# computer definitely infected



## Aztec97gt

My computer is definitely infected with something. All kinds of ads for stuff pop up and come through my speakers, but there's nothing to close out. I have to pull up the Windows Task Manager, and it shows that it's an Internet Explorer program.


----------



## ceewi1

Post a HijackThis log and we'll take it from there:

Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

When the Notepad window opens, choose Edit -> Select All to select the entire log, then copy and paste the log into a reply post.
_Most of what it lists will be harmless or even essential, don't fix anything yet._


----------



## chibicitiberiu

1. Use and post a log after running ComboFix; here are download links and instructions: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
2. Post a fresh HijackThis log. Here is a download link: http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html


----------



## Aztec97gt

OK, here we go.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:25 PM, on 8/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\AFinding.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\proxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\1024\SVCHOST.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\oduxftw.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...SIuOAJI+XHrNuKGOc/ISSogmtwpEMJpbjj/DrdfyWPdc=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=...XZe4IDoQuIjQ2Fi5C8H1SVWxT2xHUMaxwWdHTOxaaBt4=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\1024\SVCHOST.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [minitnyus] C:\WINDOWS\system32\inf\svchosd.exe C:\WINDOWS\wftadfi16_080821a.dll tanlt88
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080825a.dll tanlt88
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\fmrmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: moffice.lnk = C:\WINDOWS\system\sgcxcxxaspf080823.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - http://www.antivirusxp08.net/tools/virusremover.dll
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe
O23 - Service: afisicx  Manages  messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Internet Service - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: MsService - Unknown owner - C:\WINDOWS\system\proxy.exe
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: noxtcyr  Manages  messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: roxtctm  Co. Ltd. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe
O23 - Service: wsldoekd  Settings storage service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 10892 bytes


----------
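The log above is what the helpers read to pick out the bad entries. As an added example that is not part of this thread or of HijackThis itself, the Python script below applies the same checks to HijackThis-format lines: services with no registered owner, core Windows binary names running from the wrong directory or one letter off (svchoct.exe next to svchost.exe), autostarts under Policies\Explorer\Run, unknown Winsock LSP files, and ActiveX (DPF) downloads that are raw executables instead of .cab packages. The embedded sample is an excerpt of the log posted above; the table of canonical paths assumes a default Windows XP install on C:, and the one-letter lookalike test is a heuristic of this example.

```python
"""Triage a HijackThis-format log for the entry types the helpers in this
thread reacted to. Added example; not part of the thread or of HijackThis."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: where these binaries live on a default XP
# install on C:. The same name anywhere else, or a name one letter off, is
# exactly what the posted log shows (C:\WINDOWS\smss.exe, ...\1024\SVCHOST.EXE,
# ...\inf\svchoct.exe).
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Excerpt of the log posted above (HijackThis format), used as sample input.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\1024\SVCHOST.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\1024\SVCHOST.EXE"
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080825a.dll tanlt88
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - http://www.antivirusxp08.net/tools/virusremover.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Internet Service - Unknown owner - C:\WINDOWS\smss.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
"""


@dataclass
class Finding:
    code: str    # HijackThis section (O4, O10, ...) or PROC for a running process
    reason: str
    line: str


_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
_O4 = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_EXE_PATH = re.compile(r'^"?(?P<path>[a-z]:\\[^"]*?\.exe)', re.I)
_DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-letter lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _check_binary(path: str) -> Optional[str]:
    """Reason string if `path` masquerades as a core Windows binary, else None."""
    p = path.strip().strip('"').lower()
    directory, _, base = p.rpartition("\\")
    if base in SYSTEM_BINARIES:
        expected = SYSTEM_BINARIES[base]
        if directory and directory != expected:
            return f"{base} running from {directory} instead of {expected}"
        return None
    stem = base[:-4] if base.endswith(".exe") else base
    for real in SYSTEM_BINARIES:
        if _edit_distance(stem, real[:-4]) == 1:
            return f"{base} is a one-letter lookalike of {real}"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY.match(line)
        if m is None:
            # Bare paths are the "Running processes" block.
            if _DRIVE_PATH.match(line):
                reason = _check_binary(line)
                if reason:
                    findings.append(Finding("PROC", reason, line))
            continue
        code, rest = m.group("code"), m.group("rest")
        if code == "O4":
            o4 = _O4.match(rest)
            if o4 is None:
                continue
            if "policies\\explorer\\run" in o4.group("key").lower():
                findings.append(Finding(code, "autostart under Policies\\Explorer\\Run, a key normal installers do not use", line))
            exe = _EXE_PATH.match(o4.group("cmd"))
            reason = _check_binary(exe.group("path")) if exe else None
            if reason:
                findings.append(Finding(code, reason, line))
        elif code == "O10" and rest.lower().startswith("unknown file in winsock lsp"):
            findings.append(Finding(code, "unrecognised Winsock LSP; it sees every socket the browser opens", line))
        elif code == "O16":
            url = rest.rsplit(" - ", 1)[-1].strip().lower()
            if not url.endswith(".cab"):
                findings.append(Finding(code, "ActiveX download is a raw executable/DLL rather than a .cab package", line))
        elif code == "O23" and rest.startswith("Service: "):
            parts = rest[len("Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, path = parts
            if owner.strip().lower() == "unknown owner":
                findings.append(Finding(code, f"service '{name}' has no registered owner", line))
            reason = _check_binary(path.replace(" (file missing)", ""))
            if reason:
                findings.append(Finding(code, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the full log above it also flags the svchosd.exe autostart and the Internet Service entry; legitimate Symantec, NVIDIA and Google services pass untouched because they carry an owner and live where they should.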



## johnb35

You have a bunch of bad stuff on there. Download and run ComboFix from here.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

After that has run, come back here and post the log that it displays, along with a new HijackThis log.


----------



## cohen

johnb35 said:


> You have a bunch of bad stuff on there. Download and run ComboFix from here.
> 
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
> 
> After that has run, come back here and post the log that it displays, along with a new HijackThis log.



Also, for the OP: please remove Viewpoint Manager: Start > Control Panel > Add / Remove Programs > Remove Viewpoint Manager.

Thanks.


----------



## ceewi1

This system is very badly infected.

Please download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to *C:\SDFix*

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in *Safe Mode* (tap F8 just before Windows starts to load and select Safe Mode from the list).

- Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
- Type *Y* to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
- Press any key and it will restart the PC.
- When the PC restarts, the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
- Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as *Report.txt* (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
- Please paste the contents of the Report.txt back on the forum in your next reply.

Please download *Malwarebytes' Anti-Malware* to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*

then click *Finish*.
If an update is found, it will download and install the latest version.
Once the program has loaded, select *Perform full scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
You can also access the log in the *Logs* tab of Malwarebytes' Anti-Malware.

Please post:

- The SDFix report
- The Malwarebytes' Anti-Malware log
- A new HijackThis log


----------



## Aztec97gt

*SDFix*

*SDFix: Version 1.219*
Run by michele on Thu 08/28/2008 at 03:14 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services*:

*Name*:
afinding
macidwe
nobicyt
perfs
routing
sobicyt
tdxdowkc
wserving

*Path*:
C:\WINDOWS\system32\AFinding.exe 
C:\WINDOWS\system32\macidwe.exe 
C:\WINDOWS\system32\Nobicyt.exe 
C:\WINDOWS\system32\perfs.exe 
C:\WINDOWS\system32\routing.exe 
C:\WINDOWS\system32\sobicyt.exe 
C:\WINDOWS\system32\tdxdowkc.exe 
C:\WINDOWS\system32\WServing.exe 

afinding - Deleted
macidwe - Deleted
nobicyt - Deleted
perfs - Deleted
routing - Deleted
sobicyt - Deleted
tdxdowkc - Deleted
wserving - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


*Checking Files*:

Trojan Files Found:

C:\WINDOWS\system32\AFinding.exe  - Deleted
C:\WINDOWS\system32\atsxyzd.sys  - Deleted
C:\WINDOWS\system32\comsa32.sys  - Deleted
C:\WINDOWS\system32\edtxfst.sys  - Deleted
C:\WINDOWS\system32\macidwe.exe  - Deleted
C:\WINDOWS\system32\Nobicyt.exe  - Deleted
C:\WINDOWS\system32\perfs.exe  - Deleted
C:\WINDOWS\system32\routing.exe  - Deleted
C:\WINDOWS\system32\rtl60.bpl  - Deleted
C:\WINDOWS\system32\sobicyt.exe  - Deleted
C:\WINDOWS\system32\tdxdowkc.exe  - Deleted
C:\WINDOWS\system32\WServing.exe  - Deleted





Removing Temp Files

*ADS Check*:



*Final Check*:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 03:21:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\michele\Cookies\system@narutoanko[2].txt 372 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


*Remaining Services*:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Abacast\\Abaclient.exe"="C:\\Program Files\\Abacast\\Abaclient.exe:*:Disabled:Abaclient"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1143661978\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1143661978\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1143661978\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1143661978\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\1024\\SVCHOST.EXE"="C:\\WINDOWS\\system32\\1024\\SVCHOST.EXE:*:Enabled:SVCHOST.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

*Remaining Files*:


File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes*:

Wed 27 Aug 2008        15,360 A..H. --- "C:\WINDOWS\system32\dbi102.dll"
Wed 27 Aug 2008        14,848 A..H. --- "C:\WINDOWS\system32\zordisa.dll"
Mon  7 Jul 2008        26,624 ...H. --- "C:\Documents and Settings\michele\My Documents\~WRL3746.tmp"
Thu  7 Dec 2006     3,096,576 A..H. --- "C:\Documents and Settings\michele\Application Data\U3\temp\Launchpad Removal.exe"

*Finished!*


----------



## Aztec97gt

*Malwarebytes*

Malwarebytes' Anti-Malware 1.25
Database version: 1090
Windows 5.1.2600 Service Pack 2

3:57:15 AM 8/28/2008
mbam-log-08-28-2008 (03-57-15).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 80063
Time elapsed: 28 minute(s), 5 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 20
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 40
Files Infected: 81

Memory Processes Infected:
C:\WINDOWS\system\proxy.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\WINDOWS\smss.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\MSSqlServer.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msservice (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msservice (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msservice (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6c4-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6c6-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6cc-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d714a94f-123a-45cc-8f03-040bcaf82ad6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/sbcie028.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet Service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\internet service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\internet service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\saap (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\starware358 (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\starware358 (Adware.Starware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Adware.Starware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Starware358 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\EntertainmentMarketingSP (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\EntertainmentMarketingSP\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\EntertainmentMarketingSP\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\EntertainmentMarketingSP\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Games\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Games\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Games\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Movies\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Movies\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Movies\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\ScreensaversMarketingSitePager\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\ScreensaversMarketingSitePager\images\active (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\ScreensaversMarketingSitePager\images\default (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\CelebrityNews (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\CelebritySearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\EntertainmentMarketingSP (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Games (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Movies (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ScreensaversMarketingSitePager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\SearchAssistPlus (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\SearchMatch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\SearchMatch\searchMatchPages (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system\proxy.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\SbCIe028.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BA07873-9C5D-45AE-BC15-5B1489014F3D}\RP1724\A0131244.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BA07873-9C5D-45AE-BC15-5B1489014F3D}\RP1730\A0131374.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BA07873-9C5D-45AE-BC15-5B1489014F3D}\RP1730\A0132231.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BA07873-9C5D-45AE-BC15-5B1489014F3D}\RP1730\A0132257.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5BA07873-9C5D-45AE-BC15-5B1489014F3D}\RP1731\A0132282.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\dcbdcatys32_080827a.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\U28B33D60.exe (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\celebrity_news.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\celebrity_search.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\Highlight.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\HighlightHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\highlighthotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\highlightxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\contexts\Related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\contexts\Travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\EntertainmentMarketingSP\images\active\EntertainmentMarketingSP0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Games\images\active\Games0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\Movies\images\active\Movies0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware358\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\CelebrityNews\CelebrityNewsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\CelebrityNews\CelebrityNewsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\CelebritySearch\CelebritySearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\CelebritySearch\CelebritySearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Games\GamesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Games\GamesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Layouts\PitchLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Layouts\PitchLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Movies\MoviesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Movies\MoviesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\SearchAssistPlus\SearchAssistPlusOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\SearchAssistPlus\SearchAssistPlusOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\SearchMatch\SearchMatchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\SearchMatch\SearchMatchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\michele\Application Data\Starware358\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1024\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\dbi102.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\scsys16_080827.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\sppdcrs080827.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\MSSqlServer.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wftadfi16_080825a.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wftadfi16_080827a.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\sgcxcxxaspf080827.exe (Trojan.Agent) -> Quarantined and deleted successfully.


----------



## Aztec97gt

*HijackThis*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:49 AM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwbins.exe
C:\WINDOWS\system32\inf\svchoct.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\xdufytw.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=...XZe4IDoQuIjQ2Fi5C8H1SVWxT2xHUMaxwWdHTOxaaBt4=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080827a.dll tanlt88
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\fmrmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: moffice.lnk = C:\WINDOWS\system\sgcxcxxaspf080823.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx  Manages  messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: macidwe  Manages messages (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: noxtcyr  Manages  messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: roxtctm  Co. Ltd. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca  Event propagation service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: tdxdowkc  Settings storage service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: wsldoekd  Settings storage service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 9605 bytes


----------



## cohen

Can you pls do the following:

Pls remove viewpoint manager - Start > Control Panel > add / remove programs >  Remove Viewpoint Manager

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your reply:

Post the combo fix log
Post a Fresh Hijackthis log

Thank you


----------



## ceewi1

That's gotten rid of a number of infections, but there's still a lot more to be done.

Please click on *Start* -> *Control Panel* -> *Add or Remove Programs*.  If *NewDotNet* appears, click on it and click *Remove*.  While you're there, I recommend you optionally uninstall the following programs as well (if present):
*System Soap Pro*
_This bundles other unwanted programs without your consent._
*Weatherbug*
_Weatherbug is often installed as a secondary application along with other popular programs. It gives you information about local weather conditions, however also displays ads. If you're looking for a free alternative that doesn't display ads, you may want to try WeatherPulse. _
*Viewpoint*
_Viewpoint is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything bad. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them info about your habits. It is not considered spyware since this is not clear, but I would not tolerate it on my machine if I didn't install it._

Once done, please download *LSPfix*.
Unzip it to the desktop and run it.  Check *I know what I'm doing*, and then select each instance of *mmchost.dll* in the left-hand panel and click >> to move it to the right-hand panel.  Then click Finish to allow LSPfix to rebuild the LSP chain.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
    * R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...xwWdHTOxaaBt4=
    * R3 - URLSearchHook: (no name) - - (no file)
    * O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
    * O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    * O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080827a.dll tanlt88
    * O4 - Global Startup: moffice.lnk = C:\WINDOWS\system\sgcxcxxaspf080823.exe
    * O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
    * O23 - Service: macidwe Manages messages (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
    * O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
    * O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
    * O23 - Service: roxtctm Co. Ltd. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
    * O23 - Service: sotpeca Event propagation service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
    * O23 - Service: tdxdowkc Settings storage service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
    * O23 - Service: wsldoekd Settings storage service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

If you chose to remove System Soap Pro, please also check the following entry (if still present): 

*O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min*
If you chose to remove Weatherbug, please also check the following entries (if still present): 

    * O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    * O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
If you chose to remove Viewpoint, please also check the following entry (if still present): 

*O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe*
Please close all open windows except for HijackThis and choose *Fix checked*



Please download this file - *ComboFix* to your Desktop but do not run it yet.


Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:

```
File::
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\wftadfi16_080827a.dll
C:\WINDOWS\system\sgcxcxxaspf080823.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\dbi102.dll
C:\WINDOWS\system32\zordisa.dll

Folder::
C:\Program Files\NewDotNet
```


Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. *Copy and paste the contents of the log in your next reply, along with a new HijackThis log.  How is your system running now?*
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.


----------



## Aztec97gt

i uninstalled a lot of programs but now when i try and download combofix i am told the current security settings do not allow this file to be downloaded and when i try and unzip LSPfix i get a windows security warning that says it has found this file potentially harmful and will not let me unzip it


----------



## ceewi1

OK, we'll deal with the LSPs in another way.

Please open up Internet Explorer and click on *Tools -> Internet Options*.  Click on the *Security* tab.  Select *Internet* and choose *Default level*.  Click on *Restricted Sites* and then click the *Sites* button.  Delete any sites that appear under *Sites* and click *OK* twice.  

Please click on *Start -> Run*.  Type in *cmd* and click *OK*.  This should bring up a command prompt.  At this prompt, type *netsh winsock reset*.  This should show "Successfully reset the Winsock Catalog."  

Please reboot the computer.

Try downloading ComboFix again from one of the following links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

If you are able to, drag in CFScript as in my previous post and post the requested logs.  If not, carry out the HijackThis fixes anyway, reboot your PC, and post a new HijackThis log.


----------



## survivor

will I need to post a new thread to get help with my system with hijack this?


----------



## milkman

as a noob, and my first post, i feel i learn best with experience

what are you guys reading in the log that tells you infection details?


----------



## cohen

survivor said:


> will I need to post a new thread to get help with my system with hijack this?



Yes you will, do the following:

Create your own thread in the security section and post a hijackthis log

If after that you are still infected, please post a Hijackthis log. To post a Hijackthis log, please do the following:
Click *Here* to download HJTsetup.exe


    * Save HJTsetup.exe to your desktop.
    * Double click on the HJTsetup.exe icon on your desktop.
    * By default it will install to C:\Program Files\Hijack This.
    * Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    * Put a check by Create a desktop icon then click Next again.
    * Continue to follow the rest of the prompts from there.
    * At the final dialogue box click Finish and it will launch Hijack This.
    * Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    * Click Save to save the log file and then the log will open in notepad.
    * Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    * DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


We will look at your log as soon as we see it, and give you further instructions on how to fix your computer. Most of the time it will involve downloading more programs that will either give us logs to locate the malware or delete those malware.

Once you have posted a HJT Thread DO NOT make any changes to your PC unless the advisor helping you has instructed you to do so!



milkman said:


> as a noob, and my first post, i feel i learn best with experience
> 
> what are you guys reading in the log that tells you infection details?



There are various forums where you can learn how to do what we do, I have the basic training.

You can tell what's there by the running processes and some of the other things that are part of the log, and that is what you learn while training.
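To make the "reading the running processes and the other entries" concrete, here is an added Python example (my own illustration, not code posted in this thread and not part of HijackThis) that parses a HijackThis log and applies the checks the helpers above were applying by eye: core Windows binaries running from the wrong directory, O23 services with "Unknown owner" in System32, O4 Policies\Explorer\Run autostarts, unknown Winsock LSP entries, and orphaned entries whose file is missing. The sample log is constructed from entry shapes seen in this thread; the rule names and the CORE_SYSTEM_BINARIES set are my assumptions.

```python
"""Heuristic triage of a HijackThis log (added example, not code from the thread
or from HijackThis).  The rules encode what the helpers above reacted to."""
import re
from typing import List, Tuple

# Assumption: these core binaries legitimately run only from %SystemRoot%\System32.
# A same-named file elsewhere (C:\WINDOWS\smss.exe, system32\1024\svchost.exe) is
# the impersonation pattern the Malwarebytes log earlier in the thread reported.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                 # "O23 - Service: ..."
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")  # name - owner - path

# Constructed sample log built from entry shapes that appear in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:49 AM, on 8/28/2008

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\1024\svchost.exe
C:\WINDOWS\system32\afisicx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080827a.dll tanlt88
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O23 - Service: afisicx  Manages  messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
--
End of file
"""


def parse_log(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into its running-process paths and its (type, body) entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False          # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, filename) of a Windows path, both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, item) findings in log order.  A hit means 'look closer',
    not 'malicious'; the person reading the log still judges each one."""
    findings: List[Tuple[str, str]] = []
    processes, entries = parse_log(text)
    for proc in processes:
        directory, name = split_path(proc)
        if name in CORE_SYSTEM_BINARIES and directory != SYSTEM32:
            findings.append(("core-binary-outside-system32", proc))
    for kind, body in entries:
        item = f"{kind} - {body}"
        if "(file missing)" in body or body.endswith("(no file)"):
            findings.append(("orphaned-entry", item))        # leftover, safe to fix
        elif kind == "O4" and "\\Policies\\Explorer\\Run:" in body:
            findings.append(("policies-run-autostart", item))
        elif kind == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append(("unknown-lsp", item))
        elif kind == "O23":
            sm = SERVICE_RE.match(body)
            if sm and sm.group(2) == "Unknown owner":
                directory, _ = split_path(sm.group(3))
                if directory == SYSTEM32:
                    findings.append(("unknown-owner-service-in-system32", item))
    return findings


if __name__ == "__main__":
    for reason, item in triage(SAMPLE_LOG):
        print(f"[{reason}] {item}")
```

A hit is a prompt to check the file, not a verdict: the 8/28 log above also lists WLTRYSVC as an "Unknown owner" service in System32, and the helpers left it alone.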


----------



## Aztec97gt

ok i tried and i still could not get combo fix to download or LSPfix to unzip. so i ran a hijack log and went through and tried to pick out the programs you listed and had hijack delete them. here is a new hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:01 PM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080828a.dll tanlt88
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\fmrmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: moffice.lnk = C:\WINDOWS\system\sgcxcxxaspf080823.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx  Manages  messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)
O23 - Service: macidwe  Corporation (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: noxtcyr  Manages  messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: roxtctm  Co. Ltd. (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe
O23 - Service: sotpeca  Event propagation service (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe
O23 - Service: tdxdowkc  Event propagation service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: wsldoekd  Settings storage service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 6045 bytes


----------



## johnb35

Download ComboFix from another computer, copy it to a flash drive, and then run it on your computer from the flash drive. You are still severely infected.


----------



## ceewi1

If you have a second PC available, that's a good idea. If not, try the steps below.

Download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your Desktop.
Run *avenger.exe* by double-clicking on it.
Do not change any check box options!!
Copy everything in the Code box below, and paste it into the *Input script here:* part of the window.  Please do not include the word Code:



Code:

Files to delete:
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\wftadfi16_080827a.dll
C:\WINDOWS\wftadfi16_080828a.dll
C:\WINDOWS\system\sgcxcxxaspf080823.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\roxtctm.exe
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\dbi102.dll
C:\WINDOWS\system32\zordisa.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\moffice.lnk

Folders to delete:
C:\Program Files\NewDotNet

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mininyust

Drivers to delete:
afisicx
macidwe
noxtcyr
roxtctm
sotpeca
tdxdowkc
wsldoekd


Now click the *Execute* button.
Click Yes to the prompt to confirm you want to execute.
Click Yes to the Reboot now? question that will appear when Avenger finishes running.
Your PC should reboot, if not, reboot it yourself.
A log file from Avenger will be produced at *C:\avenger.txt*, and it will pop up for you to view when you log in after the reboot.
Please post the content of the logfile.

Once done, please download *OTViewIt* to your desktop.

Close all windows and open it.
Click *Run Scan* and let the program run uninterrupted.
It will produce two logs for you: one will pop up, called *OTViewIt.txt*; the other will be saved on your desktop, called *Extras*. Post both of those logs here.
You may need to use two posts to get it all on the forum.

Please post both the Avenger and OTViewIt logs as well as a new HijackThis log.


----------
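The Avenger script above spells out which HijackThis entries ceewi1 judged malicious: the Policies\Explorer\Run autostart, the date-stamped binaries under C:\WINDOWS\system and system32\inf, and the O23 services with "Unknown owner", a filler description and a same-named binary dropped straight into system32. What follows is an added example, not code from the thread, from HijackThis or from Avenger, that applies those same signals to O4/O23 lines so a log can be triaged before anything is deleted. The heuristics, the scoring thresholds, the function names (`triage_o4`, `triage_o23`, `path_reasons`, `flagged`) and `SAMPLE_LOG` are all my own assumptions; the sample is constructed from entries in the thread's logs (benign ones included, so the script can show they are not flagged), and `path_reasons` also covers the misplaced `system32\1024\SVCHOST.EXE` that shows up in the firewall exception list of the Extras log further down.

```python
"""Triage of HijackThis O4/O23 lines. Added example for this thread; not a HijackThis or Avenger feature."""
from __future__ import annotations
import re

# Core Windows binaries that droppers imitate (svchoct.exe) or misplace (system32\1024\SVCHOST.EXE).
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss"}
# Filler phrases taken from the bogus service descriptions in the thread's log.
FILLER = ("manages messages", "event propagation service",
          "settings storage service", "corporation", "co. ltd.")
O4_REG_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Constructed sample: entries in the form of the thread's HijackThis 2.0.2 log (benign ones included).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080828a.dll tanlt88
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: moffice.lnk = C:\WINDOWS\system\sgcxcxxaspf080823.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx  Manages  messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

def target_of(cmd: str) -> str:
    # Executable part of a command line: everything up to the first .exe, leading quote dropped.
    m = re.match(r'^"?(.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()

def path_reasons(path: str) -> list[str]:
    # Path-only heuristics, shared by the O4 and O23 checks.
    p = path.lower()
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if re.search(r"\\windows\\system\\|\\system32\\inf\\|\\system32\\\d+\\", p):
        reasons.append("binary in an unusual system directory")
    if stem in SYSTEM_BINARIES and not p.endswith("\\system32\\" + stem + ".exe"):
        reasons.append("system binary name outside its normal directory")
    for real in SYSTEM_BINARIES:  # same length, exactly one character substituted
        if stem != real and len(stem) == len(real) and sum(a != b for a, b in zip(stem, real)) == 1:
            reasons.append(f"name is one character off from {real}.exe")
    if re.search(r"[a-z]{5,}\d{6}", stem):
        reasons.append("date-stamped file name, as used by this dropper")
    return reasons

def triage_o23(line: str) -> dict | None:
    m = O23_RE.match(line)
    if not m:
        return None
    display = " ".join(m["display"].split())  # collapse the doubled spaces in the fake names
    short = (m["short"] or display).lower()
    path = m["path"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    reasons = path_reasons(path)
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("no vendor string (Unknown owner)")
    if re.search(r"\\system32\\[^\\]+\.exe$", path.lower()):
        reasons.append("service binary sitting directly in system32")
    padded = display.lower().startswith(short) and len(display.split()) > len(short.split())
    if padded and stem == short:
        reasons.append("display name is just the file name plus filler words")
    if any(f in display.lower() for f in FILLER):
        reasons.append("generic filler description")
    if m["missing"]:
        return {"line": line, "verdict": "orphan", "reasons": reasons + ["file missing"]}
    return {"line": line, "verdict": "suspicious" if len(reasons) >= 3 else "not flagged", "reasons": reasons}

def triage_o4(line: str) -> dict | None:
    m = O4_REG_RE.match(line) or O4_LNK_RE.match(line)
    if not m:
        return None
    key, cmd = m["key"], m["cmd"]
    reasons = path_reasons(target_of(cmd))
    policy_key = "policies\\explorer\\run" in key.lower()
    if policy_key:
        reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
    if re.search(r"\.exe\s+\S+\.dll\b", cmd, re.IGNORECASE):
        reasons.append("loads a DLL passed on the command line")
    verdict = "suspicious" if policy_key or len(reasons) >= 2 else "not flagged"
    return {"line": line, "verdict": verdict, "reasons": reasons}

def triage_log(text: str) -> list[dict]:
    hits = [triage_o4(ln) if ln.startswith("O4 ") else triage_o23(ln)
            for ln in text.splitlines() if ln.startswith(("O4 ", "O23 "))]
    return [r for r in hits if r]

def flagged(text: str) -> list[str]:
    # Lines a helper would ask about (suspicious or orphaned), in log order.
    return [r["line"] for r in triage_log(text) if r["verdict"] != "not flagged"]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['verdict']:<12}{r['line'][:72]}  ->  {'; '.join(r['reasons']) or '-'}")
```

Run as a script it prints a verdict and the reasons for every O4/O23 line in `SAMPLE_LOG`; `flagged()` returns the four entries worth asking about (mininyust, moffice.lnk, afisicx and the orphaned Autocomplete service) and leaves vptray, NvCplDaemon, WLTRYSVC, Ad-Aware and NVSvc alone. Scoring several weak signals rather than matching one is deliberate: "Unknown owner" or a binary in system32 on its own also fits legitimate software such as WLTRYSVC, and it is the combination that the helper reacted to. Treat the output as a list of questions for a human, not as a deletion list.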



## Aztec97gt

*OT View IT*

OTViewIt logfile created on: 2008-08-30 17:19:07 - Run 1
OTViewIt by OldTimer - Version 1.0.1.7     Folder = C:\Documents and Settings\michele\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

511.48 Mb Total Physical Memory | 342.65 Mb Available Physical Memory | 66.99% Memory free
1.22 Gb Paging File | 1.08 Gb Available in Paging File | 88.27% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 64.85 Gb Free Space | 87.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MICHELE
Current User Name: michele
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On

===== Processes - Non-Microsoft Only =====

[06-25-2004 02:05 PM | 00,045,056 | ---- | M] () - C:\WINDOWS\system32\WLTRYSVC.EXE
[08-23-2001 05:52 PM | 00,331,830 | ---- | M] (Microsoft® Corporation) - C:\Program Files\Microsoft Works\wkssb.exe
[08-17-2001 12:41 AM | 00,028,738 | ---- | M] (Microsoft® Corporation) - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[09-12-2002 01:13 PM | 01,101,824 | ---- | M] (Copyright (C) ahead software gmbh and its licensors) - C:\Program Files\Ahead\InCD\InCD.exe
[07-20-2005 12:19 PM | 00,385,024 | ---- | M] (Motive Communications, Inc.) - C:\Program Files\Verizon Online\SmartBridge\MotiveSB.exe
[08-07-2001 07:06 PM | 00,024,633 | ---- | M] (Microsoft® Corporation) - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
[08-09-2002 06:00 PM | 00,221,184 | ---- | M] (Motive Communications, Inc.) - C:\Program Files\Verizon Online\bin\mpbtn.exe

===== Win32 Services - Non-Microsoft Only =====

(Autocomplete) AutoComplete Service [On_Demand | Stopped] 
File not found - C:\PROGRA~1\SYSTEM~1\autocomp.exe

(WLTRYSVC) WLTRYSVC [Auto | Running] 
[06-25-2004 02:05 PM | 00,045,056 | ---- | M] () - C:\WINDOWS\system32\WLTRYSVC.EXE

===== Driver Services - Non-Microsoft Only =====

(BsStor) InCD Storage Helper Driver [Boot | Running] 
[06-05-2002 07:07 PM | 00,009,344 | ---- | M] (B.H.A Co.,Ltd.) - C:\WINDOWS\system32\drivers\bsstor.sys

(BsUDF) InCD UDF Driver [Auto | Running] 
[09-13-2002 08:35 AM | 00,448,640 | ---- | M] (ahead software) - C:\WINDOWS\System32\drivers\bsudf.sys

(catchme) catchme [On_Demand | Stopped] 
File not found - C:\ComboFix\catchme.sys

(GMSIPCI) GMSIPCI [On_Demand | Stopped] 
File not found - E:\INSTALL\GMSIPCI.SYS

(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [On_Demand | Stopped] 
[08-04-2004 01:31 AM | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) - C:\WINDOWS\system32\drivers\RTL8139.sys

(USBNET_XP) Instant Wireless XP USB Network Adapter ver.2.6 Driver [On_Demand | Stopped] 
[02-19-2002 02:34 PM | 00,072,576 | R--- | M] (The LinkSys Group, Inc.) - C:\WINDOWS\system32\drivers\netusbxp.sys

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD" = C:\Program Files\Ahead\InCD\InCD.exe [09-12-2002 01:13 PM | 01,101,824 | ---- | M] (Copyright (C) ahead software gmbh and its licensors)
"Microsoft Works Portfolio" = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers [08-23-2001 05:52 PM | 00,331,830 | ---- | M] (Microsoft® Corporation)
"Microsoft Works Update Detection" = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [08-17-2001 12:41 AM | 00,028,738 | ---- | M] (Microsoft® Corporation)
"Motive SmartBridge" = C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe [07-20-2005 12:19 PM | 00,385,024 | ---- | M] (Motive Communications, Inc.)
"NeroCheck" = C:\WINDOWS\system32\NeroCheck.exe [07-09-2001 04:50 AM | 00,155,648 | ---- | M] (Ahead Software Gmbh)
"NvCplDaemon" = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup [03-20-2003 08:13 AM | 04,616,192 | ---- | M] (NVIDIA Corporation)
"vptray" = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [05-21-2003 02:21 AM | 00,090,112 | ---- | M] (Symantec Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Key does not exist or could not be opened.
"run" = Reg Error: Key does not exist or could not be opened.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM" = C:\Program Files\AIM\aim.exe -cnetwait.odl File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

========== Startup Folders ==========

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
[04-23-2008 03:38 AM | 00,029,696 | ---- | M] (Adobe Systems Incorporated) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[01-27-1998 02:10 AM | 00,055,296 | ---- | M] (Micrografx, Inc.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\fmrmd32.exe
[08-07-2001 07:06 PM | 00,024,633 | ---- | M] (Microsoft® Corporation) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
[08-06-2002 11:07 AM | 00,204,800 | ---- | M] (Motive Communications, Inc.) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe

[michele Startup Folder - C:\Documents and Settings\michele\Start Menu\Programs\Startup]

========== BHO's ==========

========== Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - File not found Reg Error: Key does not exist or could not be opened.

========== AppInit_Dlls ==========

========== HKLM Security Providers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders]
"msapsspc.dllschannel.dlldigest.dllmsnsspc.dll" - File not found 

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [06-13-2007 06:23 AM | 01,033,216 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [08-04-2004 03:56 AM | 00,024,576 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [08-04-2004 03:56 AM | 00,514,560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [10-25-2007 11:34 PM | 08,460,288 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [08-04-2004 03:56 AM | 00,298,496 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

========== User's Winlogon Settings ==========

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName" = C:\WINDOWS\system32\NavLogon.dll [05-21-2003 02:19 AM | 00,045,056 | ---- | M] ()

========== Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveAutoRun" = 67108863
"NoDriveTypeAutoRun" = 255
"NoDrives" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" = 
"legalnoticetext" = 
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1
"DisableRegistryTools" = 0
"HideLegacyLogonScripts" = 0
"HideLogoffScripts" = 0
"RunLogonScriptSync" = 1
"RunStartupScriptSync" = 0
"HideStartupScripts" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoDrives" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts" = 0
"HideLogoffScripts" = 0
"RunLogonScriptSync" = 1
"RunStartupScriptSync" = 0
"HideStartupScripts" = 0

========== Lsa Authentication Packages ==========

========== Lsa Security Packages ==========

========== Desktop Components ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

========== Safeboot Options ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

========== Disabled MsConfig Items ==========
Unable to open key or key not present!


========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[07-11-2003 01:27 AM | 00,000,000 | ---- | M] () C:\AUTOEXEC.BAT [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{06eb2976-d4b1-11d7-93b9-000c410c8bb4}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{200abfe4-c03a-11da-945e-000e2e216509}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32754293-d6d6-11d9-9428-000e2e216509}\Shell]
"" = Open

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4131139c-2877-11dd-94bf-000e2e216509}\Shell]
"" = Open

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{565e4c3a-79b4-11db-947a-000f661bb2bb}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{565e4c46-79b4-11db-947a-000f661bb2bb}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6007a5f8-5b4a-11dc-94a1-000e2e216509}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{936fda1e-6cd0-11d9-9411-000f661bb2bb}\Shell]
"" = Open

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9d356454-8aeb-11db-947b-000e2e216509}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8a45af1-9592-11dc-94a6-000e2e216509}\Shell]
"" = AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b8a45af2-9592-11dc-94a6-000e2e216509}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d1c6be90-b839-11d9-941d-000f661bb2bb}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{efd0c32a-b37e-11d7-93a8-b0c80decdf80}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\Shell]
"" = AutoRun

========== DNS Name Servers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{7C48A721-0A35-4753-BE40-E80EBE593471}]
Servers:  | Description: Instant Wireless USB Network Adapter ver.2.6

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{836D4178-AA3D-4AEA-8210-609376CBBB7A}]
Servers:  | Description: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{A6A5C012-00A3-4209-A6B7-1E6CA2BA5C11}]
Servers:  | Description: Linksys Wireless-G PCI Adapter with SpeedBooster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{AB0DBDA3-DFDA-495C-A2E7-A88BC5504E89}]
Servers:  | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC

========== Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost



========== Files/Folders - Created Within 30 days ==========

[1 C:\*.tmp files]
[08-28-2008 03:04 AM | 01,417,602 | ---- | C] () - C:\SDFix.exe
[08-28-2008 03:07 AM | ---D | C] - C:\SDFix
[08-30-2008 04:26 PM | ---D | C] - C:\ComboFix
[08-30-2008 04:26 PM | ---D | C] - C:\QooBox
[08-30-2008 05:09 PM | ---D | C] - C:\Avenger
[2 C:\WINDOWS\System32\*.tmp files]
[08-01-2008 05:29 PM | ---D | C] - C:\WINDOWS\System32\CatRoot_bak
[08-13-2008 01:02 AM | 00,588,800 | ---- | C] () - C:\WINDOWS\System32\Psetup.exe
[08-16-2008 03:04 AM | 00,000,206 | ---- | C] () - C:\WINDOWS\System32\MRT.INI
[08-17-2008 01:08 PM | ---D | C] - C:\WINDOWS\System32\inf
[08-20-2008 11:23 PM | 00,125,804 | ---- | C] () - C:\WINDOWS\System32\newcool.exe
[08-23-2008 04:51 PM | ---D | C] - C:\WINDOWS\System32\1024
[08-24-2008 02:35 PM | 00,029,764 | ---- | C] () - C:\WINDOWS\System32\mf0824.exe
[08-28-2008 02:17 PM | 00,062,464 | ---- | C] () - C:\WINDOWS\System32\dwbins.exe
[3 C:\WINDOWS\*.tmp files]
[08-25-2008 11:13 AM | 00,001,409 | ---- | C] () - C:\WINDOWS\QTFont.for
[08-25-2008 11:13 AM | 00,054,156 | -H-- | C] () - C:\WINDOWS\QTFont.qfn
[08-28-2008 03:11 AM | ---D | C] - C:\WINDOWS\ERUNT
[08-29-2008 05:57 AM | 00,002,560 | ---- | C] () - C:\WINDOWS\_MSRSTRT.EXE
[08-30-2008 04:26 PM | 00,028,672 | ---- | C] (NirSoft) - C:\WINDOWS\Nircmd.exe
[08-30-2008 04:26 PM | 00,049,152 | ---- | C] () - C:\WINDOWS\VFind.exe
[08-30-2008 04:26 PM | 00,068,096 | ---- | C] () - C:\WINDOWS\zip.exe
[08-30-2008 04:26 PM | 00,080,412 | ---- | C] () - C:\WINDOWS\grep.exe
[08-30-2008 04:26 PM | 00,089,504 | ---- | C] (Smallfrogs Studio) - C:\WINDOWS\fdsv.exe
[08-30-2008 04:26 PM | 00,098,816 | ---- | C] () - C:\WINDOWS\sed.exe
[08-30-2008 04:26 PM | 00,136,704 | ---- | C] (SteelWerX) - C:\WINDOWS\swsc.exe
[08-30-2008 04:26 PM | 00,161,792 | ---- | C] (SteelWerX) - C:\WINDOWS\swreg.exe
[08-30-2008 04:26 PM | 00,212,480 | ---- | C] (SteelWerX) - C:\WINDOWS\swxcacls.exe
[08-30-2008 04:26 PM | ---D | C] - C:\WINDOWS\erdnt
[08-28-2008 03:05 AM | ---D | C] - C:\Documents and Settings\All Users\Application Data\Malwarebytes
[08-27-2008 12:30 AM | ---D | C] - C:\Documents and Settings\michele\Application Data\Help
[08-28-2008 03:05 AM | ---D | C] - C:\Documents and Settings\michele\Application Data\Malwarebytes
[08-30-2008 05:18 PM | ---D | C] - C:\Documents and Settings\michele\Application Data\InterVideo
[08-16-2008 10:50 PM | 00,000,793 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[08-28-2008 03:05 AM | 00,000,696 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[08-27-2008 12:48 PM | 00,001,734 | ---- | C] () - C:\Documents and Settings\michele\Desktop\HijackThis.lnk
[08-16-2008 10:49 PM | ---D | C] - C:\Program Files\Common Files\Wise Installation Wizard
[08-28-2008 03:05 AM | ---D | C] - C:\Program Files\Malwarebytes' Anti-Malware

========== Files - Modified Within 30 days ==========

[1 C:\*.tmp files]
[08-28-2008 03:04 AM | 01,417,602 | ---- | M] () - C:\SDFix.exe
[08-23-2008 10:51 AM | 00,091,136 | ---- | M] () - C:\WINDOWS\System32\dllcache\msgsvc.dll
[08-29-2008 11:39 PM | 00,000,686 | ---- | M] () - C:\WINDOWS\System32\drivers\etc\HOSTS
[2 C:\WINDOWS\System32\*.tmp files]
[08-13-2008 01:02 AM | 00,588,800 | ---- | M] () - C:\WINDOWS\System32\Psetup.exe
[08-16-2008 03:04 AM | 00,000,206 | ---- | M] () - C:\WINDOWS\System32\MRT.INI
[08-26-2008 01:09 PM | 00,029,764 | ---- | M] () - C:\WINDOWS\System32\mf0824.exe
[08-29-2008 02:10 PM | 00,062,464 | ---- | M] () - C:\WINDOWS\System32\dwbins.exe
[08-29-2008 02:10 PM | 00,125,804 | ---- | M] () - C:\WINDOWS\System32\newcool.exe
[08-30-2008 05:12 PM | 00,002,206 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[3 C:\WINDOWS\*.tmp files]
[08-16-2008 03:05 AM | 00,001,374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08-23-2008 01:34 PM | 00,000,049 | ---- | M] () - C:\WINDOWS\wpd99.drv
[08-25-2008 11:13 AM | 00,001,409 | ---- | M] () - C:\WINDOWS\QTFont.for
[08-25-2008 11:13 AM | 00,054,156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[08-28-2008 03:01 AM | 00,000,139 | ---- | M] () - C:\WINDOWS\msicpl.ini
[08-29-2008 05:57 AM | 00,002,560 | ---- | M] () - C:\WINDOWS\_MSRSTRT.EXE
[08-30-2008 05:09 PM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08-30-2008 05:10 PM | 00,000,006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[1 C:\Documents and Settings\michele\My Documents\*.tmp files]
[08-11-2008 12:59 PM | 00,027,136 | ---- | M] () - C:\Documents and Settings\michele\My Documents\INFO.doc
[08-16-2008 10:50 PM | 00,000,793 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[08-28-2008 03:05 AM | 00,000,696 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[08-27-2008 01:19 PM | 00,002,483 | ---- | M] () - C:\Documents and Settings\michele\Desktop\Microsoft Word.lnk
[08-27-2008 12:48 PM | 00,001,734 | ---- | M] () - C:\Documents and Settings\michele\Desktop\HijackThis.lnk

< End of report >


----------



## Aztec97gt

*Extras*

OTViewIt Extras logfile created on: 2008-08-30 17:19:07 - Run 1
OTViewIt by OldTimer - Version 1.0.1.7     Folder = C:\Documents and Settings\michele\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

511.48 Mb Total Physical Memory | 342.65 Mb Available Physical Memory | 66.99% Memory free
1.22 Gb Paging File | 1.08 Gb Available in Paging File | 88.27% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 64.85 Gb Free Space | 87.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
[08-04-2004 03:56 AM | 00,140,800 | ---- | M] (Microsoft Corporation)

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
[08-01-2006 04:35 PM | 00,067,112 | ---- | M] (America Online, Inc.)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000
[10-10-2006 08:44 AM | 00,557,568 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019
[08-04-2004 03:56 AM | 00,140,800 | ---- | M] (Microsoft Corporation)

"C:\Program Files\Abacast\Abaclient.exe" = C:\Program Files\Abacast\Abaclient.exe:*isabled:Abaclient
[11-20-2004 04:55 PM | 00,845,312 | ---- | M] (Abacast, Inc.)

"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*isabled:RealPlayer
File not found

"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
File not found

"C:\Program Files\Common Files\AOL\1143661978\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1143661978\ee\aolsoftware.exe:*:Enabled:AOL Services
File not found

"C:\Program Files\Common Files\AOL\1143661978\ee\aim6.exe" = C:\Program Files\Common Files\AOL\1143661978\ee\aim6.exe:*:Enabled:AIM
File not found

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger
[08-01-2006 04:35 PM | 00,067,112 | ---- | M] (America Online, Inc.)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000
[10-10-2006 08:44 AM | 00,557,568 | ---- | M] (Microsoft Corporation)

"C:\WINDOWS\system32\1024\SVCHOST.EXE" = C:\WINDOWS\system32\1024\SVCHOST.EXE:*:Enabled:SVCHOST.EXE
File not found

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - "%1" %*
.cmd [@ = cmdfile] - "%1" %*
.com [@ = ComFile] - "%1" %*
.exe [@ = exefile] - "%1" %*
.pif [@ = piffile] - "%1" %*
.scr [@ = scrfile] - "%1" /S

========== Winsock2 Catalogs ==========

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


========== HKEY_CURRENT_USER Protocol Defaults ==========


========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]

========== Protocol Filters ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01001201-823E-46CD-A70E-BEE818F97169}" = Microsoft Encarta Encyclopedia Standard 2002
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}" = Symantec AntiVirus Client
"{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}" = Microsoft Streets and Trips 2002
"{25EF00BE-F17B-11D6-88EA-000476CD2443}" = Verizon Online
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{30BB4D60-81DB-11D5-BB77-00400536ABAC}" = OLYMPUS CAMEDIA Master 4.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM
"{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05
"{901B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{AAE10BE5-F398-41C1-9AAF-A59EBF17DFDE}" = Norton Spyware Scan
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B608EFA2-977B-4039-8C71-2DD823B058A6}" = Install Menu
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C1939820-A945-11D4-86F6-0001031E5712}" = MSI MSIDVD
"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
"{C769A271-7E1C-48F9-B331-474600DD4C06}" = Microsoft Picture It! Photo 2002
"{D087F95B-5C55-4481-BA53-9618538EE098}" = MSN Encarta Right-Click Dictionary
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"Abacast Client" = Abacast Client
"Abacast Version 1.25f1" = Abacast Version 1.25f1
"AC3Filter" = AC3Filter (remove only)
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"AOL Instant Messenger" = AOL Instant Messenger
"Broadcom 802.11 Application" = Broadcom 802.11 Control Panel
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Driver
"CCleaner" = CCleaner (remove only)
"CreataCard Gold 2" = CreataCard Gold 2
"Half-Life" = Half-Life
"HijackThis" = HijackThis 2.0.2
"Httper" = Httper
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"InCD!UninstallKey" = InCD (Ahead Software)
"KB834707" = Windows XP Hotfix - KB834707
"KB867282" = Windows XP Hotfix - KB867282
"KB870669" = Microsoft Data Access Components KB870669
"KB873333" = Windows XP Hotfix - KB873333
"KB873339" = Windows XP Hotfix - KB873339
"KB883939" = Security Update for Windows XP (KB883939)
"KB885250" = Windows XP Hotfix - KB885250
"KB885835" = Windows XP Hotfix - KB885835
"KB885836" = Windows XP Hotfix - KB885836
"KB885884" = Windows XP Hotfix - KB885884
"KB886185" = Windows XP Hotfix - KB886185
"KB887472" = Windows XP Hotfix - KB887472
"KB887742" = Windows XP Hotfix - KB887742
"KB888113" = Windows XP Hotfix - KB888113
"KB888302" = Windows XP Hotfix - KB888302
"KB890046" = Security Update for Windows XP (KB890046)
"KB890047" = Windows XP Hotfix - KB890047
"KB890175" = Windows XP Hotfix - KB890175
"KB890859" = Windows XP Hotfix - KB890859
"KB890923" = Windows XP Hotfix - KB890923
"KB891781" = Windows XP Hotfix - KB891781
"KB893066" = Windows XP Hotfix - KB893066
"KB893086" = Windows XP Hotfix - KB893086
"KB893756" = Security Update for Windows XP (KB893756)
"KB893803" = Windows Installer 3.1 (KB893803)
"KB893803v2" = Windows Installer 3.1 (KB893803)
"KB894391" = Update for Windows XP (KB894391)
"KB895316" = Windows Media Player 10 Hotfix - KB895316
"KB896358" = Security Update for Windows XP (KB896358)
"KB896422" = Security Update for Windows XP (KB896422)
"KB896423" = Security Update for Windows XP (KB896423)
"KB896424" = Security Update for Windows XP (KB896424)
"KB896428" = Security Update for Windows XP (KB896428)
"KB896688" = Security Update for Windows XP (KB896688)
"KB896727" = Update for Windows XP (KB896727)
"KB898461" = Update for Windows XP (KB898461)
"KB899587" = Security Update for Windows XP (KB899587)
"KB899588" = Security Update for Windows XP (KB899588)
"KB899589" = Security Update for Windows XP (KB899589)
"KB899591" = Security Update for Windows XP (KB899591)
"KB900485" = Update for Windows XP (KB900485)
"KB900725" = Security Update for Windows XP (KB900725)
"KB901017" = Security Update for Windows XP (KB901017)
"KB901214" = Security Update for Windows XP (KB901214)
"KB902400" = Security Update for Windows XP (KB902400)
"KB903235" = Security Update for Windows XP (KB903235)
"KB904706" = Security Update for Windows XP (KB904706)
"KB904942" = Update for Windows XP (KB904942)
"KB905414" = Security Update for Windows XP (KB905414)
"KB905749" = Security Update for Windows XP (KB905749)
"KB905915" = Security Update for Windows XP (KB905915)
"KB908519" = Security Update for Windows XP (KB908519)
"KB908531" = Security Update for Windows XP (KB908531)
"KB910437" = Update for Windows XP (KB910437)
"KB911280" = Security Update for Windows XP (KB911280)
"KB911562" = Security Update for Windows XP (KB911562)
"KB911564" = Security Update for Windows Media Player (KB911564)
"KB911565" = Security Update for Windows Media Player 10 (KB911565)
"KB911567" = Security Update for Windows XP (KB911567)
"KB911927" = Security Update for Windows XP (KB911927)
"KB912812" = Security Update for Windows XP (KB912812)
"KB912919" = Security Update for Windows XP (KB912919)
"KB913446" = Security Update for Windows XP (KB913446)
"KB913580" = Security Update for Windows XP (KB913580)
"KB914388" = Security Update for Windows XP (KB914388)
"KB914389" = Security Update for Windows XP (KB914389)
"KB914440" = Hotfix for Windows XP (KB914440)
"KB915865" = Hotfix for Windows XP (KB915865)
"KB916281" = Security Update for Windows XP (KB916281)
"KB916595" = Update for Windows XP (KB916595)
"KB917159" = Security Update for Windows XP (KB917159)
"KB917344" = Security Update for Windows XP (KB917344)
"KB917422" = Security Update for Windows XP (KB917422)
"KB917734_WMP10" = Security Update for Windows Media Player 10 (KB917734)
"KB917953" = Security Update for Windows XP (KB917953)
"KB918118" = Security Update for Windows XP (KB918118)
"KB918439" = Security Update for Windows XP (KB918439)
"KB918899" = Security Update for Windows XP (KB918899)
"KB919007" = Security Update for Windows XP (KB919007)
"KB920213" = Security Update for Windows XP (KB920213)
"KB920214" = Security Update for Windows XP (KB920214)
"KB920670" = Security Update for Windows XP (KB920670)
"KB920683" = Security Update for Windows XP (KB920683)
"KB920685" = Security Update for Windows XP (KB920685)
"KB920872" = Update for Windows XP (KB920872)
"KB921398" = Security Update for Windows XP (KB921398)
"KB921503" = Security Update for Windows XP (KB921503)
"KB921883" = Security Update for Windows XP (KB921883)
"KB922582" = Update for Windows XP (KB922582)
"KB922616" = Security Update for Windows XP (KB922616)
"KB922760" = Security Update for Windows XP (KB922760)
"KB922819" = Security Update for Windows XP (KB922819)
"KB923191" = Security Update for Windows XP (KB923191)
"KB923414" = Security Update for Windows XP (KB923414)
"KB923689" = Security Update for Windows XP (KB923689)
"KB923694" = Security Update for Windows XP (KB923694)
"KB923980" = Security Update for Windows XP (KB923980)
"KB924191" = Security Update for Windows XP (KB924191)
"KB924270" = Security Update for Windows XP (KB924270)
"KB924496" = Security Update for Windows XP (KB924496)
"KB924667" = Security Update for Windows XP (KB924667)
"KB925398_WMP64" = Security Update for Windows Media Player 6.4 (KB925398)
"KB925454" = Security Update for Windows XP (KB925454)
"KB925486" = Security Update for Windows XP (KB925486)
"KB925902" = Security Update for Windows XP (KB925902)
"KB926255" = Security Update for Windows XP (KB926255)
"KB926436" = Security Update for Windows XP (KB926436)
"KB927779" = Security Update for Windows XP (KB927779)
"KB927802" = Security Update for Windows XP (KB927802)
"KB927891" = Update for Windows XP (KB927891)
"KB928090" = Security Update for Windows XP (KB928090)
"KB928255" = Security Update for Windows XP (KB928255)
"KB928843" = Security Update for Windows XP (KB928843)
"KB929123" = Security Update for Windows XP (KB929123)
"KB929338" = Update for Windows XP (KB929338)
"KB929969" = Security Update for Windows XP (KB929969)
"KB930178" = Security Update for Windows XP (KB930178)
"KB930916" = Update for Windows XP (KB930916)
"KB931261" = Security Update for Windows XP (KB931261)
"KB931768" = Security Update for Windows XP (KB931768)
"KB931784" = Security Update for Windows XP (KB931784)
"KB931836" = Update for Windows XP (KB931836)
"KB932168" = Security Update for Windows XP (KB932168)
"KB933360" = Update for Windows XP (KB933360)
"KB933566" = Security Update for Windows XP (KB933566)
"KB933729" = Security Update for Windows XP (KB933729)
"KB935839" = Security Update for Windows XP (KB935839)
"KB935840" = Security Update for Windows XP (KB935840)
"KB936021" = Security Update for Windows XP (KB936021)
"KB936357" = Update for Windows XP (KB936357)
"KB936782_WMP10" = Security Update for Windows Media Player 10 (KB936782)
"KB937143" = Security Update for Windows XP (KB937143)
"KB937894" = Security Update for Windows XP (KB937894)
"KB938127" = Security Update for Windows XP (KB938127)
"KB938828" = Update for Windows XP (KB938828)
"KB938829" = Security Update for Windows XP (KB938829)
"KB939653" = Security Update for Windows XP (KB939653)
"KB941202" = Security Update for Windows XP (KB941202)
"KB941568" = Security Update for Windows XP (KB941568)
"KB941569" = Security Update for Windows XP (KB941569)
"KB941644" = Security Update for Windows XP (KB941644)
"KB941693" = Security Update for Windows XP (KB941693)
"KB942615" = Security Update for Windows XP (KB942615)
"KB942763" = Update for Windows XP (KB942763)
"KB942840" = Update for Windows XP (KB942840)
"KB943055" = Security Update for Windows XP (KB943055)
"KB943460" = Security Update for Windows XP (KB943460)
"KB943485" = Security Update for Windows XP (KB943485)
"KB944338" = Security Update for Windows XP (KB944338)
"KB944533" = Security Update for Windows XP (KB944533)
"KB944653" = Security Update for Windows XP (KB944653)
"KB945553" = Security Update for Windows XP (KB945553)
"KB946026" = Security Update for Windows XP (KB946026)
"KB946627" = Update for Windows XP (KB946627)
"KB946648" = Security Update for Windows XP (KB946648)
"KB947864" = Security Update for Windows XP (KB947864)
"KB948590" = Security Update for Windows XP (KB948590)
"KB948881" = Security Update for Windows XP (KB948881)
"KB950749" = Security Update for Windows XP (KB950749)
"KB950759" = Security Update for Windows XP (KB950759)
"KB950760" = Security Update for Windows XP (KB950760)
"KB950762" = Security Update for Windows XP (KB950762)
"KB950974" = Security Update for Windows XP (KB950974)
"KB951066" = Security Update for Windows XP (KB951066)
"KB951072-v2" = Update for Windows XP (KB951072-v2)
"KB951376" = Security Update for Windows XP (KB951376)
"KB951376-v2" = Security Update for Windows XP (KB951376-v2)
"KB951698" = Security Update for Windows XP (KB951698)
"KB951748" = Security Update for Windows XP (KB951748)
"KB952287" = Hotfix for Windows XP (KB952287)
"KB952954" = Security Update for Windows XP (KB952954)
"KB953838" = Security Update for Windows XP (KB953838)
"KB953839" = Security Update for Windows XP (KB953839)
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MySearchSearchAssistant" = Search Assistant - My Search
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Norton Spyware Scan provided by Yahoo!" = Norton Spyware Scan provided by Yahoo!
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"Pdf995" = Pdf995
"QuickTime" = QuickTime
"Sierra Utilities" = Sierra Utilities
"SysInfo" = Creative System Information
"Verizon.MCCInstall" = Verizon Online Support Center
"WgaNotify" = Windows Genuine Advantage Notifications (KB905474)
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"Works2002Setup" = Microsoft Works 2002 Setup Launcher

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{9863F141-7A33-4c9a-A5F2-96996461B216}" = KODAK EASYSHARE Gallery Easy Upload, v2.1

========== Last 10 Event Log Errors ==========


[ Application Events ]
Error - 2008-08-24 12:24:56 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: Trojan Horse in File: C:\WINDOWS\system32\mmchost.dll
 by: Realtime Protection scan.  Action: Clean failed : Delete failed : Access denied

Error - 2008-08-24 12:25:36 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: Trojan Horse in File: C:\WINDOWS\system32\mmchost.dll
 by: Realtime Protection scan.  Action: Clean failed : Delete failed : Access denied

Error - 2008-08-24 12:26:16 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: Trojan Horse in File: C:\WINDOWS\system32\mmchost.dll
 by: Realtime Protection scan.  Action: Clean failed : Delete failed : Access denied

Error - 2008-08-24 12:26:56 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: Trojan Horse in File: C:\WINDOWS\system32\mmchost.dll
 by: Realtime Protection scan.  Action: Clean failed : Delete failed : Access denied

Error - 2008-08-24 12:27:36 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: Trojan Horse in File: C:\WINDOWS\system32\mmchost.dll
 by: Realtime Protection scan.  Action: Clean failed : Delete failed : Access denied

Error - 2008-08-24 12:28:16 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: Trojan Horse in File: C:\WINDOWS\system32\mmchost.dll
 by: Realtime Protection scan.  Action: Clean failed : Delete failed : Access denied

Error - 2008-08-24 16:44:01 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: Trojan Horse in File: C:\WINDOWS\system32\mmchost.dll
 by: Realtime Protection scan.  Action: Clean failed : Delete failed : Access denied

Error - 2008-08-30 20:28:05 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: W32.Hitapop in File: C:\WINDOWS\system32\inf\scsys16_080828.dll
 by: Realtime Protection scan.  Action: Delete succeeded : Access denied

Error - 2008-08-30 20:28:05 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: W32.Hitapop in File: C:\WINDOWS\system32\inf\sppdcrs080828.scr
 by: Realtime Protection scan.  Action: Delete succeeded : Access denied

Error - 2008-08-30 20:28:06 - Computer Name = MICHELE - User Name = User SID not found - Source = Norton AntiVirus
Description =       Virus Found!Virus name: W32.Hitapop in File: C:\WINDOWS\system\sgcxcxxaspf080828.exe
 by: Realtime Protection scan.  Action: Delete succeeded : Access denied


[ Internet Explorer Events ]

[ Security Events ]

[ System Events ]
Error - 2008-08-30 20:27:46 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The sotpeca  Event propagation service service terminated unexpectedly.
  It has done this 1 time(s).

Error - 2008-08-30 20:27:46 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The tdxdowkc  Event propagation service service terminated unexpectedly.
  It has done this 1 time(s).

Error - 2008-08-30 20:27:46 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The wsldoekd  Settings storage service service terminated unexpectedly.
  It has done this 1 time(s).

Error - 2008-08-30 20:58:50 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The 6to4 service terminated with the following error:   %%126

Error - 2008-08-30 20:58:50 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The Ias service terminated with the following error:   %%126

Error - 2008-08-30 20:58:50 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The Symantec AntiVirus Client service terminated with the following
 error:   %%5

Error - 2008-08-30 21:10:16 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The 6to4 service terminated with the following error:   %%126

Error - 2008-08-30 21:10:16 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The Ias service terminated with the following error:   %%126

Error - 2008-08-30 21:10:16 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The Symantec AntiVirus Client service terminated with the following
 error:   %%5

Error - 2008-08-30 21:10:22 - Computer Name = MICHELE - User Name = User SID not found - Source = Service Control Manager
Description = The following boot-start or system-start driver(s) failed to load:
   IntelIde


< End of report >


----------



## Aztec97gt

*Hijackthis*

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:28, on 2008-08-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\fmrmd32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://targetphoto.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\SYSTEM~1\autocomp.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 4464 bytes


----------



## ceewi1

Great! That's gotten rid of almost everything. There are a few more files to go, and then I'd like you to run an online scan to check for any more leftovers.


Double click on *avenger.exe* to run it again
Do not change any check box options!!
Copy everything in the Code box below, and paste it into the *Input script here:* part of the window.  Please do not include the word Code:



Code:

Files to delete:
C:\WINDOWS\System32\newcool.exe
C:\WINDOWS\System32\mf0824.exe
C:\WINDOWS\System32\dwbins.exe
C:\WINDOWS\System32\Psetup.exe
C:\WINDOWS\system32\mmchost.dll

Folders to delete:
C:\WINDOWS\System32\1024

Registry values to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List | C:\WINDOWS\system32\1024\SVCHOST.EXE


Now click the *Execute* button.
Click Yes to the prompt to confirm you want to execute.
Click Yes to the Reboot now? question that will appear when Avenger finishes running.
Your PC should reboot; if not, reboot it yourself.
A log file from Avenger will be produced at *C:\avenger.txt* and it will popup for you to view when you login after reboot.
Please post the content of the logfile.

Please do a scan with Kaspersky Online Scanner

Click on the *Accept* button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the *Scan* section select *My Computer*.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on *View scan report*
Now, click on the *Save Report as* button.
In the drop down box labeled *Files of type* change the type to *Text file*.
Save the file to your desktop.
Copy and paste that information in your next post.

Please post
The Avenger log
The Kaspersky report
An update on how your system is running


----------



## Aztec97gt

*Avenger*

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\System32\newcool.exe" deleted successfully.
File "C:\WINDOWS\System32\mf0824.exe" deleted successfully.
File "C:\WINDOWS\System32\dwbins.exe" deleted successfully.
File "C:\WINDOWS\System32\Psetup.exe" deleted successfully.

Error:  file "C:\WINDOWS\system32\mmchost.dll" not found!
Deletion of file "C:\WINDOWS\system32\mmchost.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Folder "C:\WINDOWS\System32\1024" deleted successfully.

Error:  could not delete registry value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List|C:\WINDOWS\system32\1024\SVCHOST.EXE"
Deletion of registry value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List|C:\WINDOWS\system32\1024\SVCHOST.EXE" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


----------



## Aztec97gt

*Online scan*

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Sunday, August 31, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Sunday, August 31, 2008 18:39:13
 Records in database: 1172153
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	A:\
	C:\
	D:\
	E:\

Scan statistics:
	Files scanned: 38045
	Threat name: 23
	Infected objects: 46
	Suspicious objects: 0
	Duration of the scan: 00:41:24


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0002.VBN	Infected: Trojan-Spy.Win32.Pophot.bzg	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0004.VBN	Infected: Trojan-Spy.Win32.Pophot.cao	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0005.VBN	Infected: Trojan-Spy.Win32.Pophot.cbj	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0006.VBN	Infected: Trojan.Win32.Agent.yvp	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0007.VBN	Infected: Backdoor.Win32.Small.flb	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0008.VBN	Infected: Trojan.Win32.Agent.zwy	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0009.VBN	Infected: Trojan.Win32.Agent.yvv	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C000A.VBN	Infected: Trojan.Win32.Agent.yvv	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C000B.VBN	Infected: Trojan.Win32.Agent.zbc	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C000C.VBN	Infected: Trojan-Spy.Win32.Pophot.cap	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C000D.VBN	Infected: Trojan-Spy.Win32.Pophot.cap	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C000E.VBN	Infected: Trojan.Win32.Agent.yvp	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C000F.VBN	Infected: Trojan-Spy.Win32.Pophot.cbh	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\105C0010.VBN	Infected: Trojan-Spy.Win32.Pophot.cbh	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\137C0003.VBN	Infected: Trojan.Win32.Agent.yvp	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\137C0004.VBN	Infected: Backdoor.Win32.Small.flb	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\137C0005.VBN	Infected: Trojan.Win32.Agent.zwy	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\137C0006.VBN	Infected: Trojan.Win32.Agent.yvv	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\137C0007.VBN	Infected: Trojan.Win32.Agent.yvv	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\137C0008.VBN	Infected: Trojan.Win32.Agent.zbc	1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\137C0009.VBN	Infected: Trojan.Win32.Agent.yvp	1
C:\QooBox\Quarantine\C\DOCUME~1\michele\LOCALS~1\Temp\WowInitcode.dll.vir	Infected: Trojan-GameThief.Win32.WOW.bvz	1
C:\QooBox\Quarantine\C\WINDOWS\dcbdcatys32_080828a.dll.vir	Infected: Trojan-Spy.Win32.Pophot.cdv	1
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall4_85.exe.vir	Infected: not-a-virus:AdWare.Win32.NewDotNet	1
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir	Infected: not-a-virus:AdWare.Win32.NewDotNet	1
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_90.exe.vir	Infected: not-a-virus:AdWare.Win32.NewDotNet.e	1
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_98.exe.vir	Infected: not-a-virus:AdWare.Win32.NewDotNet.e	1
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall7_14.exe.vir	Infected: not-a-virus:AdWare.Win32.NewDotNet.e	1
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall7_22.exe.vir	Infected: not-a-virus:AdWare.Win32.NewDotNet.e	1
C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall7_48.exe.vir	Infected: not-a-virus:AdWare.Win32.NewDotNet.e	1
C:\QooBox\Quarantine\C\WINDOWS\system32\123123.exe.vir	Infected: Trojan-GameThief.Win32.WOW.bvw	1
C:\QooBox\Quarantine\C\WINDOWS\system32\atsxyzd.sys.vir	Infected: Trojan.Win32.DNSChanger.ign	1
C:\QooBox\Quarantine\C\WINDOWS\system32\oduxftw.sys.vir	Infected: Trojan-Clicker.Win32.VB.brv	1
C:\QooBox\Quarantine\C\WINDOWS\system32\zordisa.dll.vir	Infected: Trojan-GameThief.Win32.OnLineGames.syhe	1
C:\SDFix\backups\backups.zip	Infected: Trojan.Win32.DNSChanger.ign	1
C:\SDFix\backups_old\backups.zip	Infected: Trojan.Win32.Agent.yvp	2
C:\SDFix\backups_old\backups.zip	Infected: Trojan.Win32.DNSChanger.icx	1
C:\SDFix\backups_old\backups.zip	Infected: Trojan-Clicker.Win32.VB.bqi	1
C:\SDFix\backups_old\backups.zip	Infected: Trojan.Win32.Agent.zjn	1
C:\SDFix\backups_old\backups.zip	Infected: Trojan.Win32.Agent.zwy	1
C:\SDFix\backups_old\backups.zip	Infected: Trojan.Win32.Agent.yvv	2
C:\SDFix\backups_old\backups.zip	Infected: Trojan.Win32.Agent.zbc	1
C:\SDFix\backups_old\backups.zip	Infected: Trojan.Win32.Agent.zmz	1
C:\WINDOWS\system32\fduvfct.sys	Infected: Trojan-Clicker.Win32.VB.btw	1

The selected area was scanned.


----------



## Aztec97gt

The computer is running so much better!


----------



## ceewi1

Excellent, the Kaspersky scan shows only one remnant, which we can remove now; the others are all quarantined items.

Please run *avenger.exe* again by double clicking on it.
Do not change any check box options!!
Copy everything in the Code box below, and paste it into the *Input script here:* part of the window.  Please do not include the word Code:



Code:

Files to delete:
C:\WINDOWS\system32\fduvfct.sys


Now click the *Execute* button.
Click Yes to the prompt to confirm you want to execute.
Click Yes to the Reboot now? question that will appear when Avenger finishes running.
Your PC should reboot; if not, reboot it yourself.

Please download *OTCleanIt* and save it to desktop.  This will remove the tools we've used and the backups they've created.
Double-click *OTCleanIt.exe*.
Click the *CleanUp!* button.
Select *Yes* when the Begin cleanup Process? prompt appears.
If you are prompted to Reboot during the cleanup, select *Yes*.
The tool will delete itself once it finishes; if not, delete it yourself.

You can keep Malwarebytes' Anti-Malware if you'd like, as it's one of the best anti-malware scanners available and a very good program for running on-demand scans.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer.  While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection.  While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer. 

Please either enable *Automatic Updates* under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly.  They usually have security updates every month.  You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed.   *This is a crucial security measure.*

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost.  All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

I notice that you are running Ad-Aware, which is good.  You might want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here.  Please also remember to enable Spybot's Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.  

Please *keep these programs up-to-date* and run them whenever you suspect a problem to prevent malware problems.  A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.  However, it is important to run only one resident program of each type since they can conflict and become less effective.  That means only one antivirus, firewall and scanning anti-spyware program at a time.  Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.  

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program.  If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure, or are looking for anti-spyware programs, you can find out if a program is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an *alternate browser*. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure.  Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here:  http://www.opera.com/download/

Hopefully these steps will help to keep you error free.  If you run into more difficulty, we will certainly do what we can to help.


----------

