Author Topic: trouble, trouble, trouble!  (Read 1899 times)

Offline Benf

trouble, trouble, trouble!
« on: August 28, 2006, 12:20:32 PM »
Hello, have trawled through old posts and self-help but can't get anywhere; hope you can help me out. First time I have ever got a virus on my machine. Pretty computer literate but can't seem to shift this. PC-Cillin lists it as dial_dialer.jc; tried conventional methods of removal but no luck... here are my reports:

Logfile of HijackThis v1.99.1
Scan saved at 16:26:18, on 28/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155766136796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. -

AND PANDA ACTIVESCAN:

Dialer:Dialer.HPD Not disinfected C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\QP3GTEFV\srvhpm[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix.zip[SmitfraudFix/Process.exe]

Also tried to clean with Smitfraudfix but no luck.

Any ideas?

And as I typed that, this came up, talk of the devil!!!!!.... I also have a report that trojan.pakes has been found; have deleted it through ewido though.


Real-time Protection
Real-time Protection has detected a virus, spyware, or other security risk, and performed the action specified.

.
Action taken: Denied Access.
.
Incident name: C:\WINDOWS\TEMP\iddA2.tmp.exe
Detection name: DIAL_DIALER.JC
User name: B
Note: If Search for and clean Trojans is turned on and executed after scanning, click Next to view the final action taken

Offline Benf

trouble, trouble, trouble!
« Reply #1 on: August 28, 2006, 05:28:35 PM »
Have tried a couple of fixes but to no effect, so I thought I would repost my HijackThis report and rapport folder. Really need some help with this, as my connection keeps cutting out and I keep getting calls to my home number that ring once then sound like a fax.....?


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\B\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155766136796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


and


SmitFraudFix v2.81

Scan done at 23:11:48.51, 28/08/2006
Run from
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\B\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\B\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo

trouble, trouble, trouble!
« Reply #2 on: August 28, 2006, 09:46:17 PM »
Can you run one more online virus scanner, please?

From my signature below,
Use INTERNET EXPLORER
Run an online virus scan at Kaspersky's
You will be prompted to install an ActiveX component from Kaspersky; click Yes.

   
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
       
  • Now click on Scan Settings
       
  • In the scan settings make sure that the following are selected:

         ***Scan using the following Anti-Virus database:
            Extended (if available otherwise Standard)
         ***Scan Options:
            Scan Archives
            Scan Mail Bases
   
  • Click OK
       
  • Now under select a target to scan:

            Select My Computer
   
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.

        ***Now click on the Save as Text button:
   
  • Save the file to your desktop.
  • Copy and paste that information in your next post


Additionally, can you do the following:
Right-click on Hijackthis.exe on your desktop, select RENAME
Rename Hijackthis to analyze.exe
Do a fresh scan and save the logfile, and post the fresh log please



Offline Benf

trouble, trouble, trouble!
« Reply #3 on: August 29, 2006, 04:53:44 AM »
Thanks for your reply, here is what you requested....

Kaspersky:


 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, August 29, 2006 10:47:46 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 29/08/2006
 Kaspersky Anti-Virus database records: 219030
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\
   F:\

Scan Statistics:
   Total number of scanned objects: 85475
   Number of viruses found: 12
   Number of infected objects: 36 / 0
   Number of suspicious objects: 0
   Duration of the scan process: 01:07:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\B\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip/document.txt                                                                   .exe   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst   Mail MS Mail: infected - 4   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\History\History.IE5\MSHist012006082920060830\index.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Temp\~DF9C8D.tmp   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\4OPYH1R5\srvzfk[1].exe   Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.k   skipped
C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\QP3GTEFV\srvhip[1].exe   Infected: Trojan.Win32.Pakes   skipped
C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\QP3GTEFV\srvihe[1].exe   Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.k   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip/document.txt                                                                   .exe   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst   Mail MS Mail: infected - 4   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip/document.txt                                                                   .exe   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst   Mail MS Mail: infected - 4   skipped
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\B\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\B\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\BitComet\Downloads\Trend Micro PC-cillin Internet Security 2006 14.1.zip   Object is locked   skipped
C:\Program Files\BitComet\Downloads\Windows XP Key Changer Pack\Key Changer.exe   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP14\A0001942.dll   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP40\A0017845.exe   Object is locked   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP40\A0017848.exe   Object is locked   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP40\A0018077.exe   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024879.exe   Infected: Trojan-Downloader.Win32.Zlob.agf   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024893.exe   Infected: Trojan-Downloader.Win32.Zlob.agf   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024939.exe   Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.k   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024941.exe   Infected: Trojan.Win32.Small.js   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024958.exe   Infected: not-a-virus:AdWare.Win32.180Solutions.ak   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024978.exe   Infected: not-a-virus:AdTool.Win32.WhenU.a   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024979.exe   Infected: not-a-virus:Downloader.Win32.WinFixer.r   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\change.log   Object is locked   skipped
C:\WINDOWS\CSC\00000001   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\ACEEvent.evt   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat   Object is locked   skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\WINDOWS\system32\drivers\dtscsi.sys   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd.sys   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd0941.sys   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\jkhhf.dll   Infected: not-a-virus:AdWare.Win32.Virtumonde.da   skipped
C:\WINDOWS\system32\svvhost.exe   Infected: Trojan.Win32.Small.js   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\system32\winghy32.dll   Infected: Packed.Win32.Klone.g   skipped
C:\WINDOWS\Temp\idd15.tmp.exe   Object is locked   skipped
C:\WINDOWS\Temp\idd3C.tmp.exe   Object is locked   skipped
C:\WINDOWS\Temp\idd4DBC.tmp.exe   Object is locked   skipped
C:\WINDOWS\Temp\idd55C6.tmp.exe   Object is locked   skipped
C:\WINDOWS\Temp\Perflib_Perfdata_69c.dat   Object is locked   skipped
C:\WINDOWS\Temp\win3B.tmp.exe   Infected: Trojan.Win32.Pakes   skipped
C:\WINDOWS\Temp\win4DBB.tmp.exe   Infected: Trojan.Win32.Pakes   skipped
C:\WINDOWS\Temp\win55C5.tmp.exe   Infected: Trojan.Win32.Pakes   skipped
C:\WINDOWS\wiadebug.log   Object is locked   skipped
C:\WINDOWS\wiaservc.log   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
E:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped

Scan process completed.

and analyze.exe:

Logfile of HijackThis v1.99.1
Scan saved at 09:54:42, on 29/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCGUIDE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\B\Desktop\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {771500C4-96C6-4983-BE5C-FC299B611918} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155766136796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9E39900-48F2-4505-996B-A69666BF7069}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
trouble, trouble, trouble!
« Reply #4 on: August 29, 2006, 08:42:01 AM »
Can you do the following please
You may want to print these instructions or save them to a text file on your desktop
Some of the fixes require that you don't have any unnecessary programs running in the background
Including this browser window

Open Outlook, don't open any email attachments you don't recognize
Some are infected with the Netsky Q virus
One indication is the date of the email: Date Mon, 31 Jul 2006 06:27:17
and 30 Jul 2006 22:27
Delete any emails from your Inbox that have attachments you don't recognize and may be unsafe

Download and save to your desktop
FxNetsky.exe
by Symantec
We'll need it in a bit

Download and install Windows CleanUp! 4.5.2
Don't run it yet

CleanUp! attempts to delete files from various temporary directories (including download directories/caches),
as well as emptying the Recycle Bins.
If you make a habit of saving files that you wish to keep in any of these places,  they will be deleted when CleanUp! is run.
Please move them to a different location before we run this tool if the above is true
Note: It is generally considered poor practice to use temporary folders or the Recycle Bin to store files you intend to keep.

Please download VundoFix.exe to your desktop.
We'll need it in a bit

Download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Copy ALL the text of the script below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard


files to delete:
C:\WINDOWS\system32\jkhhf.dll
C:\WINDOWS\system32\svvhost.exe
C:\WINDOWS\system32\winghy32.dll
C:\WINDOWS\Temp\idd15.tmp.exe
C:\WINDOWS\Temp\idd3C.tmp.exe
C:\WINDOWS\Temp\idd4DBC.tmp.exe
C:\WINDOWS\Temp\idd55C6.tmp.exe
C:\WINDOWS\Temp\win3B.tmp.exe
C:\WINDOWS\Temp\win4DBB.tmp.exe
C:\WINDOWS\Temp\win55C5.tmp.exe
C:\WINDOWS\TEMP\iddA2.tmp.exe

folders to delete:
C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\4OPYH1R5
C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\QP3GTEFV


Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Close down all browser windows
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
NOTE: The first time you run CleanUp! it may prompt to run in Demonstration mode
You can do so to see what will be removed, but I still need you to run in non-demo mode
Run this twice please

Vundofix.exe
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • After it has completely shut down. Turn your computer back on.
Back in Windows
Close down all browser windows, including this one, close any unneeded programs that may be open
Double click to Open FxNetsky.exe
Click the START button, let it run a scan and fix whatever it finds
Reboot afterwards>>Run this twice to ensure it's gone
If you are networked with other computers, have them run this tool also to ensure that they are clear of Netsky

Back in Windows
I need to see all the following please, even if it takes more than one reply to post it all
1. Run another scan at Kaspersky's and post the report
2. Post a fresh Hijackthis log
3. Regardless if files were found by Vundofix, can I see the log it created
It will be found in this location>>>C:\Vundofix.txt
« Last Edit: August 29, 2006, 09:10:56 AM by guestolo »

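The O2 and O20 entries the reply above sends Avenger after (jkhhf.dll, winghy32.dll) are the classic Vundo/Virtumonde footholds: a Browser Helper Object for the in-browser half, plus a Winlogon Notify DLL that winlogon.exe loads at boot, before any user session, which is why ordinary deletion fails and a boot-time deleter is used. As an added example (not part of this thread, and not HijackThis code), here is a small Python triage script that parses O2, O20 and O23 lines from a HijackThis 1.99 log and flags the properties a helper scans for: Winlogon Notify packages outside the stock XP SP2 set, BHOs with no registered name, services with no publisher, entries HijackThis marks "(file missing)", and random-looking file names. The allowlist and the random-name heuristic are assumptions of this example, not rules stated in the thread; the output is a set of review hints, not verdicts (the heuristic also fires on genuine names such as svchost).

```python
"""Triage O2 / O20 / O23 lines from a HijackThis 1.99 log.

Added example for this thread, not part of HijackThis or of the original
posts. The allowlist and the random-name heuristic below are assumptions."""
import re

# Constructed sample modelled on the logs posted in this thread (not a copy).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CB188FD0-FC0F-4AA8-B3FC-0DE5863B5954} - C:\WINDOWS\system32\jkhhf.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Winlogon\Notify packages on a stock XP SP2 install plus WgaLogon (Windows
# Genuine Advantage). Assumption of this example; extend it for your image.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}

VOWELS = set("aeiou")


def looks_random(stem):
    """Heuristic: Vundo drops DLLs named like jkhhf.dll or urqpnno.dll, i.e.
    short lowercase strings with few vowels and long consonant runs. A hint
    only; it also fires on real names such as svchost."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio <= 0.3 and longest_run >= 4


def parse(log_text):
    """Return one dict per O2/O20/O23 line with section, name, path and
    whether HijackThis marked the target '(file missing)'."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for section, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            entry = m.groupdict()
            entry["section"] = section
            entry["file_missing"] = "(file missing)" in entry["path"]
            entry["path"] = entry["path"].replace("(file missing)", "").strip()
            entries.append(entry)
            break
    return entries


def triage(log_text):
    """Flag entries a helper would look at first; each finding lists why."""
    findings = []
    for e in parse(log_text):
        reasons = []
        stem = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if e["file_missing"]:
            reasons.append("orphaned registry entry (file missing)")
        if e["section"] == "O20" and e["name"].lower() not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify package not in XP SP2 allowlist")
        if e["section"] == "O2" and e["name"] == "(no name)":
            reasons.append("BHO without a registered name")
        if e["section"] == "O23" and e["owner"] == "Unknown owner":
            reasons.append("service binary has no publisher")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append({"section": e["section"], "name": e["name"],
                             "path": e["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['name']:<12} {f['path']}")
        for r in f["reasons"]:
            print(f"       - {r}")
```

Run against the sample, the script flags the two jkhhf entries and the orphaned winghy32 Notify key while leaving WgaLogon and the Acrobat BHO alone; ATI Smart shows up only because HijackThis reports no publisher for it, which is exactly the kind of hint that needs a human to dismiss.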


Offline Benf

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
trouble, trouble, trouble!
« Reply #5 on: August 29, 2006, 11:39:30 AM »
Thank you for your reply. Here are the reports as requested; please note FxNetsky did not find anything:

Logfile of HijackThis v1.99.1
Scan saved at 17:32:34, on 29/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Activision\Rome - Total War\RomeTW-BI.exe
C:\Documents and Settings\B\Desktop\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CB188FD0-FC0F-4AA8-B3FC-0DE5863B5954} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155766136796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9E39900-48F2-4505-996B-A69666BF7069}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe



AND


-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, August 29, 2006 5:31:54 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 29/08/2006
 Kaspersky Anti-Virus database records: 219135
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\
   F:\

Scan Statistics:
   Total number of scanned objects: 84921
   Number of viruses found: 13
   Number of infected objects: 44 / 0
   Number of suspicious objects: 0
   Duration of the scan process: 00:57:50

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/4OPYH1R5/srvjxr[1].exe   Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.k   skipped
C:\avenger\backup.zip/avenger/4OPYH1R5/srvmxj[1].exe   Infected: Trojan.Win32.Pakes   skipped
C:\avenger\backup.zip/avenger/jkhhf.dll   Infected: not-a-virus:AdWare.Win32.Virtumonde.da   skipped
C:\avenger\backup.zip/avenger/QP3GTEFV/srvhip[1].exe   Infected: Trojan.Win32.Pakes   skipped
C:\avenger\backup.zip/avenger/svvhost.exe   Infected: Trojan.Win32.Small.js   skipped
C:\avenger\backup.zip/avenger/win3B.tmp.exe   Infected: Trojan.Win32.Pakes   skipped
C:\avenger\backup.zip/avenger/win4DBB.tmp.exe   Infected: Trojan.Win32.Pakes   skipped
C:\avenger\backup.zip/avenger/win55C5.tmp.exe   Infected: Trojan.Win32.Pakes   skipped
C:\avenger\backup.zip/avenger/winghy32.dll   Infected: Packed.Win32.Klone.g   skipped
C:\avenger\backup.zip   ZIP: infected - 9   skipped
C:\Documents and Settings\B\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip/document.txt                                                                   .exe   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:????????.eml   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst   Mail MS Mail: infected - 4   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\History\History.IE5\MSHist012006082920060830\index.dat   Object is locked   skipped
C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip/document.txt                                                                   .exe   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\NEW Outlook\Outlook4.pst   Mail MS Mail: infected - 4   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip/document.txt                                                                   .exe   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst/Personal Folders/Inbox/30 Jul 2006 22:27 from [email protected]:¼þͶµÝ³¬Ê±´íÎó.eml   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\My Documents\Outlook Backup\NEW Outlook\Outlook4.pst   Mail MS Mail: infected - 4   skipped
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\B\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\B\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\B\UserData\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\BitComet\Downloads\Windows XP Key Changer Pack\Key Changer.exe/data.rar/xpkey.exe   Infected: not-a-virus:PSWTool.Win32.RAS.a   skipped
C:\Program Files\BitComet\Downloads\Windows XP Key Changer Pack\Key Changer.exe/data.rar/officekey.exe   Infected: not-a-virus:PSWTool.Win32.RAS.a   skipped
C:\Program Files\BitComet\Downloads\Windows XP Key Changer Pack\Key Changer.exe/data.rar   Infected: not-a-virus:PSWTool.Win32.RAS.a   skipped
C:\Program Files\BitComet\Downloads\Windows XP Key Changer Pack\Key Changer.exe   RarSFX: infected - 3   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP14\A0001942.dll   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP40\A0018077.exe   Infected: not-a-virus:AdTool.Win32.WhenU.c   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024879.exe   Infected: Trojan-Downloader.Win32.Zlob.agf   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024893.exe   Infected: Trojan-Downloader.Win32.Zlob.agf   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024939.exe   Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.k   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024941.exe   Infected: Trojan.Win32.Small.js   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024958.exe   Infected: not-a-virus:AdWare.Win32.180Solutions.ak   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024978.exe   Infected: not-a-virus:AdTool.Win32.WhenU.a   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024979.exe   Infected: not-a-virus:Downloader.Win32.WinFixer.r   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025129.dll   Infected: not-a-virus:AdWare.Win32.Virtumonde.da   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025130.exe   Infected: Trojan.Win32.Small.js   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025131.dll   Infected: Packed.Win32.Klone.g   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\change.log   Object is locked   skipped
C:\WINDOWS\CSC\00000001   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\ACEEvent.evt   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\drivers\dtscsi.sys   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd.sys   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd0941.sys   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\Temp\Perflib_Perfdata_780.dat   Object is locked   skipped
C:\WINDOWS\wiadebug.log   Object is locked   skipped
C:\WINDOWS\wiaservc.log   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
E:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
E:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\change.log   Object is locked   skipped

Scan process completed.


AND



VundoFix V6.1.2

Checking Java version...

Sun Java not detected
Scan started at 16:05:18 29/08/2006

Listing files found while scanning....

C:\WINDOWS\system32\urqpnno.dll

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\urqpnno.dll
C:\WINDOWS\system32\urqpnno.dll Has been deleted!

Performing Repairs to the registry.
Done!

AND

Symantec W32.Netsky FixTool 1.12.0


C:\System Volume Information: (not scanned)
E:\System Volume Information: (not scanned)
W32.Netsky has not been found on your computer.
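Nearly every hit in the Kaspersky report above sits inside a container rather than on the live file system: the Avenger backup zip (copies of the files deleted in the previous step), System Restore snapshots under System Volume Information, the Outlook .pst stores holding the NetSky mails, and riskware inside downloaded tool archives. Each needs a different follow-up (flush System Restore, delete the messages, drop the tool backup once the machine is clean) and none is a running infection, so bucketing hits by where they live before acting avoids a lot of misdirected cleanup. As an added example (not from the thread and not Kaspersky's code), here is a Python parser for Kaspersky Online Scanner report lines that does that bucketing. The sample lines are constructed after the report above, with the NetSky attachment's space-padded "document.txt   .exe" name shortened; the final system32 line is a hypothetical live hit added so the one bucket that actually needs action is exercised.

```python
"""Bucket Kaspersky Online Scanner hits by where they live.

Added example for this thread, not Kaspersky's or the thread's own code.
Report lines have the form: <object path>   <status>   <action>, where a
nested object is written container/inner/..., and status is 'Infected:
<verdict>', 'Object is locked' or a roll-up such as 'ZIP: infected - 9'."""
import re
from collections import defaultdict

# Constructed sample modelled on the report posted above (padding in the
# NetSky attachment name shortened; the last line is a hypothetical live hit).
SAMPLE_REPORT = r"""
C:\avenger\backup.zip/avenger/jkhhf.dll   Infected: not-a-virus:AdWare.Win32.Virtumonde.da   skipped
C:\avenger\backup.zip   ZIP: infected - 9   skipped
C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Inbox/msg.eml/UNNAMED/buse_list.zip/document.txt                    .exe   Infected: Email-Worm.Win32.NetSky.q   skipped
C:\Documents and Settings\B\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\B\My Documents\Utilities & Updates\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Program Files\BitComet\Downloads\Windows XP Key Changer Pack\Key Changer.exe/data.rar/xpkey.exe   Infected: not-a-virus:PSWTool.Win32.RAS.a   skipped
C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024879.exe   Infected: Trojan-Downloader.Win32.Zlob.agf   skipped
C:\WINDOWS\system32\constructed_example.dll   Infected: Trojan.Win32.Example   skipped
"""

# The lazy path match lets the padded 'document.txt      .exe' name survive:
# a status keyword must follow the gap, so runs of spaces inside a name stay.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s{2,}"
    r"(?P<status>Infected: \S+|Object is locked|[\w ]+: infected - \d+)"
    r"\s{2,}(?P<action>\S+)\s*$"
)


def parse_report(text):
    """Return dicts with path, status, verdict (None for non-detections) and
    the scanner's action. Header and summary lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        status = m.group("status")
        verdict = status[len("Infected: "):] if status.startswith("Infected: ") else None
        records.append({"path": m.group("path"), "status": status,
                        "verdict": verdict, "action": m.group("action")})
    return records


def classify(rec):
    """Where the hit lives decides what to do about it."""
    p = rec["path"].lower()
    if rec["status"] == "Object is locked":
        return "locked"             # hives, logs, index.dat: not detections
    if rec["verdict"] is None:
        return "container_summary"  # 'ZIP: infected - 9' roll-up of inner hits
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # clear by turning System Restore off and on
    if "\\avenger\\backup.zip" in p:
        return "tool_backup"        # copies Avenger kept of the deleted files
    if ".pst/" in p:
        return "mail_store"         # delete the message in Outlook, not the .pst
    if rec["verdict"].startswith("not-a-virus:"):
        return "riskware"           # dialers, key tools, reboot utilities
    if "/" in p:
        return "inside_archive"     # dormant until extracted
    return "live_file"              # the only bucket that is an active threat


def triage(text):
    """Map bucket name -> list of object paths."""
    buckets = defaultdict(list)
    for rec in parse_report(text):
        buckets[classify(rec)].append(rec["path"])
    return dict(buckets)


def action_items(text):
    """Hits on the live file system that still need removal."""
    return triage(text).get("live_file", [])


if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket} ({len(paths)})")
        for path in paths:
            print("   ", path)
```

On the constructed sample only the hypothetical system32 line lands in live_file; the NetSky hit is correctly attributed to the mail store even though its file name contains a run of spaces, which a naive split on whitespace would have broken.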

Offline Benf

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
trouble, trouble, trouble!
« Reply #6 on: August 29, 2006, 12:35:39 PM »
One of my two email accounts has got blocked up with multiple repeat emails; it now gets to a point and stops receiving. I guess this is the worm virus in effect. I tried Netsky twice, it found nothing.

Offline Benf

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
trouble, trouble, trouble!
« Reply #7 on: August 29, 2006, 05:08:26 PM »
After following all your instructions I have not seen the virus warnings again, but I do have the above problems with Outlook, and my DSL connection keeps disconnecting. Then it won't allow me to reconnect; I have to restart my PC, then I can connect again.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
trouble, trouble, trouble!
« Reply #8 on: August 29, 2006, 11:00:19 PM »
Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {CB188FD0-FC0F-4AA8-B3FC-0DE5863B5954} - C:\WINDOWS\system32\jkhhf.dll (file missing)

O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll (file missing)

O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Let's try and deal with the connectivity problem
Are you having problems with Trend Micro's security suite?
Is it still up to date? If not we can get you an alternative
The log indicates you may be
You may want to totally uninstall the Trend Security suite>>Including the firewall, and reinstall it and see if that helps
If add/remove programs won't allow the uninstall
Take a look at this link
http://esupport.trendmicro.com/support/vie...p;id=EN-1030493

I don't use Outlook>>OE suffices for my needs
I'll try and help, try the following
Use the following link and take note of the 'Using the Inbox Repair Tool'
http://articles.techrepublic.com.com/5100-...11-1052339.html

We could try and rename your Inbox and create a new one and see if that helps?

Post a fresh hijackthis log afterwards
« Last Edit: August 29, 2006, 11:00:44 PM by guestolo »



Offline Benf

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
trouble, trouble, trouble!
« Reply #9 on: August 30, 2006, 04:41:03 PM »
Hi there, I think that may have sorted out the mail problem too. I have got rid of Trend Micro and I now have Kaspersky Anti-Virus 6 with Comodo Firewall, and they seem pretty good. This is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:36:34, on 30/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Comodo\Personal Firewall\CPF.exe
C:\Program Files\Comodo\LaunchPad\CLPTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm6y.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Documents and Settings\B\Desktop\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Personal Firewall\CPF.exe sysrestart
O4 - HKLM\..\Run: [Comodo Launch Pad Tray] C:\Program Files\Comodo\LaunchPad\CLPTray.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155766136796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9E39900-48F2-4505-996B-A69666BF7069}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe



How is it looking?!
« Last Edit: August 30, 2006, 04:43:28 PM by Benf »
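As an added example (not part of the thread, and not a HijackThis feature), the script below applies to the O4/O16/O17/O20/O23 lines of a log like the one above the checks a helper would otherwise do by eye: autoruns launched from user-writable paths, downloaded ActiveX controls (DPF) from hosts outside an allowlist, Winlogon Notify DLLs outside an allowlist, DNS servers to confirm with the ISP, and services reported as "(file missing)". The allowlists, the `example` names and the two lines marked constructed are assumptions made for the example; the other sample lines are copied from the log above.

```python
"""Triage helper for HijackThis 1.99.x log entries (added example, not part of
the thread). It applies a few rules a responder would check by hand on the
O4/O16/O17/O20/O23 lines and returns findings instead of printing them."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

Finding = Tuple[str, str, str]  # (entry type, verdict, detail)

# Allowlists are ASSUMPTIONS for this example, seeded from the log above;
# a real deployment would maintain them from vendor documentation.
KNOWN_WINLOGON_NOTIFY = {"klogon.dll", "wgalogon.dll"}  # Kaspersky, Windows Genuine Advantage
KNOWN_DPF_HOSTS = {"update.microsoft.com", "www.kaspersky.com", "acs.pandasoftware.com"}
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\", "\\local settings\\")

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O23 - Service: ...' into ('O23', 'Service: ...'); None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_o4(body: str) -> Finding:
    """Autoruns: anything launched from a user-writable path deserves a look."""
    m = re.match(r"^.*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", body)
    name, cmd = (m.group("name"), m.group("cmd")) if m else ("?", body)
    if any(marker in cmd.lower() for marker in USER_WRITABLE):
        return ("O4", "review", f"{name}: autorun from user-writable path: {cmd}")
    return ("O4", "ok", f"{name}: {cmd}")


def check_o16(body: str) -> Finding:
    """Downloaded ActiveX controls (DPF): flag hosts outside the allowlist.
    Truncated URLs (the '...' HijackThis prints) still yield the host part."""
    m = re.search(r"https?://\S+", body)
    host = urlparse(m.group(0)).hostname if m else None
    if host in KNOWN_DPF_HOSTS:
        return ("O16", "ok", f"ActiveX from {host}")
    return ("O16", "review", f"ActiveX control from unlisted host: {host}")


def check_o17(body: str) -> Finding:
    """DNS servers come from the ISP or router; only the user can confirm them."""
    m = re.search(r"NameServer\s*=\s*(.*)$", body)
    servers = m.group(1).split() if m else []
    return ("O17", "info", "confirm these DNS servers are your ISP's or router's: " + ", ".join(servers))


def check_o20(body: str) -> Finding:
    """Winlogon Notify DLLs load into winlogon.exe; unknown ones are a classic persistence spot."""
    m = re.match(r"Winlogon Notify:\s*(?P<key>\S+)\s*-\s*(?P<path>.*)$", body)
    path = m.group("path").strip() if m else body
    dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if dll in KNOWN_WINLOGON_NOTIFY:
        return ("O20", "ok", dll)
    return ("O20", "review", f"unlisted Winlogon Notify DLL: {path}")


def check_o23(body: str) -> Finding:
    """Services: '(file missing)' is worth checking, but a dangling quote before
    the arguments (avp.exe" -r) is HijackThis 1.99.1 misparsing a quoted
    ImagePath with parameters, so that case is downgraded to info."""
    if "(file missing)" not in body:
        return ("O23", "ok", body)
    if re.search(r'\.exe"\s+-', body):
        return ("O23", "info", "'(file missing)' after a dangling quote; likely a quoted "
                "ImagePath with arguments, confirm the binary exists: " + body)
    return ("O23", "review", "service binary reported missing: " + body)


CHECKS = {"O4": check_o4, "O16": check_o16, "O17": check_o17, "O20": check_o20, "O23": check_o23}


def triage(log_text: str) -> List[Finding]:
    """Run every applicable check over a pasted HijackThis log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry[0] in CHECKS:
            findings.append(CHECKS[entry[0]](entry[1]))
    return findings


def needs_attention(findings: List[Finding]) -> List[Finding]:
    """Only the entries a helper would ask the poster to investigate."""
    return [f for f in findings if f[1] == "review"]


# Sample lines copied from the HijackThis log above (trimmed to the entry types checked).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9E39900-48F2-4505-996B-A69666BF7069}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
# Two CONSTRUCTED lines (not from the thread) so the 'review' path is exercised.
CONSTRUCTED_LINES = r"""
O4 - HKCU\..\Run: [example] C:\Documents and Settings\B\Local Settings\Temp\example.exe
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
"""

if __name__ == "__main__":
    for kind, verdict, detail in triage(SAMPLE_LOG + CONSTRUCTED_LINES):
        print(f"{kind:<4} {verdict:<7} {detail}")
```

On the posted log every entry comes back "ok" or "info"; the only item that looks alarming, the AVP service marked "(file missing)", is downgraded because of the dangling quote, which is the well-known HijackThis 1.99.1 misparse of a quoted ImagePath that carries arguments. The two constructed lines show what a genuine hit looks like.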

Offline Benf
trouble, trouble, trouble!
« Reply #10 on: August 30, 2006, 05:20:06 PM »
Unfortunately I still have the problem with my connection: it cuts out after 10-15 mins, then I can't reconnect through it and I have to restart my computer. Could the virus I had have affected my networking files/settings?

Offline guestolo (Administrator)
trouble, trouble, trouble!
« Reply #11 on: August 30, 2006, 08:50:50 PM »
Let's just double-check to see if it's now malware related.
Download this file - Combofix.exe - and save it to the desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Benf
trouble, trouble, trouble!
« Reply #12 on: September 01, 2006, 02:50:45 PM »
Sorry for the delay in coming back to you, but my computer suddenly refused to send any data. I could not post on here, send emails, or download from the internet, though I could receive mail and surf OK.
Working again now after reinstalling the modem drivers. Now getting alerts that trojan-dropper.win32.agent.avl is in the ComboFix file, and it will not let me download it again. I have a log I made yesterday from it, so I will include that and a HijackThis report.

This virus-removal business is pretty complex, isn't it?!

Anyway:

B - 06-08-31  9:03:50.78
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\B\Desktop

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
 
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\components
 
 
(((((((((((((((((((((((((((((((   Files Created from 2006-07-31 to 2006-08-31  ))))))))))))))))))))))))))))))))))
 

2006-08-29   09:05   670,704   ---hs----   C:\WINDOWS\system32\fhhkj.bak2
2006-08-28   15:02   53,248   --a------   C:\WINDOWS\system32\Process.exe
2006-08-28   15:02   42,496   --a------   C:\WINDOWS\system32\swreg.exe
2006-08-28   15:02   40,960   --a------   C:\WINDOWS\system32\swsc.exe
2006-08-28   15:02   288,417   --a------   C:\WINDOWS\system32\SrchSTS.exe
2006-08-28   12:48   632,065   ---hs----   C:\WINDOWS\system32\fhhkj.bak1
2006-08-25   20:16   21,504   --a------   C:\WINDOWS\system32\hidserv.dll
2006-08-24   22:35   49,152   --a------   C:\WINDOWS\system32\ffdrv1.dll
2006-08-24   22:35   290,816   --a------   C:\WINDOWS\system32\Projoycpl.dll
2006-08-24   22:27   43,520   --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2006-08-24   14:16   737,280   --a------   C:\WINDOWS\iun6002.exe
2006-08-23   13:53   5,632   --a------   C:\WINDOWS\system32\ptpusb.dll
2006-08-23   13:53   159,232   --a------   C:\WINDOWS\system32\ptpusd.dll
2006-08-22   22:58   476,320   ---------   C:\WINDOWS\system32\ImagXpr7.dll
2006-08-22   22:58   471,040   ---------   C:\WINDOWS\system32\ImagXRA7.dll
2006-08-22   22:58   262,144   ---------   C:\WINDOWS\system32\ImagXR7.dll
2006-08-22   22:58   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2006-08-22   22:58   106,496   --a------   C:\WINDOWS\system32\TwnLib20.dll
2006-08-22   22:58   1,568,768   ---------   C:\WINDOWS\system32\ImagX7.dll
2006-08-22   21:45   98,304   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2006-08-18   15:06   86,016   --a------   C:\WINDOWS\system32\SageNatWestBankline.dll
2006-08-18   15:06   86,016   --a------   C:\WINDOWS\system32\SageBankPayments.dll
2006-08-18   15:06   81,920   --a------   C:\WINDOWS\system32\SGUserInfo.dll
2006-08-18   15:06   81,920   --a------   C:\WINDOWS\system32\SageNatWestOnline.dll
2006-08-18   15:06   81,920   --a------   C:\WINDOWS\system32\sageebanking.dll
2006-08-18   15:06   81,920   --a------   C:\WINDOWS\system32\SageBarclaysOnline.dll
2006-08-18   15:06   81,920   --a------   C:\WINDOWS\system32\SageBarclaysBusinessMasterII.dll
2006-08-18   15:06   69,632   --a------   C:\WINDOWS\system32\SageBankBalances.dll
2006-08-18   15:06   61,440   --a------   C:\WINDOWS\system32\BankServiceUtilities.dll
2006-08-18   15:06   37,224   --a------   C:\WINDOWS\system32\SageStorage.dll
2006-08-18   15:06   368,696   --a------   C:\WINDOWS\system32\S10DBC32.dll
2006-08-18   15:06   335,872   --a------   C:\WINDOWS\system32\SGINFMR.dll
2006-08-18   15:06   322,832   ---------   C:\WINDOWS\system32\MFC30.DLL
2006-08-18   15:06   192,512   --a------   C:\WINDOWS\system32\SageBankReconciliation.dll
2006-08-18   15:06   167,936   --a------   C:\WINDOWS\system32\SGXMLQry.dll
2006-08-18   15:06   139,264   --a------   C:\WINDOWS\system32\SGISAQry.dll
2006-08-18   15:06   127,352   --a------   C:\WINDOWS\system32\SageSoftwareUpdate.dll
2006-08-18   15:06   126,976   --a------   C:\WINDOWS\system32\SGInfProgressBar.dll
2006-08-18   15:06   119,160   --a------   C:\WINDOWS\system32\SageFolderBrowse.dll
2006-08-18   11:30   16,384   --a------   C:\WINDOWS\system32\FileOps.exe
2006-08-17   22:50   60,416   --a------   C:\WINDOWS\system32\DSETUP.dll
2006-08-17   22:48   92,160   --a------   C:\WINDOWS\system32\evntwin.exe
2006-08-17   22:48   8,704   --a------   C:\WINDOWS\system32\snmptrap.exe
2006-08-17   22:48   6,144   --a------   C:\WINDOWS\system32\snmpmib.dll
2006-08-17   22:48   39,936   --a------   C:\WINDOWS\system32\hostmib.dll
2006-08-17   22:48   33,792   --a------   C:\WINDOWS\system32\lmmib2.dll
2006-08-17   22:48   32,768   --a------   C:\WINDOWS\system32\snmp.exe
2006-08-17   22:48   24,064   --a------   C:\WINDOWS\system32\evntcmd.exe
2006-08-17   22:48   101,888   --a------   C:\WINDOWS\system32\evntagnt.dll
2006-08-17   14:41   7,680   --a------   C:\WINDOWS\system32\CNMVS6y.DLL
2006-08-17   14:41   116,736   --a------   C:\WINDOWS\system32\CNMLM6y.DLL
2006-08-17   14:32   98,304   --a------   C:\WINDOWS\system32\CNCSUT60.DLL
2006-08-17   14:32   90,112   --a------   C:\WINDOWS\system32\CNCI780.DLL
2006-08-17   14:32   81,920   --a------   C:\WINDOWS\system32\CNCSTR60.DLL
2006-08-17   14:32   81,920   --a------   C:\WINDOWS\system32\CNCSIF60.DLL
2006-08-17   14:32   77,824   --a------   C:\WINDOWS\system32\CNCSCM60.DLL
2006-08-17   14:32   69,632   --a------   C:\WINDOWS\system32\CNCL780.DLL
2006-08-17   14:32   561,152   --a------   C:\WINDOWS\system32\CNCC780.DLL
2006-08-17   14:32   49,152   --a------   C:\WINDOWS\system32\cncisco.dll
2006-08-17   14:32   389,180   --a------   C:\WINDOWS\system32\UCS32P.DLL
2006-08-17   14:32   110,592   --a------   C:\WINDOWS\system32\CNCSDO60.DLL
2006-08-17   14:31   20,480   --a------   C:\WINDOWS\system32\CNCFMS60.EXE
2006-08-17   14:31   120,320   --a------   C:\WINDOWS\system32\CNCF2L60.DLL
2006-08-17   13:02   1,650,688   --a------   C:\WINDOWS\system32\cdintf250.dll
2006-08-17   08:39   127,208   --a------   C:\WINDOWS\system32\mucltui.dll
2006-08-16   20:45   53,760   --a------   C:\WINDOWS\system32\vfwwdm32.dll
2006-08-16   20:45   363,520   --a------   C:\WINDOWS\system32\PsisDecd.dll
2006-08-16   20:43   520,192   ---------   C:\WINDOWS\system32\ati2sgag.exe
2006-08-16   13:10   4,096   --a------   C:\WINDOWS\system32\ksuser.dll
2006-08-16   13:08   74,240   --a------   C:\WINDOWS\system32\usbui.dll
2006-08-16   13:07   85,020   --a------   C:\WINDOWS\system32\dgsetup.dll
2006-08-16   13:07   8,192   -ra------   C:\WINDOWS\system32\kbdhept.dll
2006-08-16   13:07   7,168   -ra------   C:\WINDOWS\system32\kbdcz.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdycl.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdsl1.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdsl.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdpl.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdhu.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdhela3.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdcz2.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdcz1.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\kbdcr.dll
2006-08-16   13:07   6,656   -ra------   C:\WINDOWS\system32\KBDAL.DLL
2006-08-16   13:07   6,144   -ra------   C:\WINDOWS\system32\kbdtuq.dll
2006-08-16   13:07   6,144   -ra------   C:\WINDOWS\system32\kbdtuf.dll
2006-08-16   13:07   6,144   -ra------   C:\WINDOWS\system32\kbdlv1.dll
2006-08-16   13:07   6,144   -ra------   C:\WINDOWS\system32\kbdlv.dll
2006-08-16   13:07   6,144   -ra------   C:\WINDOWS\system32\kbdhela2.dll
2006-08-16   13:07   6,144   -ra------   C:\WINDOWS\system32\kbdgkl.dll
2006-08-16   13:07   6,144   -ra------   C:\WINDOWS\system32\kbdest.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdycc.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbduzb.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdur.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdtat.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdru1.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdru.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdro.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdpl1.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdmon.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdlt1.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdlt.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdkyr.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdkaz.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdhu1.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdhe319.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdhe220.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdhe.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdbu.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdblr.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdazel.dll
2006-08-16   13:07   5,632   -ra------   C:\WINDOWS\system32\kbdaze.dll
2006-08-16   13:07   24,661   --a------   C:\WINDOWS\system32\spxcoins.dll
2006-08-16   13:07   176,157   --a------   C:\WINDOWS\system32\dgrpsetu.dll
2006-08-16   13:07   13,312   --a------   C:\WINDOWS\system32\irclass.dll
2006-08-16   13:06   8,704   --a------   C:\WINDOWS\system32\batt.dll
2006-08-16   13:06   74,752   --a------   C:\WINDOWS\system32\storprop.dll
2006-08-16   13:06   69,120   --a------   C:\WINDOWS\NOTEPAD.EXE
2006-08-16   13:06   15,360   --a------   C:\WINDOWS\TASKMAN.EXE
2006-08-16   13:06   103,424   --a------   C:\WINDOWS\system32\EqnClass.Dll
2006-08-16   12:34   5,606   --a------   C:\WINDOWS\system32\stci.dll
2006-08-16   12:29   9,709,568   -r-------   C:\WINDOWS\RTLCPL.exe
2006-08-16   12:29   86,016   -r-------   C:\WINDOWS\SoundMan.exe
2006-08-16   12:29   69,632   -r-------   C:\WINDOWS\Alcmtr.exe
2006-08-16   12:29   40,960   -r-------   C:\WINDOWS\system32\ChCfg.exe
2006-08-16   12:29   385,024   -r-------   C:\WINDOWS\system32\JMRaidTool.exe
2006-08-16   12:29   364,544   -r-------   C:\WINDOWS\RtlUpd.exe
2006-08-16   12:29   306,688   --a------   C:\WINDOWS\IsUninst.exe
2006-08-16   12:29   2,879,488   -r-------   C:\WINDOWS\SkyTel.exe
2006-08-16   12:29   2,808,832   -r-------   C:\WINDOWS\alcwzrd.exe
2006-08-16   12:29   2,158,592   -r-------   C:\WINDOWS\MicCal.exe
2006-08-16   12:29   16,208,384   -r-------   C:\WINDOWS\RTHDCPL.exe
2006-08-16   12:29   135,168   -r-------   C:\WINDOWS\system32\RtlCPAPI.dll
2006-08-16   12:28   487,424   -r-------   C:\WINDOWS\RtlExUpd.dll
2006-08-16   12:28   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
2006-08-16   12:16   112,128   --a------   C:\WINDOWS\system32\mapi32.dll
2006-08-16   12:16   0   -rahs----   C:\MSDOS.SYS
2006-08-16   12:16   0   -rahs----   C:\IO.SYS
2006-08-16   12:16   0   --a------   C:\CONFIG.SYS
2006-08-16   12:16   0   --a------   C:\AUTOEXEC.BAT
2006-08-16   12:14   64,512   --a------   C:\WINDOWS\system32\acctres.dll
2006-08-16   12:14   6,656   --a------   C:\WINDOWS\system32\wuauserv.dll
2006-08-16   12:14   194,328   --a------   C:\WINDOWS\system32\wuaueng1.dll
2006-08-16   12:14   173,536   --a------   C:\WINDOWS\system32\wuweb.dll
2006-08-16   12:14   16,384   --a------   C:\WINDOWS\system32\icfgnt5.dll
2006-08-16   12:14   127,256   --a------   C:\WINDOWS\system32\wucltui.dll
2006-08-16   12:14   12,288   --a------   C:\WINDOWS\system32\nmevtmsg.dll
2006-08-16   12:14   11,264   --a------   C:\WINDOWS\system32\atrace.dll
2006-08-16   12:13   81,920   --a------   C:\WINDOWS\system32\isign32.dll
2006-08-16   12:13   81,920   --a------   C:\WINDOWS\system32\ils.dll
2006-08-16   12:13   8,192   --a------   C:\WINDOWS\system32\bitsprx2.dll
2006-08-16   12:13   73,728   --a------   C:\WINDOWS\system32\icwdial.dll
2006-08-16   12:13   7,168   --a------   C:\WINDOWS\system32\bitsprx3.dll
2006-08-16   12:13   69,632   --a------   C:\WINDOWS\system32\msconf.dll
2006-08-16   12:13   679,424   --a------   C:\WINDOWS\system32\inetcomm.dll
2006-08-16   12:13   67,584   --a------   C:\WINDOWS\system32\srclient.dll
2006-08-16   12:13   65,536   --a------   C:\WINDOWS\system32\icwphbk.dll
2006-08-16   12:13   48,128   --a------   C:\WINDOWS\system32\inetres.dll
2006-08-16   12:13   465,176   --a------   C:\WINDOWS\system32\wuapi.dll
2006-08-16   12:13   45,568   --a------   C:\WINDOWS\system32\safrslv.dll
2006-08-16   12:13   43,520   --a------   C:\WINDOWS\system32\safrcdlg.dll
2006-08-16   12:13   43,520   --a------   C:\WINDOWS\system32\racpldlg.dll
2006-08-16   12:13   41,240   --a------   C:\WINDOWS\system32\wups.dll
2006-08-16   12:13   382,464   --a------   C:\WINDOWS\system32\qmgr.dll
2006-08-16   12:13   34,560   --a------   C:\WINDOWS\system32\mnmdd.dll
2006-08-16   12:13   32,768   --a------   C:\WINDOWS\system32\mnmsrvc.exe
2006-08-16   12:13   32,768   --a------   C:\WINDOWS\system32\isrdbg32.dll
2006-08-16   12:13   29,696   --a------   C:\WINDOWS\system32\safrdm.dll
2006-08-16   12:13   28,672   --a------   C:\WINDOWS\system32\nmmkcert.dll
2006-08-16   12:13   274,944   --a------   C:\WINDOWS\system32\mstask.dll
2006-08-16   12:13   274,432   --a------   C:\WINDOWS\system32\inetcfg.dll
2006-08-16   12:13   252,928   --a------   C:\WINDOWS\system32\msoeacct.dll
2006-08-16   12:13   239,104   --a------   C:\WINDOWS\system32\srrstr.dll
2006-08-16   12:13   22,528   --a------   C:\WINDOWS\system32\fltMc.exe
2006-08-16   12:13   190,976   --a------   C:\WINDOWS\system32\schedsvc.dll
2006-08-16   12:13   18,944   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2006-08-16   12:13   172,312   --a------   C:\WINDOWS\system32\wuauclt1.exe
2006-08-16   12:13   170,496   --a------   C:\WINDOWS\system32\srsvc.dll
2006-08-16   12:13   16,896   --a------   C:\WINDOWS\system32\fltlib.dll
2006-08-16   12:13   124,184   --a------   C:\WINDOWS\system32\wuauclt.exe
2006-08-16   12:13   12,288   --a------   C:\WINDOWS\system32\mstinit.exe
2006-08-16   12:13   105,984   --a------   C:\WINDOWS\system32\msoert2.dll
2006-08-16   12:13   1,343,768   --a------   C:\WINDOWS\system32\wuaueng.dll
2006-08-16   12:12   97,792   --a------   C:\WINDOWS\system32\comrepl.dll
2006-08-16   12:12   9,728   --a------   C:\WINDOWS\system32\reset.exe
2006-08-16   12:12   80,384   --a------   C:\WINDOWS\system32\charmap.exe
2006-08-16   12:12   73,216   --a------   C:\WINDOWS\system32\avwav.dll
2006-08-16   12:12   605,696   --a------   C:\WINDOWS\system32\getuname.dll
2006-08-16   12:12   56,832   --a------   C:\WINDOWS\system32\sol.exe
2006-08-16   12:12   55,296   --a------   C:\WINDOWS\system32\freecell.exe
2006-08-16   12:12   54,272   --a------   C:\WINDOWS\system32\stclient.dll
2006-08-16   12:12   5,632   --a------   C:\WINDOWS\system32\write.exe
2006-08-16   12:12   5,120   --a------   C:\WINDOWS\system32\dcomcnfg.exe
2006-08-16   12:12   44,544   --a------   C:\WINDOWS\system32\hticons.dll
2006-08-16   12:12   4,096   --a------   C:\WINDOWS\system32\rdpcfgex.dll
2006-08-16   12:12   4,096   --a------   C:\WINDOWS\system32\mtxex.dll
2006-08-16   12:12   35,328   --a------   C:\WINDOWS\system32\winchat.exe
2006-08-16   12:12   33,792   --a------   C:\WINDOWS\system32\regini.exe
2006-08-16   12:12   25,600   --a------   C:\WINDOWS\system32\comaddin.dll
2006-08-16   12:12   25,088   --a------   C:\WINDOWS\system32\mtxlegih.dll
2006-08-16   12:12   227,840   --a------   C:\WINDOWS\system32\avtapi.dll
2006-08-16   12:12   22,016   --a------   C:\WINDOWS\system32\qwinsta.exe
2006-08-16   12:12   20,992   --a------   C:\WINDOWS\system32\msg.exe
2006-08-16   12:12   20,480   --a------   C:\WINDOWS\system32\mtxdm.dll
2006-08-16   12:12   16,896   --a------   C:\WINDOWS\system32\tsshutdn.exe
2006-08-16   12:12   16,896   --a------   C:\WINDOWS\system32\qappsrv.exe
2006-08-16   12:12   16,384   --a------   C:\WINDOWS\system32\tskill.exe
2006-08-16   12:12   16,384   --a------   C:\WINDOWS\system32\avmeter.dll
2006-08-16   12:12   15,872   --a------   C:\WINDOWS\system32\rwinsta.exe
2006-08-16   12:12   15,872   --a------   C:\WINDOWS\system32\cdmodem.dll
2006-08-16   12:12   15,360   --a------   C:\WINDOWS\system32\logoff.exe
2006-08-16   12:12   147,456   --a------   C:\WINDOWS\system32\comsnap.dll
2006-08-16   12:12   14,848   --a------   C:\WINDOWS\system32\tsdiscon.exe
2006-08-16   12:12   14,848   --a------   C:\WINDOWS\system32\tscon.exe
2006-08-16   12:12   14,848   --a------   C:\WINDOWS\system32\shadow.exe
2006-08-16   12:12   138,752   --a------   C:\WINDOWS\system32\sndvol32.exe
2006-08-16   12:12   126,976   --a------   C:\WINDOWS\system32\mshearts.exe
2006-08-16   12:12   119,808   --a------   C:\WINDOWS\system32\winmine.exe
2006-08-16   12:12   114,688   --a------   C:\WINDOWS\system32\calc.exe
2006-08-16   12:12   1,161   --a------   C:\WINDOWS\system32\usrlogon.cmd
2006-08-16   12:11   956,416   --a------   C:\WINDOWS\system32\msdtctm.dll
2006-08-16   12:11   93,696   --a------   C:\WINDOWS\system32\tscfgwmi.dll
2006-08-16   12:11   91,136   --a------   C:\WINDOWS\system32\mtxoci.dll
2006-08-16   12:11   87,176   --a------   C:\WINDOWS\system32\rdpwsx.dll
2006-08-16   12:11   85,504   --a------   C:\WINDOWS\system32\catsrvps.dll
2006-08-16   12:11   67,072   --a------   C:\WINDOWS\system32\rdshost.exe
2006-08-16   12:11   655,360   --a------   C:\WINDOWS\system32\mstscax.dll
2006-08-16   12:11   625,152   --a------   C:\WINDOWS\system32\catsrvut.dll
2006-08-16   12:11   62,464   --a------   C:\WINDOWS\system32\rdpclip.exe
2006-08-16   12:11   60,416   --a------   C:\WINDOWS\system32\remotepg.dll
2006-08-16   12:11   60,416   --a------   C:\WINDOWS\system32\colbact.dll
2006-08-16   12:11   6,144   --a------   C:\WINDOWS\system32\msdtc.exe
2006-08-16   12:11   58,880   --a------   C:\WINDOWS\system32\msdtclog.dll
2006-08-16   12:11   58,880   --a------   C:\WINDOWS\system32\licwmi.dll
2006-08-16   12:11   56,320   --a------   C:\WINDOWS\system32\servdeps.dll
2006-08-16   12:11   540,160   --a------   C:\WINDOWS\system32\comuid.dll
2006-08-16   12:11   538,624   --a------   C:\WINDOWS\system32\spider.exe
2006-08-16   12:11   498,688   --a------   C:\WINDOWS\system32\clbcatq.dll
2006-08-16   12:11   44,544   --a------   C:\WINDOWS\system32\tscupgrd.exe
2006-08-16   12:11   426,496   --a------   C:\WINDOWS\system32\msdtcprx.dll
2006-08-16   12:11   407,552   --a------   C:\WINDOWS\system32\mstsc.exe
2006-08-16   12:11   38,912   --a------   C:\WINDOWS\system32\cfgbkend.dll
2006-08-16   12:11   347,136   --a------   C:\WINDOWS\system32\hypertrm.dll
2006-08-16   12:11   343,040   --a------   C:\WINDOWS\system32\mspaint.exe
2006-08-16   12:11   295,424   --a------   C:\WINDOWS\system32\termsrv.dll
2006-08-16   12:11   225,792   --a------   C:\WINDOWS\system32\catsrv.dll
2006-08-16   12:11   20,480   --a------   C:\WINDOWS\system32\qprocess.exe
2006-08-16   12:11   19,968   --a------   C:\WINDOWS\system32\rdpsnd.dll
2006-08-16   12:11   185,344   --a------   C:\WINDOWS\system32\cmprops.dll
2006-08-16   12:11   183,808   --a------   C:\WINDOWS\system32\accwiz.exe
2006-08-16   12:11   17,408   --a------   C:\WINDOWS\system32\mmfutil.dll
2006-08-16   12:11   161,280   --a------   C:\WINDOWS\system32\msdtcuiu.dll
2006-08-16   12:11   147,968   --a------   C:\WINDOWS\system32\rdchost.dll
2006-08-16   12:11   140,800   --a------   C:\WINDOWS\system32\sessmgr.exe
2006-08-16   12:11   131,584   --a------   C:\WINDOWS\system32\sndrec32.exe
2006-08-16   12:11   13,824   --a------   C:\WINDOWS\system32\rdsaddin.exe
2006-08-16   12:11   123,392   --a------   C:\WINDOWS\system32\mplay32.exe
2006-08-16   12:11   110,080   --a------   C:\WINDOWS\system32\clbcatex.dll
2006-08-16   12:11   11,776   --a------   C:\WINDOWS\system32\xolehlp.dll
2006-08-16   12:11   11,264   --a------   C:\WINDOWS\system32\icaapi.dll
2006-08-16   12:11   102,912   --a------   C:\WINDOWS\system32\clipbrd.exe
2006-08-16   12:11   1,267,200   --a------   C:\WINDOWS\system32\comsvcs.dll
 

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-31 00:47   --------   d--------   C:\Program Files\GetRight
2006-08-30 23:12   --------   d--------   C:\Documents and Settings\B\Application Data\Skype
2006-08-29 23:15   --------   d--------   C:\Documents and Settings\B\Application Data\GetRightToGo
2006-08-29 21:39   --------   d--------   C:\Program Files\ewido anti-spyware 4.0
2006-08-29 20:25   --------   d--------   C:\Program Files\Kaspersky Lab
2006-08-29 20:18   --------   d--------   C:\Program Files\Trustix
2006-08-29 19:20   --------   d--------   C:\Documents and Settings\B\Application Data\Comodo
2006-08-29 19:15   --------   d--------   C:\Program Files\Comodo
2006-08-29 16:02   --------   d--------   C:\Program Files\CleanUp!
2006-08-28 12:51   --------   d--------   C:\Program Files\Lavasoft
2006-08-28 12:51   --------   d--------   C:\Documents and Settings\B\Application Data\Lavasoft
2006-08-28 12:37   --------   d--------   C:\Documents and Settings\B\Application Data\Google
2006-08-28 12:36   --------   d--h-----   C:\Program Files\InstallShield Installation Information
2006-08-28 12:36   --------   d--------   C:\Program Files\Google
2006-08-27 21:38   --------   d--------   C:\Program Files\GameSpy Arcade
2006-08-27 20:13   --------   d--------   C:\Program Files\EA GAMES
2006-08-27 16:13   --------   d--------   C:\Program Files\The All-Seeing Eye
2006-08-27 14:55   --------   d--------   C:\Program Files\Common Files\EasyInfo
2006-08-27 14:55   --------   d--------   C:\Program Files\Common Files
2006-08-25 22:07   --------   d--------   C:\Program Files\OfficeUpdate11
2006-08-24 22:35   --------   d--------   C:\Program Files\Superjoy Box Pro
2006-08-24 22:25   --------   d--------   C:\Program Files\Pro Evolution Soccer 5
2006-08-24 14:15   --------   d--------   C:\Program Files\PES5
2006-08-24 10:07   --------   d---s----   C:\Documents and Settings\B\Application Data\Microsoft
2006-08-23 15:41   --------   d--------   C:\Documents and Settings\B\Application Data\Real
2006-08-23 15:40   --------   d--------   C:\Program Files\Real
2006-08-23 15:40   --------   d--------   C:\Program Files\Common Files\xing shared
2006-08-23 15:40   --------   d--------   C:\Program Files\Common Files\Real
2006-08-23 13:49   --------   d--------   C:\Documents and Settings\B\Application Data\Samsung
2006-08-23 10:33   --------   d--------   C:\Program Files\Karndean International
2006-08-22 22:58   --------   d--------   C:\Program Files\Common Files\Ahead
2006-08-22 22:58   --------   d--------   C:\Program Files\Ahead
2006-08-22 21:44   --------   d--------   C:\Program Files\Sierra
2006-08-22 07:55   --------   d--------   C:\Program Files\Microsoft IntelliPoint
2006-08-19 23:29   --------   d--------   C:\Program Files\ATITool
2006-08-19 19:36   --------   d--------   C:\Documents and Settings\B\Application Data\My Battle for Middle-earth(tm) II Files
2006-08-19 18:16   --------   d--------   C:\Program Files\Common Files\WhenU
2006-08-19 18:12   --------   d--------   C:\Program Files\Electronic Arts
2006-08-19 16:49   --------   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2006-08-19 16:44   --------   d--------   C:\Documents and Settings\B\Application Data\Adobe
2006-08-19 16:42   --------   d--------   C:\Program Files\TechSmith
2006-08-19 15:38   --------   d--------   C:\Program Files\Windows Media Player
2006-08-18 20:11   41888   --a------   C:\WINDOWS\system32\drivers\Oreans.sys
2006-08-18 19:57   --------   d--------   C:\Program Files\Samsung
2006-08-18 16:14   --------   d--------   C:\Program Files\Inland Revenue
2006-08-18 15:17   --------   d--------   C:\Program Files\Common Files\Microsoft Shared
2006-08-18 15:06   --------   d--------   C:\Program Files\Sage EBanking
2006-08-18 15:06   --------   d--------   C:\Program Files\Informer50
2006-08-18 15:05   --------   d--------   C:\Program Files\Sage
2006-08-18 15:05   --------   d--------   C:\Program Files\Common Files\Sage Line50
2006-08-18 11:35   --------   d--------   C:\Program Files\Common Files\Adobe
2006-08-18 11:35   --------   d--------   C:\Program Files\Adobe
2006-08-18 09:26   --------   d--------   C:\Program Files\Microsoft IntelliType Pro 5.5
2006-08-18 09:26   --------   d--------   C:\Program Files\Microsoft IntelliType Pro
2006-08-17 23:06   --------   d--------   C:\Program Files\GIGABYTE
2006-08-17 22:06   --------   d--------   C:\Program Files\Valve
2006-08-17 18:17   163644   --a------   C:\WINDOWS\system32\drivers\secdrv.sys
2006-08-17 18:01   --------   d--------   C:\Program Files\Activision
2006-08-17 14:56   --------   d--------   C:\Program Files\Bethesda Softworks
2006-08-17 14:32   --------   d--------   C:\Program Files\Canon
2006-08-17 13:36   --------   d--------   C:\Program Files\Common Files\Intuit
2006-08-17 13:36   --------   d--------   C:\Program Files\Common Files\AnswerWorks 4.0
2006-08-17 13:35   --------   d--------   C:\Program Files\Intuit
2006-08-17 13:28   --------   d--------   C:\Documents and Settings\B\Application Data\AdobeUM
2006-08-17 12:58   --------   d--------   C:\Program Files\Common Files\SWF Studio
2006-08-17 12:58   --------   d--------   C:\Documents and Settings\B\Application Data\Macromedia
2006-08-17 12:11   --------   d--------   C:\Program Files\Common Files\Adobe Systems Shared
2006-08-17 11:28   --------   d--------   C:\Program Files\Microsoft IntelliPoint 5.2
2006-08-17 09:24   --------   d--------   C:\Program Files\Trend Micro
2006-08-17 08:41   --------   d--------   C:\Program Files\Smart Projects
2006-08-17 00:50   --------   d--------   C:\Program Files\Skype
2006-08-16 23:52   223128   --a------   C:\WINDOWS\system32\drivers\dtscsi.sys
2006-08-16 23:52   --------   d--------   C:\Program Files\DAEMON Tools
2006-08-16 23:48   --------   d--------   C:\Program Files\MSN
2006-08-16 23:40   --------   d--------   C:\Program Files\Messenger
2006-08-16 23:30   --------   d--------   C:\Documents and Settings\B\Application Data\MSNInstaller
2006-08-16 23:19   96256   --a------   C:\WINDOWS\system32\drivers\sptd0941.sys
2006-08-16 23:19   643072   --a------   C:\WINDOWS\system32\drivers\sptd.sys
2006-08-16 23:18   --------   d--------   C:\Program Files\BitComet
2006-08-16 23:08   --------   d--------   C:\Program Files\Internet Explorer
2006-08-16 22:07   --------   d--------   C:\Program Files\TuneUp Utilities 2006
2006-08-16 22:07   --------   d--------   C:\Documents and Settings\B\Application Data\TuneUp Software
2006-08-16 22:06   --------   d--------   C:\Program Files\WinRAR
2006-08-16 21:40   --------   d--------   C:\Program Files\Futuremark
2006-08-16 21:15   --------   d--------   C:\Program Files\Outlook Express
2006-08-16 21:15   --------   d--------   C:\Program Files\Common Files\System
2006-08-16 20:48   --------   d--------   C:\Documents and Settings\B\Application Data\ATI
2006-08-16 20:45   --------   d--------   C:\Program Files\Common Files\InstallShield
2006-08-16 20:45   --------   d--------   C:\Program Files\ATI Technologies
2006-08-16 20:40   --------   d--------   C:\Program Files\Microsoft Office
2006-08-16 20:40   --------   d--------   C:\Program Files\Microsoft ActiveSync
2006-08-16 20:40   --------   d--------   C:\Program Files\Common Files\Designer
2006-08-16 13:07   --------   d--------   C:\Program Files\Common Files\SpeechEngines
2006-08-16 13:07   --------   d--------   C:\Program Files\Common Files\ODBC
2006-08-16 13:06   62   --ahs----   C:\Documents and Settings\B\Application Data\desktop.ini
2006-08-16 12:34   --------   d--------   C:\Program Files\Thomson
2006-08-16 12:29   --------   d--------   C:\Program Files\Realtek
2006-08-16 12:26   --------   d--------   C:\Program Files\Intel
2006-08-16 12:22   --------   d--h-----   C:\Program Files\Uninstall Information
2006-08-16 12:22   --------   d--------   C:\Documents and Settings\B\Application Data\Identities
2006-08-16 12:16   --------   d--------   C:\Program Files\xerox
2006-08-16 12:16   --------   d--------   C:\Program Files\microsoft frontpage
2006-08-16 12:15   --------   d--h-----   C:\Program Files\WindowsUpdate
2006-08-16 12:14   --------   d--------   C:\Program Files\NetMeeting
2006-08-16 12:14   --------   d--------   C:\Program Files\Common Files\Services
2006-08-16 12:14   --------   d--------   C:\Program Files\Common Files\MSSoap
2006-08-16 12:13   --------   d--------   C:\Program Files\Movie Maker
2006-08-16 12:12   --------   d--------   C:\Program Files\Windows NT
2006-08-16 12:12   --------   d--------   C:\Program Files\Online Services
2006-08-16 12:12   --------   d--------   C:\Program Files\MSN Gaming Zone
2006-08-16 12:12   --------   d--------   C:\Program Files\ComPlus Applications
2006-07-21 09:24   72704   --a------   C:\WINDOWS\system32\hlink.dll
2006-07-19 03:58   258048   --a------   C:\WINDOWS\system32\ati2dvag.dll
2006-07-19 03:58   1621504   --a------   C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-07-19 03:53   77824   --a------   C:\WINDOWS\system32\Oemdspif.dll
2006-07-19 03:53   26112   --a------   C:\WINDOWS\system32\Ati2mdxx.exe
2006-07-19 03:53   114688   --a------   C:\WINDOWS\system32\atipdlxx.dll
2006-07-19 03:52   86016   --a------   C:\WINDOWS\system32\ati2evxx.dll
2006-07-19 03:52   41984   --a------   C:\WINDOWS\system32\ati2edxx.dll
2006-07-19 03:51   53248   --a------   C:\WINDOWS\system32\ATIDDC.DLL
2006-07-19 03:51   401408   --a------   C:\WINDOWS\system32\ati2evxx.exe
2006-07-19 03:44   2732608   --a------   C:\WINDOWS\system32\ati3duag.dll
2006-07-19 03:39   1744416   --a------   C:\WINDOWS\system32\ativvaxx.dll
2006-07-19 03:27   204800   --a------   C:\WINDOWS\system32\atikvmag.dll
2006-07-19 03:26   17408   --a------   C:\WINDOWS\system32\atitvo32.dll
2006-07-19 03:23   307200   --a------   C:\WINDOWS\system32\atiiiexx.dll
2006-07-19 03:22   6684672   --a------   C:\WINDOWS\system32\atioglx1.dll
2006-07-19 03:22   286720   --a------   C:\WINDOWS\system32\ati2cqag.dll
2006-07-19 03:21   290816   --a------   C:\WINDOWS\system32\ATIDEMGR.dll
2006-07-19 03:13   5136384   --a------   C:\WINDOWS\system32\atioglxx.dll
2006-06-18 14:54   36864   --a------   C:\WINDOWS\system32\frapsvid.dll
 

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="C:\\WINDOWS\\system32\\JMRaidTool.exe boot"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
@=""
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Comodo Personal Firewall"="C:\\Program Files\\Comodo\\Personal Firewall\\CPF.exe sysrestart"
"Comodo Launch Pad Tray"="C:\\Program Files\\Comodo\\LaunchPad\\CLPTray.exe"
"kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Steam"="C:\\Program Files\\Valve\\Steam\\Steam.exe -silent"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"Alcmtr"="ALCMTR.EXE"
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"EasyTuneV"="C:\\Program Files\\Gigabyte\\ET5\\GUI.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
 
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
 
Completion time: 31/08/2006  9:04:30.81
ComboFix.txt



Logfile of HijackThis v1.99.1
Scan saved at 20:50:16, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\B\Desktop\analyze.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155766136796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9E39900-48F2-4505-996B-A69666BF7069}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
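A practitioner reading a HijackThis log like the one above usually wants the autostart lines (O2 BHOs, O4 Run keys, O20 Winlogon Notify, O23 services) pulled out and sorted by what needs a second look. The following is an added example and is not part of the thread, nor code from HijackThis itself. The sample lines are constructed in the v1.99 line format and modelled on the log above; the last two (a Run entry in a Temp folder, an unnamed Winlogon Notify DLL) are hypothetical and exist only to exercise the checks. The checks are prompts, not verdicts: the real log's `(no name)` BHO is Spybot's SDHelper.dll, which is legitimate, and the `(file missing)` on the AVP service line reflects the mangled quoting HijackThis printed, so each flagged line still needs a human decision.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 line format, modelled on the log posted
# above. The last two lines are hypothetical entries added only to exercise the
# checks; they are not from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\B\Local Settings\Temp\svchost.exe
O20 - Winlogon Notify: (no name) - C:\WINDOWS\system32\example.dll
"""

# Where an autostart binary is normally expected to live on an XP box. Real logs
# also show the 8.3 short form (PROGRA~1), so it must be accepted as well.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^.*?\[(?P<name>.*?)\]\s*(?P<cmd>.*)$")
# First absolute Windows path ending in a binary extension; a quote ends it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx|cpl)\b', re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # O2 (BHO), O4 (Run key), O20 (Winlogon Notify), O23 (service)
    name: str
    path: str
    raw: str    # text after the section label, kept for the "(file missing)" check
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Parse one O2/O4/O20/O23 line; other HijackThis sections are ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "O4":
        o4 = O4_RE.match(rest)
        if not o4:
            return None
        name, tail = o4.group("name"), o4.group("cmd")
    elif kind in ("O2", "O20", "O23"):
        _, _, tail = rest.partition(": ")      # drop "BHO:", "Service:", ...
        name = tail.split(" - ")[0]
    else:
        return None
    pm = PATH_RE.search(tail)
    return Entry(kind, name, pm.group(0) if pm else "", tail)


def triage(entry: Entry) -> Entry:
    """Attach review flags. These are prompts for a human, not verdicts."""
    if "(file missing)" in entry.raw.lower():
        entry.flags.append("file missing")
    if not entry.path:
        entry.flags.append("no path parsed")
    elif not entry.path.lower().startswith(TRUSTED_ROOTS):
        entry.flags.append("outside Windows/Program Files")
    if entry.name.lower() == "(no name)":
        entry.flags.append("unnamed entry")
    return entry


def triage_log(text: str) -> list:
    return [triage(e) for e in (parse_line(l) for l in text.splitlines()) if e]


def flagged(text: str) -> dict:
    """Map 'kind:name' -> flags for every entry that deserves a second look."""
    return {f"{e.kind}:{e.name}": e.flags for e in triage_log(text) if e.flags}


if __name__ == "__main__":
    for key, flags in flagged(SAMPLE_LOG).items():
        print(f"{key:40} {', '.join(flags)}")
```

Run it against a saved hijackthis.log by reading the file into `flagged()`. The trusted-root list is deliberately short; a Temp, Application Data or Documents path on an XP machine is the first thing to check against the file dates in the ComboFix listing above.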

Offline Benf

trouble, trouble, trouble!
« Reply #13 on: September 01, 2006, 03:04:58 PM »
Just had Kaspersky give an alert for this one too:

Trojan.Win32.Small.js

Kaspersky log:


Protection
----------
Total scanned:   26013
Detected:   9
Untreated:   1
Start time:   01/09/2006 20:25:39
Duration:   00:37:59


Detected
--------
Status   Object
------   ------
deleted: Trojan program Trojan-Downloader.Win32.Zlob.agf   File: C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024879.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.agf   File: C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024893.exe
deleted: virus Email-Worm.Win32.NetSky.q   Mail body: C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst\Personal Folders\Top of Personal Folders\Inbox\[From:[email protected]][Subject:????????][Time:2006/07/30 23:27:18]\PlainBody/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip\document.txt                                                                   .exe
deleted: Trojan program Trojan-Dropper.Win32.Agent.avl   File: C:\Documents and Settings\B\Desktop\combofix.exe/PE_Patch.UPX/UPX
detected: Trojan program Trojan-Dropper.Win32.Agent.avl   File: C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\C5Q3O1QJ\combofix[1].exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan.Win32.Small.js   File: C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024941.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.da   File: C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025129.dll
deleted: Trojan program Trojan.Win32.Small.js   File: C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025130.exe
deleted: virus Packed.Win32.Klone.g   File: C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025131.dll/PE_Patch.PECompact/PecBundle/PECompact


Events
------
Time   Event
----   -----
29/08/2006 20:25:57   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
29/08/2006 20:28:27   Update completed successfully.
29/08/2006 20:31:06   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
29/08/2006 20:31:26   Process  (PID 4) tried to access Kaspersky Anti-Virus 6.0 process (PID 1604), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
29/08/2006 20:33:11   Please restart your computer to complete the installation of new or updated protection components.
29/08/2006 20:33:11   Update completed successfully.
29/08/2006 20:57:06   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
29/08/2006 20:57:37   Process  (PID 4) tried to access Kaspersky Anti-Virus 6.0 process (PID 1676), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
29/08/2006 21:33:22   Some protection services are disabled.
29/08/2006 21:35:47   Update error: cannot establish connection.
29/08/2006 21:38:09   Kaspersky Anti-Virus 6.0 is not activated.
29/08/2006 21:39:19   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
29/08/2006 21:39:25   Some protection services are disabled.
29/08/2006 23:05:07   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
29/08/2006 23:05:11   Some protection services are disabled.
29/08/2006 23:27:13   Update completed successfully.
30/08/2006 21:59:02   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
30/08/2006 21:59:02   Some protection services are disabled.
30/08/2006 22:12:52   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
30/08/2006 22:12:53   Some protection services are disabled.
30/08/2006 22:14:24   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
30/08/2006 22:14:24   Some protection services are disabled.
30/08/2006 23:18:00   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
30/08/2006 23:18:00   Some protection services are disabled.
30/08/2006 23:26:02   Update completed successfully.
31/08/2006 08:20:21   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
31/08/2006 08:20:21   Some protection services are disabled.
31/08/2006 08:56:42   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
31/08/2006 08:56:43   Some protection services are disabled.
31/08/2006 09:29:12   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
31/08/2006 09:29:13   Some protection services are disabled.
31/08/2006 21:08:11   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
31/08/2006 21:08:11   Some protection services are disabled.
31/08/2006 21:39:49   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024879.exe: detected Trojan program Trojan-Downloader.Win32.Zlob.agf
31/08/2006 21:39:49   Security threats have been detected. You are advised to neutralize them immediately.
31/08/2006 22:15:37   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024879.exe: deleted
31/08/2006 22:26:41   Process  (PID 1772) tried to access Kaspersky Anti-Virus 6.0 process (PID 1720), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
31/08/2006 22:27:41   Process  (PID 2348) tried to access Kaspersky Anti-Virus 6.0 process (PID 1720), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
31/08/2006 22:27:41   Process  (PID 2348) tried to access Kaspersky Anti-Virus 6.0 process (PID 2128), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
31/08/2006 22:29:06   Process  (PID 1676) tried to access Kaspersky Anti-Virus 6.0 process (PID 1720), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
31/08/2006 22:29:06   Process  (PID 1676) tried to access Kaspersky Anti-Virus 6.0 process (PID 2128), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
31/08/2006 23:02:50   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024893.exe: detected Trojan program Trojan-Downloader.Win32.Zlob.agf
31/08/2006 23:02:50   Security threats have been detected. You are advised to neutralize them immediately.
31/08/2006 23:03:47   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024893.exe: deleted
31/08/2006 23:09:32   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
31/08/2006 23:09:33   Some protection services are disabled.
31/08/2006 23:12:31   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
31/08/2006 23:12:31   Some protection services are disabled.
31/08/2006 23:14:47   Mail body C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst\Personal Folders\Top of Personal Folders\Inbox\[From:[email protected]][Subject:????????][Time:2006/07/30 23:27:18]\PlainBody/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip\document.txt                                                                   .exe: detected virus Email-Worm.Win32.NetSky.q
31/08/2006 23:14:47   Security threats have been detected. You are advised to neutralize them immediately.
31/08/2006 23:14:47   Mail body C:\Documents and Settings\B\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst\Personal Folders\Top of Personal Folders\Inbox\[From:[email protected]][Subject:????????][Time:2006/07/30 23:27:18]\PlainBody/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip\document.txt                                                                   .exe: is not disinfected, postponed
31/08/2006 23:15:36   Mail body c:\documents and settings\b\local settings\application data\microsoft\outlook\outlook.pst\Personal Folders\Top of Personal Folders\Inbox\[From:[email protected]][Subject:Message is infected : ????????][Time:2006/07/30 23:27:18]\PlainBody/[From [email protected]][Date Mon, 31 Jul 2006 06:27:17 +0800]/UNNAMED/buse_list.zip\document.txt                                                                   .exe: detected virus Email-Worm.Win32.NetSky.q
31/08/2006 23:19:08   Mail body c:\documents and settings\b\local settings\application data\microsoft\outlook\outlook.pst\Personal Folders\Top of Personal Folders\Inbox\[From:[email protected]][Subject:Message is infected : ????????][Time:2006/07/30 23:27:18]\PlainBody: deleted
31/08/2006 23:22:44   Process  (PID 608) tried to access Kaspersky Anti-Virus 6.0 process (PID 1672), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
31/08/2006 23:22:44   Process  (PID 608) tried to access Kaspersky Anti-Virus 6.0 process (PID 2332), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
31/08/2006 23:26:04   Update completed successfully.
31/08/2006 23:37:29   File C:\Documents and Settings\B\Desktop\combofix.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Dropper.Win32.Agent.avl
31/08/2006 23:37:29   Security threats have been detected. You are advised to neutralize them immediately.
31/08/2006 23:39:00   File C:\Documents and Settings\B\Desktop\combofix.exe: deleted
01/09/2006 08:06:40   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
01/09/2006 08:06:40   Some protection services are disabled.
01/09/2006 20:08:00   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
01/09/2006 20:08:01   Some protection services are disabled.
01/09/2006 20:22:29   Process  (PID 412) tried to access Kaspersky Anti-Virus 6.0 process (PID 1668), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
01/09/2006 20:22:29   Process  (PID 412) tried to access Kaspersky Anti-Virus 6.0 process (PID 2096), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
01/09/2006 20:25:38   A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
01/09/2006 20:25:39   Some protection services are disabled.
01/09/2006 20:39:32   File C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\C5Q3O1QJ\combofix[1].exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Dropper.Win32.Agent.avl
01/09/2006 20:39:32   Security threats have been detected. You are advised to neutralize them immediately.
01/09/2006 20:40:00   File C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\C5Q3O1QJ\combofix[1].exe/PE_Patch.UPX/UPX cannot be deleted
01/09/2006 20:47:24   File C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\C5Q3O1QJ\combofix[1].exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Dropper.Win32.Agent.avl
01/09/2006 20:47:34   File C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\C5Q3O1QJ\combofix[1].exe cannot be deleted
01/09/2006 20:54:56   Process  (PID 3544) tried to access Kaspersky Anti-Virus 6.0 process (PID 1912), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
01/09/2006 20:54:56   Process  (PID 3544) tried to access Kaspersky Anti-Virus 6.0 process (PID 2028), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
01/09/2006 21:00:45   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024941.exe: detected Trojan program Trojan.Win32.Small.js
01/09/2006 21:02:19   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024941.exe: deleted
01/09/2006 21:02:19   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025129.dll: detected adware not-a-virus:AdWare.Win32.Virtumonde.da
01/09/2006 21:02:30   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025129.dll: deleted
01/09/2006 21:02:30   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025130.exe: detected Trojan program Trojan.Win32.Small.js
01/09/2006 21:02:36   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025130.exe: deleted
01/09/2006 21:02:36   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025131.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
01/09/2006 21:02:36   File C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025131.dll: deleted


Reports
-------
Task   Status   Start   Finish   Size
----   ------   -----   ------   ----
Proactive Defense   running   01/09/2006 20:25:39      0 bytes
File Anti-Virus   running   01/09/2006 20:25:39      3.7 MB
Mail Anti-Virus   running   01/09/2006 20:25:39      16.2 KB
Scan Startup Objects   completed   01/09/2006 20:27:53   01/09/2006 20:28:08   629.3 KB


Quarantine
----------
Status   Object   Size   Added
------   ------   ----   -----


Backup
------
Status   Object   Size
------   ------   ----
Infected: Trojan program Trojan-Dropper.Win32.Agent.avl   C:\Documents and Settings\B\Desktop\combofix.exe   291.5 KB
Infected: adware not-a-virus:AdWare.Win32.Virtumonde.da   C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025129.dll   560 KB
Infected: virus Email-Worm.Win32.NetSky.q   c:\documents and settings\b\local settings\application data\microsoft\outlook\outlook.pst   114.3 MB
Infected: Trojan program Trojan.Win32.Small.js   C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024941.exe   11.5 KB
Infected: Trojan program Trojan.Win32.Small.js   C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025130.exe   11.5 KB
Infected: Trojan program Trojan-Downloader.Win32.Zlob.agf   C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024879.exe   5 KB
Infected: Trojan program Trojan-Downloader.Win32.Zlob.agf   C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0024893.exe   35.5 KB
Infected: Trojan program Trojan-Dropper.Win32.Agent.avl   C:\Documents and Settings\B\Local Settings\Temporary Internet Files\Content.IE5\C5Q3O1QJ\combofix[1].exe   291.5 KB
Infected: virus Packed.Win32.Klone.g   C:\System Volume Information\_restore{444CBD36-52CF-40A8-93B1-D5E65AE5E630}\RP70\A0025131.dll   18.5 KB
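The summary at the top of the Kaspersky report says "Detected: 9, Untreated: 1", and the only way to find the one left behind is to replay the Events section: a detection is resolved only when a later event says "deleted" for the same object, and "cannot be deleted" or "is not disinfected, postponed" leaves it open. Two details of the format matter. Kaspersky names nested layers with "/" (the `/PE_Patch.UPX/UPX` packer layers on combofix[1].exe, the `/[From ...]/UNNAMED/buse_list.zip` mail parts), and it logs the deletion against the outermost object (the mail body's `PlainBody`, `combofix[1].exe` without its packer suffix), so events must be keyed on the container, not the full string. The following is an added example, not code from the thread or from Kaspersky. The event lines are constructed in the layout of the report above with shortened placeholder paths; the sequence mirrors the detect, postpone, delete and cannot-be-deleted outcomes that the real log shows.

```python
import re

# Constructed events in the layout of the Kaspersky Anti-Virus 6.0 report above
# (timestamp, whitespace, event text). Paths are shortened placeholders, not the
# machine's real paths; the sequence mirrors the outcomes seen in the thread.
SAMPLE_EVENTS = r"""
31/08/2006 21:39:49   File C:\SVI\RP70\A0024879.exe: detected Trojan program Trojan-Downloader.Win32.Zlob.agf
31/08/2006 22:15:37   File C:\SVI\RP70\A0024879.exe: deleted
31/08/2006 23:14:47   Mail body C:\Outlook.pst\Inbox\msg1\PlainBody/[From sender]/UNNAMED/buse_list.zip\document.txt.exe: detected virus Email-Worm.Win32.NetSky.q
31/08/2006 23:14:47   Mail body C:\Outlook.pst\Inbox\msg1\PlainBody/[From sender]/UNNAMED/buse_list.zip\document.txt.exe: is not disinfected, postponed
31/08/2006 23:19:08   Mail body C:\Outlook.pst\Inbox\msg1\PlainBody: deleted
01/09/2006 20:39:32   File C:\Temp\combofix[1].exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Dropper.Win32.Agent.avl
01/09/2006 20:40:00   File C:\Temp\combofix[1].exe/PE_Patch.UPX/UPX cannot be deleted
01/09/2006 20:47:34   File C:\Temp\combofix[1].exe cannot be deleted
01/09/2006 21:02:19   File C:\SVI\RP70\A0025129.dll: detected adware not-a-virus:AdWare.Win32.Virtumonde.da
01/09/2006 21:02:30   File C:\SVI\RP70\A0025129.dll: deleted
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<type>File|Mail body) (?P<obj>.+?)"
    r"(?:: (?P<action>detected .+|deleted|is not disinfected, postponed)"
    r"| (?P<fail>cannot be deleted))$"
)


def container(obj: str) -> str:
    """Kaspersky separates nested layers (archive, packer, mail part) with '/'
    and logs the deletion against the outermost object, so key on that."""
    return obj.split("/")[0]


def reconcile(text: str):
    """Replay the event stream; return ({container: state}, {container: threat})."""
    state, threat = {}, {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue                      # advisory lines, update notices, ...
        key = container(m.group("obj"))
        action = m.group("action") or m.group("fail")
        if action.startswith("detected "):
            threat[key] = action[len("detected "):]
            state.setdefault(key, "untreated")
        elif action == "deleted":
            state[key] = "deleted"
        elif action == "cannot be deleted":
            state[key] = "untreated"
        else:                             # postponed: open until a later event resolves it
            if state.get(key) != "deleted":
                state[key] = "postponed"
    return state, threat


def untreated(text: str) -> dict:
    """Objects detected but never reported deleted: the actual to-do list."""
    state, threat = reconcile(text)
    return {k: threat.get(k, "?") for k, s in state.items() if s != "deleted"}


if __name__ == "__main__":
    for obj, name in untreated(SAMPLE_EVENTS).items():
        print(f"{obj}: {name}")
```

On the report above this leaves exactly one object open, the cached `combofix[1].exe` in Temporary Internet Files, which is what the summary's "Untreated: 1" refers to. Whether that detection is worth acting on is a separate question from whether it was treated; the sequence of events only tells you what the scanner did, not whether its verdict was right.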

Offline guestolo

  • Administrator
trouble, trouble, trouble!
« Reply #14 on: September 01, 2006, 11:57:16 PM »
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
Post the whole report from Dr.Web

Sorry, that was meant for a different user
How is everything running on your end?

Can you redownload Combofix please and post a new log from it, thanks
« Last Edit: September 03, 2006, 04:14:41 PM by guestolo »



Offline Benf

trouble, trouble, trouble!
« Reply #15 on: September 07, 2006, 04:52:14 AM »
Thank you very much for all your help. I think I am OK now. I got rid of Comodo and it appears that was causing the network problems, so I am now running Windows Firewall with Kaspersky AV and it seems OK. Thanks again.

Ben

Offline the one and only

trouble, trouble, trouble!
« Reply #16 on: September 07, 2006, 06:10:29 AM »
syyy

