm3032.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
59392 Aug 10 2004 "C:\WINDOWS\$NtUninstallKB900325$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 4 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 4 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
151552 Jul 8 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
163840 Aug 10 2005 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
53248 Aug 12 2005 "C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"
761945 Dec 16 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
761945 Dec 16 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
82009 Dec 16 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
82009 Dec 16 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
65536 Dec 30 2004 "C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe"
352256 Jan 5 2006 "C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe"
122880 Apr 26 2005 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe"
73728 Nov 30 2005 "C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe"
4829184 Jul 22 2005 "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe"
4670968 Jun 11 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
151552 Mar 17 2005 "C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
39264 Mar 13 2007 "C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.exe"
39264 Mar 13 2007 "C:\Program Files\Common Files\Microsoft Shared\DW\bak\dwtrig20.exe"
34880 Jul 14 2003 "C:\WORKSSETUP\OFFICE\FILES\PFILES\COMMON\MSSHARED\DW\DWTRIG20.exe"
34880 Dec 3 2006 "C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW\DWTRIG20.exe"
185632 Sep 13 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
602182 Nov 28 2005 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
667718 Dec 5 2005 "C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe"
144784 Feb 22 2008 "C:\Program Files\Java\jre1.6.0_05\bin\bak\jusched.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 4 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
158208 Aug 10 2004 "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
158208 Aug 10 2004 "C:\WINDOWS\pchealth\helpctr\binaries\bak\MSConfig.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 4 2008 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"


end of report



Response Number 5
Name: jabuck
Date: March 7, 2008 at 20:01:19 Pacific
Reply:

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Copy/paste the following list of bolded folders to be removed:


C:\Program Files\iTunes\bak
C:\Program Files\Lexmark 3400 Series\bak
C:\Program Files\Lexmark Fax Solutions\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\McAfee.com\VSO\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\TOSHIBA\TOSCDSPD\bak
C:\Program Files\TOSHIBA\TOSHIBA Applet\bak
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak
C:\Program Files\TOSHIBA\Tvs\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\TOSHIBA\IVP\ISM\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Microsoft Shared\DW\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Intel\Wireless\Bin\bak
C:\Program Files\Java\jre1.6.0_05\bin\bak
C:\WINDOWS\pchealth\helpctr\binaries\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\McAfee.com\Agent\bak\bak\bak


Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


Your Java is out of date and can be exploited.
Download the latest version of Java from this link: Java
Click on the JDK 6 Update 5 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation, with or without Multi-language, and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jdk-6u5-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.





Response Number 6
Name: healys818
Date: March 9, 2008 at 18:14:28 Pacific
Reply:

Thanks. Here are the logs:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 03/09/2008
The current time is: 21:12:52.44


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\LTMOH\BAK

08/18/2004 07:37 AM 184,320 Ltmoh.exe
1 File(s) 184,320 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 05:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\PROGRA~1\SPYDEF~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 10:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

10/06/2005 09:20 AM 122,940 DLACTRLW.exe
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK

03/07/2008 12:45 PM 24,592 McUpdate.exe
1 File(s) 24,592 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK\BAK

01/11/2006 03:05 PM 212,992 McUpdate.exe
1 File(s) 212,992 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24592 Mar 7 2008 "C:\Program Files\ltmoh\Ltmoh.exe"
184320 Aug 18 2004 "C:\Program Files\ltmoh\bak\Ltmoh.exe"
24592 Mar 7 2008 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
24592 Mar 7 2008 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Mar 7 2008 "C:\WINDOWS\system32\DLA\DLACTRLW.exe"
122940 Oct 6 2005 "C:\Program Files\Sonic\DLA\install\dlactrlw.exe"
122940 Oct 6 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"


end of report


ComboFix 08-03-09.1 - Susan 2008-03-09 20:53:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.430 [GMT -4:00]
Running from: C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\1S7UR3DB\ComboFix[1].exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Susan\Application Data\SSTEM3~1
C:\Program Files\ppatch~1
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\tempzor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe
C:\WINDOWS\system32\aybeg.ini
C:\WINDOWS\system32\aybeg.ini2
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\hxjjfpbs.ini
C:\WINDOWS\system32\iiigfff.dll
C:\WINDOWS\system32\jkkkkhh.dll
C:\WINDOWS\system32\krqxwugq.ini
C:\WINDOWS\system32\ljjhife.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nnnopqr.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-06 16:44 . 2008-03-06 16:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-06 16:44 . 2008-03-06 16:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-05 22:45 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 23:24 . 2008-03-04 23:24 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-02 20:58 . 2008-03-09 20:15 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-02 20:41 . 2008-03-02 20:43 <DIR> d-------- C:\Program Files\RegistryCleanFix
2008-03-02 19:28 . 2008-03-02 23:42 <DIR> d-------- C:\Program Files\RegistryFix
2008-03-02 19:20 . 2008-03-02 19:27 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2008-03-02 19:20 . 2007-05-24 17:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2008-03-02 19:20 . 2008-03-02 19:20 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2008-03-02 17:59 . 2008-03-02 17:59 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 00:15 --------- d-----w C:\Program Files\QuickTime
2008-03-10 00:15 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-03-10 00:15 --------- d-----w C:\Program Files\Lexmark 3400 Series
2008-03-10 00:15 --------- d-----w C:\Program Files\iTunes
2008-03-10 00:15 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-10 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-07 16:47 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-07 16:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-07 16:47 --------- d-----w C:\Program Files\ltmoh
2008-03-07 16:45 24,592 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-03-07 16:45 24,592 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-03-07 16:45 24,592 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-03-06 23:14 99 ----a-w C:\Program Files\FxVundoB.log
2008-03-06 02:45 --------- d-----w C:\Program Files\Java
2008-03-03 23:02 --------- d-----w C:\Program Files\SpyDefender Pro
2008-03-03 00:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 22:31 --------- d-----w C:\Program Files\lx_cats
2008-02-18 01:31 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\Susan\Application Data\PlayFirst
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-09 22:04 --------- d-----w C:\Program Files\Toshiba Games
2008-01-27 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 17:34 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 01:24 --------- d-----w C:\Program Files\Google
2008-01-27 01:20 --------- d-----w C:\Program Files\AIM
2008-01-26 23:57 --------- d-----w C:\Program Files\AdwareAlert
2008-01-26 23:52 --------- d-----w C:\Documents and Settings\Susan\Application Data\AdwareAlert
2008-01-25 20:11 --------- d-----w C:\Program Files\DIGStream
2008-01-25 19:14 5,044 ----a-w C:\WINDOWS\system32\tmp.reg
2008-01-16 02:13 --------- d--h--w C:\Documents and Settings\Susan\Application Data\Move Networks
2008-01-12 20:14 --------- d-----w C:\Documents and Settings\Susan\Application Data\Sandlot Games
2008-01-12 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-01-10 22:54 --------- d-----w C:\Documents and Settings\Susan\Application Data\Jane s Hotel
2007-12-21 04:11 81,920 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2006-11-29 00:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 07:20 582 ----a-w C:\Documents and Settings\Susan\Application Data\wklnhst.dat
2006-09-21 03:31 322,560 ----a-w C:\Program Files\AIMFix.exe
2006-09-16 18:07 8,506,408 ----a-w C:\Program Files\Install_AIM.exe
2006-09-06 18:56 37,518,744 ----a-w C:\Program Files\iTunesSetup.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 184,320 2004-08-18 11:37:44 C:\Program Files\ltmoh\bak\Ltmoh.exe
----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\ltmoh\Ltmoh.exe

----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe
----a-w 24,592 2007-09-28 03:39:04 C:\Program Files\McAfee.com\Agent\mcupdate.exe

----a-w 212,992 2006-01-11 19:05:42 C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe
----a-w 24,592 2007-09-28 03:39:04 C:\Program Files\McAfee.com\Agent\mcupdate.exe

----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe

----a-w 212,992 2006-01-11 19:05:42 C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe

----a-w 212,992 2006-01-11 19:05:42 C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe
----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe

----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

----a-w 85,696 2005-06-24 02:27:36 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 77,824 2005-11-28 05:52:00 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 24,592 2008-03-07 16:45:09 C:\WINDOWS\system32\hkcmd.exe

----a-w 118,784 2005-11-28 05:55:58 C:\WINDOWS\system32\bak\igfxpers.exe
----a-w 24,592 2008-03-07 16:45:09 C:\WINDOWS\system32\igfxpers.exe

----a-w 98,304 2005-11-28 05:55:14 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 24,592 2008-03-07 16:45:09 C:\WINDOWS\system32\igfxtray.exe

----a-w 122,940 2005-10-06 13:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.exe
----a-w 24,592 2008-03-07 16:45:09 C:\WINDOWS\system32\DLA\DLACTRLW.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1743A767-3141-44F2-8365-03041927DD6F}]
C:\WINDOWS\system32\ssqrs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18BFC1E2-BE4B-4B28-92A0-FCD4914A0AFA}]
C:\Program Files\Common Files\nibym4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40E56444-A577-4D82-A4C5-FF38E4363D44}]
C:\WINDOWS\system32\awvvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B652C042-BFB0-4C4A-A395-15D42A1E5CA9}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E04E78AA-A805-41FB-ACD6-1425066BFEAF}]
C:\Program Files\Common Files\nibym83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e32efd97-6ca4-4d17-979f-ed2255755ddd}]
C:\WINDOWS\system32\fvcqoip.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8685CC}]
C:\Program Files\Helper\1201246873.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2008-03-07 12:45 24592]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-03-07 12:45 24592]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-03-07 12:45 24592]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\bak\bak\McUpdate.exe" [2008-03-07 12:45 24592]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2008-03-07 12:45 24592]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2008-03-07 12:45 24592]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2008-03-07 12:45 24592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-07 12:45 24592]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2008-03-07 12:45 24592]
"TPSMain"="TPSMain.exe" [2005-06-01 01:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2008-03-07 12:45 24592]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2008-03-07 12:45 24592]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2008-03-07 12:45 24592]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2008-03-07 12:45 24592]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2008-03-07 12:45 24592]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-07 12:45 24592]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-07 12:45 24592]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-07 12:45 24592]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-03-07 12:45 24592]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2008-03-07 12:45 24592]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2008-03-07 12:45 24592]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2008-03-07 12:45 24592]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 07:54 65536]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-03-07 12:45 24592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-07 12:45 24592]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-07 12:45 24592]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-07 12:45 24592]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-03-07 12:45 24592]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-03-07 12:45 24592]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 19:03 73728 C:\WINDOWS\system32\TDispVol.exe]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2008-03-07 12:45 24592]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-07 12:45 24592]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-07 12:45 24592]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-07 12:45 24592]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [2008-03-07 12:45 24592]
"CFSServ.exe"="CFSServ.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 10:29 88203 C:\WINDOWS\agrsmmsg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-23 01:39:31 124912]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-11 16:27:33 118784]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 12:31:42 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 04:05]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-02-13 15:21]
R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2006-02-20 15:23]
R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 12:11]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe" [2008-01-29 13:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68dd525b-9c95-11dc-9eed-00a0d1493303}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0ddeb4a-6f61-11db-9eb5-001302b29e63}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-03-01 13:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-10 01:08:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 21:05:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\TDispVol.dll
.
--------------------- Other Running Processes ---------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-03-09 21:09:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 01:09:29


0

Response Number 7
Name: jabuck
Date: March 10, 2008 at 15:38:09 Pacific
Reply:

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Copy/paste the following list of bolded folders to be removed:


C:\Program Files\ltmoh\bak
C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\Symantec AntiVirus\bak
C:\WINDOWS\system32\DLA\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\McAfee.com\Agent\bak\bak
C:\Program Files\McAfee.com\Agent\bak\bak\bak\


Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Open Notepad and copy/paste everything between the X's into it and make sure "Registry::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1743A767-3141-44F2-8365-03041927DD6F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18BFC1E2-BE4B-4B28-92A0-FCD4914A0AFA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40E56444-A577-4D82-A4C5-FF38E4363D44}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B652C042-BFB0-4C4A-A395-15D42A1E5CA9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E04E78AA-A805-41FB-ACD6-1425066BFEAF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e32efd97-6ca4-4d17-979f-ed2255755ddd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8685CC}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto start, click "run".

Post a new Combofix log.


0

Response Number 8
Name: healys818
Date: March 11, 2008 at 08:39:37 Pacific
Reply:

Thanks, I actually haven't had any problems since I did the last thing you told me.

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 03/11/2008
The current time is: 11:38:25.75


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 05:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\PROGRA~1\SPYDEF~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK

03/07/2008 12:45 PM 24,592 McUpdate.exe
1 File(s) 24,592 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK\BAK

01/11/2006 03:05 PM 212,992 McUpdate.exe
1 File(s) 212,992 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"


end of report

ComboFix 08-03-10.1 - Susan 2008-03-11 11:30:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478 [GMT -4:00]
Running from: C:\Program Files\ComboFix.exe
Command switches used :: C:\Documents and Settings\Susan\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-11 11:29 . 2008-03-11 11:29 1,584,403 --a------ C:\Program Files\ComboFix.exe
2008-03-11 11:22 . 2008-03-11 11:22 189,718 --a------ C:\Program Files\FindAWF.exe
2008-03-05 22:45 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 23:24 . 2008-03-04 23:24 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-02 20:58 . 2008-03-11 08:38 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-02 20:41 . 2008-03-02 20:43 <DIR> d-------- C:\Program Files\RegistryCleanFix
2008-03-02 19:28 . 2008-03-02 23:42 <DIR> d-------- C:\Program Files\RegistryFix
2008-03-02 19:20 . 2008-03-02 19:27 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2008-03-02 19:20 . 2007-05-24 17:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2008-03-02 19:20 . 2008-03-02 19:20 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2008-03-02 17:59 . 2008-03-02 17:59 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 15:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-11 15:23 --------- d-----w C:\Program Files\ltmoh
2008-03-11 12:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 12:38 --------- d-----w C:\Program Files\QuickTime
2008-03-11 12:38 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-03-11 12:38 --------- d-----w C:\Program Files\Lexmark 3400 Series
2008-03-11 12:38 --------- d-----w C:\Program Files\iTunes
2008-03-11 12:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-11 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-06 23:14 99 ----a-w C:\Program Files\FxVundoB.log
2008-03-06 02:45 --------- d-----w C:\Program Files\Java
2008-03-03 23:02 --------- d-----w C:\Program Files\SpyDefender Pro
2008-03-03 00:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 22:31 --------- d-----w C:\Program Files\lx_cats
2008-02-18 01:31 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\Susan\Application Data\PlayFirst
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-09 22:04 --------- d-----w C:\Program Files\Toshiba Games
2008-01-27 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 17:34 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 01:24 --------- d-----w C:\Program Files\Google
2008-01-27 01:20 --------- d-----w C:\Program Files\AIM
2008-01-26 23:57 --------- d-----w C:\Program Files\AdwareAlert
2008-01-26 23:52 --------- d-----w C:\Documents and Settings\Susan\Application Data\AdwareAlert
2008-01-25 20:11 --------- d-----w C:\Program Files\DIGStream
2008-01-25 19:14 5,044 ----a-w C:\WINDOWS\system32\tmp.reg
2008-01-16 02:13 --------- d--h--w C:\Documents and Settings\Susan\Application Data\Move Networks
2008-01-12 20:14 --------- d-----w C:\Documents and Settings\Susan\Application Data\Sandlot Games
2008-01-12 20:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-12-21 04:11 81,920 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2006-11-29 00:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 07:20 582 ----a-w C:\Documents and Settings\Susan\Application Data\wklnhst.dat
2006-09-21 03:31 322,560 ----a-w C:\Program Files\AIMFix.exe
2006-09-16 18:07 8,506,408 ----a-w C:\Program Files\Install_AIM.exe
2006-09-06 18:56 37,518,744 ----a-w C:\Program Files\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-09_21.09.12.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-03 00:50:24 61,440 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-10 01:10:31 61,440 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-03 00:50:24 399,284 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-10 01:10:31 399,284 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2006-01-09 14:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 10:20:32 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe
----a-w 24,592 2007-09-28 03:39:04 C:\Program Files\McAfee.com\Agent\mcupdate.exe

----a-w 212,992 2006-01-11 19:05:42 C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe
----a-w 24,592 2007-09-28 03:39:04 C:\Program Files\McAfee.com\Agent\mcupdate.exe

----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe

----a-w 212,992 2006-01-11 19:05:42 C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe

----a-w 212,992 2006-01-11 19:05:42 C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe
----a-w 24,592 2008-03-07 16:45:09 C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe

----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\bak\bak\bak\McUpdate.exe" [2006-01-11 15:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2008-03-07 12:45 24592]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [ ]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [ ]
"TPSMain"="TPSMain.exe" [2005-06-01 01:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [ ]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [ ]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [ ]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [ ]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [ ]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [ ]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [ ]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [ ]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 07:54 65536]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [ ]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 19:03 73728 C:\WINDOWS\system32\TDispVol.exe]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [ ]
"CFSServ.exe"="CFSServ.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 10:29 88203 C:\WINDOWS\agrsmmsg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-23 01:39:31 124912]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-11 16:27:33 118784]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 12:31:42 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 04:05]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2006-02-20 15:23]
R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 12:11]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe" [2008-01-29 13:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68dd525b-9c95-11dc-9eed-00a0d1493303}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0ddeb4a-6f61-11db-9eb5-001302b29e63}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-03-01 13:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-10 14:15:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 11:31:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2008-03-11 11:32:25
ComboFix-quarantined-files.txt 2008-03-11 15:32:23
ComboFix2.txt 2008-03-10 01:09:33



0

Response Number 9
Name: jabuck
Date: March 11, 2008 at 18:40:24 Pacific
Reply:

Go to start> control panel> add/remove programs and uninstall this rogue program

AdwareAlert

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Copy/paste the following list of bolded folders to be removed:


C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\McAfee.com\Agent\bak


Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


0
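The two FindAWF passes jabuck asks for above (Responses 7 and 9) are driven by reading the report: which bak folders still hold files, how deep a \bak\bak\bak chain has become, and which file names exist in different sizes in the live location and in a bak copy. The following Python is an added example, not part of this thread and not FindAWF's own code; it parses the report layout shown in the thread. The sample report is constructed in the style of the log healys818 posted, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the FindAWF "Option 3" report format in this thread.
SAMPLE_REPORT = """Find AWF report by noahdfear (c)2006
Version 1.40
Option 3 run successfully

bak folders found
~~~~~~~~~~~

Directory of C:\\WINDOWS\\BAK

0 File(s) 0 bytes

Directory of C:\\PROGRA~1\\SPYBOT~1\\BAK

08/31/2007 05:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\BAK

0 File(s) 0 bytes

Directory of C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\BAK\\BAK

03/07/2008 12:45 PM 24,592 McUpdate.exe
1 File(s) 24,592 bytes

Directory of C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\BAK\\BAK\\BAK

01/11/2006 03:05 PM 212,992 McUpdate.exe
1 File(s) 212,992 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1460560 Aug 31 2007 "C:\\Program Files\\Spybot - Search & Destroy\\bak\\TeaTimer.exe"
24592 Sep 27 2007 "C:\\Program Files\\McAfee.com\\Agent\\mcupdate.exe"
24592 Mar 7 2008 "C:\\Program Files\\McAfee.com\\Agent\\bak\\bak\\McUpdate.exe"
212992 Jan 11 2006 "C:\\Program Files\\McAfee.com\\Agent\\bak\\bak\\bak\\McUpdate.exe"

end of report
"""

DIR_RE = re.compile(r"^Directory of (.+)$")
# dir-style listing line: date, time, comma-grouped size, file name
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) +(\d{2}:\d{2} [AP]M) +([\d,]+) +(.+)$")
# duplicate-section line: size, month day year, quoted full path
DUP_RE = re.compile(r'^(\d+) +(\w{3} +\d{1,2} +\d{4}) +"(.+)"$')


def parse_bak_folders(report):
    """Map each 'Directory of' block to its [(file name, size)] entries."""
    folders, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            folders[current] = []
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            folders[current].append((m.group(4), int(m.group(3).replace(",", ""))))
    return folders


def parse_duplicates(report):
    """Return unique (size, path) pairs from the 'Duplicate files' section, in order.
    FindAWF repeats this section several times; duplicates are collapsed here."""
    seen = []
    for line in report.splitlines():
        m = DUP_RE.match(line.strip())
        if m:
            entry = (int(m.group(1)), m.group(3))
            if entry not in seen:
                seen.append(entry)
    return seen


def nonempty_bak_folders(folders):
    """bak folders that still contain files: the candidates for folders.txt."""
    return sorted(d for d, files in folders.items() if files)


def bak_depth(path):
    """Number of trailing consecutive 'bak' components (bak\\bak\\bak -> 3)."""
    depth = 0
    for part in reversed([p for p in path.rstrip("\\").split("\\") if p]):
        if part.lower() != "bak":
            break
        depth += 1
    return depth


def size_mismatches(dups):
    """Group duplicate entries by file name and keep names whose copies differ in size,
    i.e. where the live file and its bak copy are not the same binary."""
    by_name = defaultdict(list)
    for size, path in dups:
        by_name[path.rsplit("\\", 1)[-1].lower()].append((size, path))
    return {n: e for n, e in by_name.items() if len({s for s, _ in e}) > 1}


if __name__ == "__main__":
    folders = parse_bak_folders(SAMPLE_REPORT)
    for d in nonempty_bak_folders(folders):
        print(f"{bak_depth(d)} deep: {d} -> {folders[d]}")
    for name, copies in size_mismatches(parse_duplicates(SAMPLE_REPORT)).items():
        print(name, copies)
```

Run as-is it prints the three populated bak folders with their nesting depth and reports `mcupdate.exe` as present in two different sizes; feeding it a real report only requires reading the file into `SAMPLE_REPORT`'s place.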

Response Number 10
Name: healys818
Date: March 11, 2008 at 19:51:31 Pacific
Reply:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 03/11/2008
The current time is: 22:49:47.32


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

08/31/2007 05:46 PM 1,460,560 TeaTimer.exe
1 File(s) 1,460,560 bytes

Directory of C:\PROGRA~1\SPYDEF~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK

03/07/2008 12:45 PM 24,592 McUpdate.exe
1 File(s) 24,592 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK\BAK\BAK

01/11/2006 03:05 PM 212,992 McUpdate.exe
1 File(s) 212,992 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1460560 Aug 31 2007 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"
24592 Sep 27 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
24592 Mar 7 2008 "C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\bak\bak\McUpdate.exe"


end of report


0

Response Number 11
Name: jabuck
Date: March 12, 2008 at 19:55:28 Pacific
Reply:

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download CCleaner from the following link:

http://filehippo.com/download_ccleaner/

After you download it to your desktop and begin installing it, only allow the "install icon on desktop" to install. Then run it, use only as suggested; it's powerful, use only the prechecked items.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note: for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


0
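The Kaspersky Online Scanner cannot clean, so, as jabuck says, the report has to be analysed by hand: what matters is which detections sit in live locations versus in another tool's quarantine or in System Restore points, which only get cleared by the restore-folder step above. The following Python is an added example (not part of the thread and not Kaspersky's or ComboFix's code) that parses the report line format used by that scanner, drops the "Object is locked" and archive-summary lines, and buckets each hit by location. The sample lines are a subset of the report healys818 posted later in this thread; the bucket rules and function names are this example's own.

```python
import re
from collections import Counter

# Sample lines in the Kaspersky Online Scanner report format (taken from this thread's report).
SAMPLE_KSCAN = """Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\LocalService\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\Susan\\.housecall6.6\\Quarantine\\ntms.exe.bac_a01372 Infected: Backdoor.Win32.HacDef.fw skipped
C:\\Downloads\\BellesBeautyBoutiqueSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\\Program Files\\McAfee.com\\Agent\\mcupdate.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\\Program Files\\Windows Media Player\\vivortyk.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\iiigfff.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\\QooBox\\Quarantine\\catchme2008-03-09_210523.01.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\\QooBox\\Quarantine\\catchme2008-03-09_210523.01.zip ZIP: infected - 2 skipped
C:\\System Volume Information\\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\\RP2\\A0000055.exe Infected: Trojan.Win32.Pakes.abl skipped
"""

# path, detection name, last action; locked-object and "ZIP: infected - N" lines do not match
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<detection>\S+) (?P<action>\w+)$")


def parse_report(text):
    """One dict per 'Infected:' line with keys path, detection, action."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(path):
    """Bucket a hit by where it lives (rules are this example's assumptions):
    restore_point - System Restore copies, removed by purging restore points;
    quarantine    - already isolated by ComboFix (C:\\QooBox) or another scanner;
    live          - an active file that still needs attention."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\quarantine\\" in p or p.startswith("c:\\qoobox\\"):
        return "quarantine"
    return "live"


def triage(text):
    """Paths grouped by bucket, preserving report order."""
    buckets = {"live": [], "quarantine": [], "restore_point": []}
    for e in parse_report(text):
        buckets[classify(e["path"])].append(e["path"])
    return buckets


def count_by_detection(text):
    """How many objects each detection name accounts for."""
    return Counter(e["detection"] for e in parse_report(text))


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_KSCAN).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print(count_by_detection(SAMPLE_KSCAN).most_common())
```

On the sample the four `live` hits are the ones worth acting on (the three McAfee agent files and the HTML file under Windows Media Player); the quarantine and restore-point entries are already isolated and only need the folders purged.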

Response Number 12
Name: healys818
Date: March 13, 2008 at 20:15:34 Pacific
Reply:

---------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 13, 2008 11:13:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/03/2008
Kaspersky Anti-Virus database records: 628516
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 83007
Number of viruses found: 7
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 01:04:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03022008-195841.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Susan\.housecall6.6\Quarantine\bmp[1].exe.bac_a01372 Infected: Backdoor.Win32.HacDef.fw skipped
C:\Documents and Settings\Susan\.housecall6.6\Quarantine\d222_test1[1].exe.bac_a01372 Infected: Backdoor.Win32.HacDef.fw skipped
C:\Documents and Settings\Susan\.housecall6.6\Quarantine\d222_test1[2].exe.bac_a01372 Infected: Backdoor.Win32.HacDef.fw skipped
C:\Documents and Settings\Susan\.housecall6.6\Quarantine\ntms.exe.bac_a01372 Infected: Backdoor.Win32.HacDef.fw skipped
C:\Documents and Settings\Susan\.housecall6.6\Quarantine\ntp.exe.bac_a01372 Infected: Backdoor.Win32.HacDef.fw skipped
C:\Documents and Settings\Susan\.housecall6.6\Quarantine\pcst2.exe.bac_a01372 Infected: Backdoor.Win32.HacDef.fw skipped
C:\Documents and Settings\Susan\Application Data\Aim\jtdlyvix\angelgurl2460\cert8.db Object is locked skipped
C:\Documents and Settings\Susan\Application Data\Aim\jtdlyvix\angelgurl2460\key3.db Object is locked skipped
C:\Documents and Settings\Susan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Susan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Susan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Susan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Susan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Susan\ntuser.dat.LOG Object is locked skipped
C:\Downloads\BellesBeautyBoutiqueSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Program Files\McAfee.com\Agent\bak\bak\McUpdate.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\Program Files\McAfee.com\Agent\mcagent.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\Program Files\McAfee.com\Agent\mcupdate.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\Program Files\Windows Media Player\vivortyk.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iiigfff.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkkkhh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nnnopqr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\catchme2008-03-09_210523.01.zip/gebya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-09_210523.01.zip/ljjhife.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\catchme2008-03-09_210523.01.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000055.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000056.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000057.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000058.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000059.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000060.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000061.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000062.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000063.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000064.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000065.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000066.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000067.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000068.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000069.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000070.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000071.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000072.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000073.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000074.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000075.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000076.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000077.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000078.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000079.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000080.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000081.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000082.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000083.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP2\A0000084.exe Infected: Trojan.Win32.Pakes.abl skipped
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5F71518E-FAFE-4D82-93D4-F1D0EAB5E6DB}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


0

Response Number 13
Name: jabuck
Date: March 14, 2008 at 03:42:46 Pacific
Reply:

McAfee is corrupt; you need to uninstall it, reinstall it, then update.

You can download AVG Free Antivirus at this link:
AVG Free Antivirus. Then update it and run it until you get McAfee reinstalled, or just run it instead of McAfee.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Navigate to and delete the contents of this folder but not the folder itself:

C:\Documents and Settings\Susan\.housecall6.6\Quarantine

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Downloads\BellesBeautyBoutiqueSetup-dm[1].exe

Folder::
C:\QooBox

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".



0

Response Number 14
Name: healys818
Date: March 14, 2008 at 14:34:57 Pacific
Reply:

ComboFix 08-03-14.2 - Susan 2008-03-14 16:42:49.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.547 [GMT -4:00]
Running from: C:\Documents and Settings\Susan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Susan\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\Downloads\BellesBeautyBoutiqueSetup-dm[1].exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\QooBox
C:\QooBox\BackEnv\appdata.folder.dat
C:\QooBox\BackEnv\cache.folder.dat
C:\QooBox\BackEnv\desktop.folder.dat
C:\QooBox\BackEnv\favorites.folder.dat
C:\QooBox\BackEnv\localappdata.folder.dat
C:\QooBox\BackEnv\localsettings.folder.dat
C:\QooBox\BackEnv\mypictures.folder.dat
C:\QooBox\BackEnv\personal.folder.dat
C:\QooBox\BackEnv\profiles.folder.dat
C:\QooBox\BackEnv\programs.folder.dat
C:\QooBox\BackEnv\SetPath.bat
C:\QooBox\BackEnv\startmenu.folder.dat
C:\QooBox\BackEnv\startup.folder.dat
C:\QooBox\BackEnv\SysPath.dat
C:\QooBox\BackEnv\templates.folder.dat
C:\QooBox\CFScript_used_2008-03-14@16.42.txt

.
((((((((((((((((((((((((( Files Created from 2008-02-14 to 2008-03-14 )))))))))))))))))))))))))))))))
.

2008-03-13 21:24 . 2008-03-13 21:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 21:24 . 2008-03-13 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 21:22 . 2008-03-13 21:22 <DIR> d-------- C:\Program Files\CCleaner
2008-03-13 21:21 . 2008-03-13 21:21 2,733,520 --a------ C:\Program Files\ccsetup205.exe
2008-03-11 18:41 . 2008-03-14 14:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 18:41 . 2008-03-11 18:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-11 11:29 . 2008-03-11 11:29 1,584,403 --a------ C:\Program Files\ComboFix.exe
2008-03-11 11:22 . 2008-03-11 11:22 189,718 --a------ C:\Program Files\FindAWF.exe
2008-03-05 22:45 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 23:24 . 2008-03-04 23:24 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-02 20:58 . 2008-03-13 21:18 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-02 20:41 . 2008-03-02 20:43 <DIR> d-------- C:\Program Files\RegistryCleanFix
2008-03-02 19:28 . 2008-03-02 23:42 <DIR> d-------- C:\Program Files\RegistryFix
2008-03-02 19:20 . 2008-03-02 19:27 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2008-03-02 19:20 . 2007-05-24 17:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2008-03-02 19:20 . 2008-03-02 19:20 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2008-03-02 17:59 . 2008-03-02 17:59 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-03-14 13:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-12 23:07 --------- d-----w C:\Program Files\iTunes
2008-03-12 02:48 --------- d-----w C:\Documents and Settings\Susan\Application Data\Lavasoft
2008-03-11 22:41 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-03-11 15:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-11 15:23 --------- d-----w C:\Program Files\ltmoh
2008-03-11 12:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 12:38 --------- d-----w C:\Program Files\QuickTime
2008-03-11 12:38 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-03-11 12:38 --------- d-----w C:\Program Files\Lexmark 3400 Series
2008-03-11 12:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-06 23:14 99 ----a-w C:\Program Files\FxVundoB.log
2008-03-06 02:45 --------- d-----w C:\Program Files\Java
2008-03-03 23:02 --------- d-----w C:\Program Files\SpyDefender Pro
2008-03-03 00:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 22:31 --------- d-----w C:\Program Files\lx_cats
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\Susan\Application Data\PlayFirst
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-09 22:04 --------- d-----w C:\Program Files\Toshiba Games
2008-01-27 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 17:34 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 01:24 --------- d-----w C:\Program Files\Google
2008-01-27 01:20 --------- d-----w C:\Program Files\AIM
2008-01-26 23:57 --------- d-----w C:\Program Files\AdwareAlert
2008-01-26 23:52 --------- d-----w C:\Documents and Settings\Susan\Application Data\AdwareAlert
2008-01-25 20:11 --------- d-----w C:\Program Files\DIGStream
2008-01-25 19:14 5,044 ----a-w C:\WINDOWS\system32\tmp.reg
2008-01-16 02:13 --------- d--h--w C:\Documents and Settings\Susan\Application Data\Move Networks
2007-12-21 04:11 81,920 ----a-w C:\WINDOWS\system32\IEDFix.exe
2006-11-29 00:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 07:20 582 ----a-w C:\Documents and Settings\Susan\Application Data\wklnhst.dat
2006-09-21 03:31 322,560 ----a-w C:\Program Files\AIMFix.exe
2006-09-16 18:07 8,506,408 ----a-w C:\Program Files\Install_AIM.exe
2006-09-06 18:56 37,518,744 ----a-w C:\Program Files\iTunesSetup.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [ ]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [ ]
"TPSMain"="TPSMain.exe" [2005-06-01 01:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [ ]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [ ]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [ ]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [ ]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [ ]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 07:54 65536]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [ ]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 19:03 73728 C:\WINDOWS\system32\TDispVol.exe]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [ ]
"CFSServ.exe"="CFSServ.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 10:29 88203 C:\WINDOWS\agrsmmsg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-23 01:39:31 124912]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-11 16:27:33 118784]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 12:31:42 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 04:05]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2006-02-20 15:23]
R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 12:11]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe" [2008-01-29 13:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68dd525b-9c95-11dc-9eed-00a0d1493303}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0ddeb4a-6f61-11db-9eb5-001302b29e63}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-03-01 13:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-14 18:32:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 16:45:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-14 16:45:31


0
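A defender reading a ComboFix log like the one above checks a handful of things by hand: files sitting in a `bak` folder (the FindAWF pattern from earlier in this thread), autostart entries that carry no size or timestamp in the log, Security Center values that silence antivirus and update warnings, autorun commands registered for removable drives, and scheduled-task targets that do not point at an `.exe`. The following is an added example (my code, not ComboFix's, Kaspersky's, or anything posted by jabuck or healys818) that automates those checks over the log's own line formats. The sample lines are copied from the log above and trimmed to the relevant sections; the category names and the `triage` function are my own invention, and the `FirewallDisableNotify` value is assumed from the Security Center key rather than taken from this log.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code)."""
import re
from typing import List, Tuple

# Constructed sample: lines copied from the ComboFix log posted above,
# trimmed to the sections this helper looks at.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,460,560 2007-08-31 21:46:28 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe

Contents of the 'Scheduled Tasks' folder
"2008-03-01 08:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
"2008-03-14 18:32:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"""

# Line shapes as they appear in the log.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                      # [HKEY_...]
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
TASK_TARGET_RE = re.compile(r"^- (?P<path>.+)$")
BAK_RE = re.compile(r"\\bak\\", re.IGNORECASE)

# Security Center values that, when set to 1, hide the warnings a user
# would otherwise see.  FirewallDisableNotify is assumed, not from this log.
SILENCING_VALUES = {"antivirusdisablenotify", "updatesdisablenotify",
                    "firewalldisablenotify", "disablemonitoring"}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings in the order they occur in the log."""
    findings: List[Tuple[str, str]] = []
    section = ""       # lower-cased registry key of the current [..] block
    in_tasks = False   # inside the 'Scheduled Tasks' listing
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            in_tasks = False
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_tasks = True
            continue
        # Any path under a 'bak' folder is what FindAWF looks for.
        if BAK_RE.search(line):
            findings.append(("bak-folder", line))
        m = RUN_RE.match(line)
        if m and section.endswith(r"\run"):
            # An empty [ ] means the log recorded no date/size for the file,
            # so it cannot be checked against a known build from the log alone.
            if not m.group("info").strip():
                findings.append(("autostart-unverified", m.group("name")))
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in section:
            if m.group("name").lower() in SILENCING_VALUES and int(m.group("hex"), 16) == 1:
                findings.append(("securitycenter-silenced", m.group("name")))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in section:
            findings.append(("removable-autorun", m.group("cmd")))
            continue
        m = TASK_TARGET_RE.match(line)
        if m and in_tasks:
            path = m.group("path")
            leaf = path.rsplit("\\", 1)[-1]
            # Only judge lines that name a file; a bare folder line is skipped.
            if "." in leaf and not leaf.lower().endswith(".exe"):
                findings.append(("task-target-not-exe", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24s} {detail}")
```

Run against the sample, it reports the `bak\TeaTimer.exe` copy, the two unverified Run entries, the three Security Center silencing values, the U3 autorun command, and the `AdwareAlert.ex` task target, which is the same list jabuck works through by hand in the next reply. The helper only reads the sections shown; it does not judge whether an entry is malicious, it just narrows what a reviewer has to look at.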

Response Number 15
Name: jabuck
Date: March 14, 2008 at 19:29:32 Pacific
Reply:

Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Navigate to and delete these files if found:


C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
C:\Program Files\AdwareAlert\AdwareAlert.ex

Navigate to and delete these folders


C:\Program Files\Spybot - Search & Destroy\bak
C:\Program Files\Spybot - Search & Destroy
C:\Program Files\AdwareAlert

Post a new Combofix log please.


0

Response Number 16
Name: healys818
Date: March 18, 2008 at 17:19:30 Pacific
Reply:

It wouldn't let me delete C:\Program Files\Spybot - Search & Destroy. Should I reset the settings that you told me to change?

ComboFix 08-03-14.2 - Susan 2008-03-18 20:08:29.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.591 [GMT -4:00]
Running from: C:\Documents and Settings\Susan\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-13 21:24 . 2008-03-13 21:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 21:24 . 2008-03-13 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 21:22 . 2008-03-13 21:22 <DIR> d-------- C:\Program Files\CCleaner
2008-03-13 21:21 . 2008-03-13 21:21 2,733,520 --a------ C:\Program Files\ccsetup205.exe
2008-03-11 18:41 . 2008-03-14 14:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-11 18:41 . 2008-03-11 18:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-11 11:29 . 2008-03-11 11:29 1,584,403 --a------ C:\Program Files\ComboFix.exe
2008-03-11 11:22 . 2008-03-11 11:22 189,718 --a------ C:\Program Files\FindAWF.exe
2008-03-05 22:45 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-04 23:24 . 2008-03-04 23:24 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-02 20:58 . 2008-03-13 21:18 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-02 20:41 . 2008-03-02 20:43 <DIR> d-------- C:\Program Files\RegistryCleanFix
2008-03-02 19:28 . 2008-03-02 23:42 <DIR> d-------- C:\Program Files\RegistryFix
2008-03-02 19:20 . 2008-03-02 19:27 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2008-03-02 19:20 . 2007-05-24 17:57 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2008-03-02 19:20 . 2008-03-02 19:20 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2008-03-02 17:59 . 2008-03-02 17:59 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 00:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-18 23:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-18 23:22 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-03-14 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-03-12 23:07 --------- d-----w C:\Program Files\iTunes
2008-03-12 02:48 --------- d-----w C:\Documents and Settings\Susan\Application Data\Lavasoft
2008-03-11 15:23 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-03-11 15:23 --------- d-----w C:\Program Files\ltmoh
2008-03-11 12:38 --------- d-----w C:\Program Files\QuickTime
2008-03-11 12:38 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-03-11 12:38 --------- d-----w C:\Program Files\Lexmark 3400 Series
2008-03-11 12:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-06 23:14 99 ----a-w C:\Program Files\FxVundoB.log
2008-03-06 02:45 --------- d-----w C:\Program Files\Java
2008-03-03 23:02 --------- d-----w C:\Program Files\SpyDefender Pro
2008-03-03 00:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-29 22:31 --------- d-----w C:\Program Files\lx_cats
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\Susan\Application Data\PlayFirst
2008-02-09 22:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-02-09 22:04 --------- d-----w C:\Program Files\Toshiba Games
2008-01-27 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-27 17:34 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 01:24 --------- d-----w C:\Program Files\Google
2008-01-27 01:20 --------- d-----w C:\Program Files\AIM
2008-01-26 23:52 --------- d-----w C:\Documents and Settings\Susan\Application Data\AdwareAlert
2008-01-25 20:11 --------- d-----w C:\Program Files\DIGStream
2008-01-25 19:14 5,044 ----a-w C:\WINDOWS\system32\tmp.reg
2007-12-21 04:11 81,920 ----a-w C:\WINDOWS\system32\IEDFix.exe
2006-11-29 00:56 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-11-11 07:20 582 ----a-w C:\Documents and Settings\Susan\Application Data\wklnhst.dat
2006-09-21 03:31 322,560 ----a-w C:\Program Files\AIMFix.exe
2006-09-16 18:07 8,506,408 ----a-w C:\Program Files\Install_AIM.exe
2006-09-06 18:56 37,518,744 ----a-w C:\Program Files\iTunesSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 08:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [ ]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 17:56 64512]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [ ]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [ ]
"TPSMain"="TPSMain.exe" [2005-06-01 01:00 282624 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [ ]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [ ]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [ ]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [ ]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [ ]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [ ]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [ ]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 07:54 65536]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [ ]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-03-11 19:03 73728 C:\WINDOWS\system32\TDispVol.exe]
"NDSTray.exe"="NDSTray.exe" []
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\DLACTRLW.exe" [ ]
"CFSServ.exe"="CFSServ.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 10:29 88203 C:\WINDOWS\agrsmmsg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-10-23 01:39:31 124912]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-12-11 16:27:33 118784]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2006-02-15 12:31:42 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys [2005-01-12 04:05]
R2 NkPtpEnumP2;NkPtpEnumP2;"C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe" -a -d="C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpip.dll" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe [2006-02-20 15:23]
R3 VBus;Virtual Bus;C:\WINDOWS\system32\DRIVERS\NkVBus.sys [2005-06-17 12:11]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\TOSHIBA Game Console\GameConsoleService.exe" [2008-01-29 13:09]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2005-09-09 18:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68dd525b-9c95-11dc-9eed-00a0d1493303}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0ddeb4a-6f61-11db-9eb5-001302b29e63}]
\Shell\AutoRun\command - E:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 13:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-18 06:01:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 20:10:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\WINDOWS\system32\TDispVol.dll
.
Completion time: 2008-03-18 20:11:18
ComboFix2.txt 2008-03-14 20:45:32


0

Response Number 17
Name: jabuck
Date: March 20, 2008 at 18:30:19 Pacific
Reply:

Your logs are clean.

How is the computer operating?


0

Response Number 18
Name: healys818
Date: March 21, 2008 at 09:28:06 Pacific
Reply:

Everything has been working great..thanks for all your help


0

Response Number 19
Name: jabuck
Date: March 21, 2008 at 12:29:37 Pacific
Reply:

Glad we could help.


0
