Help!

virus

stephy5214



Joined: Jan 05, 2009
Posts: 7



PostPosted: Mon Jan 05, 2009 3:10 pm    Post subject: virus

Here is what the virus is doing:

1) Even though popup blocker is on full, I am still getting popups.

2) Every now and then my windows close for no reason.

3) Norton and Malware are not removing the virus completely; each time they are run, the virus count discovered increases.

4) The computer freezes a lot more than usual.

5) My desktop background changed to saying that I need to check my computer with a special program which I believe is actually part of the virus.

Here is the HijackThis log I just ran:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:33 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\D-Link\AirPlus XtremeG DWL-G132\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: {eafc0fe8-a154-9f18-6494-1d90c9dd05fe} - {ef50dd9c-09d1-4946-81f9-451a8ef0cfae} - C:\WINDOWS\system32\yiwtnn.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G132] C:\Program Files\D-Link\AirPlus XtremeG DWL-G132\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cli.../wuweb_
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/muwe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11813 bytes
greyknight17



Joined: Feb 03, 2003
Posts: 5523

Location: Brooklyn, NY

PostPosted: Mon Jan 05, 2009 8:26 pm    Post subject:

Welcome to Lockergnome.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download LSPFix http://www.greyknight17.com/spy/LSPFix.exe and run it. Check the box that says I know what I'm doing. Click on ntdll64.dll on the left window and then click on the arrow pointing to the right. Click Finish and follow the prompts.

Download Malwarebytes' Anti-Malware at http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Viewpoint

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: {eafc0fe8-a154-9f18-6494-1d90c9dd05fe} - {ef50dd9c-09d1-4946-81f9-451a8ef0cfae} - C:\WINDOWS\system32\yiwtnn.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\yiwtnn.dll
C:\WINDOWS\system32\msiconf.exe
C:\Program Files\Viewpoint\


Download SDFix at http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.
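The entries greyknight17 singles out in the reply above share a few shapes that can be checked mechanically rather than by eye: a BHO whose display name is a GUID instead of a product name, a toolbar registration with no file behind it, a Run value that is a bare filename resolved through PATH, a Run value in the SYSTEM or Default User hive whose name mimics msiexec.exe while launching something else, and an unknown Winsock LSP loaded from a temp directory. The script below is an added example for this thread; it is not part of the original posts and is not HijackThis's own code. It parses SAMPLE_LOG, a handful of lines constructed by copying entries from the log posted above, and applies those rules. The allowlist of core XP process names, the two severity labels and the function names are the example's own assumptions.

```python
"""Triage a HijackThis v2 log for the indicators a removal helper checks first.

Added example for this thread; not part of the original posts or of HijackThis.
SAMPLE_LOG is constructed from a few lines copied from the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ntdll64.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {eafc0fe8-a154-9f18-6494-1d90c9dd05fe} - {ef50dd9c-09d1-4946-81f9-451a8ef0cfae} - C:\WINDOWS\system32\yiwtnn.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
"""

# Assumed allowlist of core Windows XP processes that legitimately run from
# %WINDIR% or system32; anything else running from there gets a "verify" finding.
CORE_XP_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "userinit.exe", "explorer.exe", "spoolsv.exe",
    "ctfmon.exe", "alg.exe", "wmiprvse.exe",
}

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PROCESS_RE = re.compile(r"^[a-z]:\\", re.I)
# O4 - <hive>\..\Run[Once]: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high": fix/delete; "verify": confirm the publisher before acting
    section: str    # HijackThis section code, or "process" for the running-process list
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path that contains spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_process(line: str) -> Finding | None:
    directory, _, name = line.lower().rpartition("\\")
    if directory.endswith(("\\windows", "\\windows\\system32")) and name not in CORE_XP_PROCESSES:
        return Finding("verify", "process",
                       "runs from the Windows directory but is not a core XP binary; confirm publisher or hash", line)
    return None


def check_o4(line: str, m: re.Match) -> list[Finding]:
    hive, name, exe = m["hive"].upper(), m["name"], executable_of(m["cmd"])
    base = exe.rpartition("\\")[2].lower()
    out = []
    if "\\" not in exe:   # no directory: resolved via PATH at logon, so the real file must be located
        out.append(Finding("verify", "O4", "bare filename resolved through PATH at logon; locate and inspect the file", line))
    if hive.startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
        out.append(Finding("high", "O4", "autostart in the SYSTEM / Default User hive, which user software rarely uses", line))
    if name.lower().endswith(".exe") and name.lower() != base:
        out.append(Finding("high", "O4", f"value name {name!r} mimics a Windows binary but launches {base!r}", line))
    return out


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):          # running-process list, one full path per line
            f = check_process(line)
            if f:
                findings.append(f)
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(check_o4(line, m))
        elif line.startswith("O2 - BHO: "):
            display = line[len("O2 - BHO: "):].split(" - ", 1)[0]
            if GUID_RE.match(display):
                findings.append(Finding("high", "O2", "BHO registered with a GUID instead of a product name", line))
        elif line.startswith("O3 - Toolbar: ") and line.endswith("(no file)"):
            findings.append(Finding("verify", "O3", "toolbar registration points at a missing DLL; orphaned, safe to remove", line))
        elif line.startswith("O10 - Unknown file in Winsock LSP: "):
            in_temp = "\\temp\\" in line.rsplit(": ", 1)[1].lower()
            findings.append(Finding("high" if in_temp else "verify", "O10",
                                    "unknown LSP loads into every Winsock-using process"
                                    + ("; it lives in a temp directory" if in_temp else "; confirm publisher"), line))
        elif line.startswith("O23 - Service: ") and " - Unknown owner - " in line:
            findings.append(Finding("verify", "O23", "service binary carries no publisher string; confirm before removing", line))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "high"):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

The "verify" bucket is deliberately separate from "high": hkcmd.exe (Intel graphics hotkeys) and Symantec Core LC show up in it on this very log and are legitimate, so those findings are a prompt to check a publisher or hash, not a removal list. Note also that an O10 entry is a Winsock catalog registration, not just a file: deleting ntdll64.dll from the temp folder while leaving the catalog entry in place leaves a broken LSP chain that can stop all networking, which is why the reply above uses LSPFix to unhook it first.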
stephy5214



Joined: Jan 05, 2009
Posts: 7



PostPosted: Mon Jan 05, 2009 9:57 pm    Post subject:

When going to the site http://www.greyknight17.com/spy/LSPFix.exe, the inner link of ntdll64.dll is not there.
greyknight17



Joined: Feb 03, 2003
Posts: 5523

Location: Brooklyn, NY

PostPosted: Tue Jan 06, 2009 2:32 pm    Post subject:

Skip that part for now. Proceed with all the remaining steps.
stephy5214



Joined: Jan 05, 2009
Posts: 7



PostPosted: Tue Jan 06, 2009 6:51 pm    Post subject:

Thank you for your help.

SDFix: Version 1.240
Run by Fou_ on Tue 01/06/2009 at 06:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP10.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP13.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP1C.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP1D.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP1E.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP4D.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP4E.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP4F.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP52.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP56.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP57.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP58.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP65.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP66.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP67.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP77.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP79.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP7B.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP7E.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP80.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPA.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPB.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPD.tmp - Deleted
C:\WINDOWS\system32\13.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 18:51:17
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 80 ..SHR --- "C:\WINDOWS\system32\0AB7A1A76B.dll"
Thu 7 Aug 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 11 Sep 2008 11,102 ...H. --- "C:\Documents and Settings\Fou_\Desktop\Boyd\~WRL2432.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Tue 6 Jan 2009 10,703,680 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1c4d287cb5e1d3fe5a44ef46a2ff751a\BIT4.tmp"
Wed 25 Jun 2008 50,176 ...H. --- "C:\Documents and Settings\Fou_\Application Data\Microsoft\Word\~WRL1484.tmp"
Tue 22 Apr 2008 53,760 ...H. --- "C:\Documents and Settings\Fou_\Application Data\Microsoft\Word\~WRL2936.tmp"
Sun 30 Sep 2007 50,688 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0165.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0263.tmp"
Fri 13 Jul 2007 34,304 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0560.tmp"
Fri 13 Jul 2007 47,616 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0635.tmp"
Mon 16 Jul 2007 130,048 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0637.tmp"
Sun 8 Jul 2007 43,008 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0844.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0850.tmp"
Mon 1 Oct 2007 67,072 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1036.tmp"
Tue 10 Jul 2007 71,168 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1145.tmp"
Fri 13 Jul 2007 34,304 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1185.tmp"
Wed 18 Jul 2007 34,816 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1583.tmp"
Tue 9 Oct 2007 54,272 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1590.tmp"
Fri 13 Jul 2007 115,712 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1727.tmp"
Tue 10 Jul 2007 70,144 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1732.tmp"
Mon 16 Jul 2007 130,048 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1745.tmp"
Sun 30 Sep 2007 47,104 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1763.tmp"
Fri 13 Jul 2007 45,056 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1841.tmp"
Sun 30 Sep 2007 39,424 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1986.tmp"
Fri 13 Jul 2007 47,616 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2053.tmp"
Wed 11 Jul 2007 56,320 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2453.tmp"
Tue 10 Jul 2007 70,656 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2483.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2494.tmp"
Tue 10 Jul 2007 74,752 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2586.tmp"
Fri 27 Jul 2007 67,584 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2666.tmp"
Sat 29 Sep 2007 46,592 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2744.tmp"
Thu 28 Jun 2007 41,472 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2910.tmp"
Fri 13 Jul 2007 45,056 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3008.tmp"
Fri 13 Jul 2007 43,520 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3019.tmp"
Fri 13 Jul 2007 33,280 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3249.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3288.tmp"
Wed 11 Jul 2007 44,032 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3299.tmp"
Sat 30 Jun 2007 115,200 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3355.tmp"
Tue 10 Jul 2007 74,752 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3431.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3435.tmp"
Fri 13 Jul 2007 49,664 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3522.tmp"
Mon 16 Jul 2007 130,048 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3635.tmp"
Tue 10 Jul 2007 69,120 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3816.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3869.tmp"
Fri 13 Jul 2007 42,496 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3905.tmp"
Sun 30 Sep 2007 51,200 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL4064.tmp"
Fri 13 Jul 2007 49,664 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL4080.tmp"
Mon 1 Oct 2007 18,944 A..H. --- "C:\Documents and Settings\Fou_\Desktop\Zip drive\Word\Lesson 10\~WRL3080.tmp"
Mon 1 Oct 2007 20,480 A..H. --- "C:\Documents and Settings\Fou_\Desktop\Zip drive\Word\Lesson 10\~WRL3230.tmp"
Sun 13 Apr 2008 11,355 A..H. --- "C:\Documents and Settings\Fou_\Desktop\Copy of files\Active files\Kachua\Abby's Party\~WRL0074.tmp"
Mon 2 Jun 2008 14,131 ...H. --- "C:\Documents and Settings\Fou_\Desktop\Copy of files\Active files\Kachua\Kachua's House\~WRL0624.tmp"
Sat 3 May 2008 12,917 ...H. --- "C:\Documents and Settings\Fou_\Desktop\Copy of files\Active files\Kachua\Kachua's Party\~WRL0005.tmp"

Finished!


And here's the HijackThis log:

SDFix: Version 1.240
Run by Fou_ on Tue 01/06/2009 at 06:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP10.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP12.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP13.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP1C.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP1D.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP1E.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP4D.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP4E.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP4F.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP52.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP56.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP57.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP58.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP65.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP66.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP67.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP77.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP79.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP7B.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP7E.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP80.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPA.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPB.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\Fou_\LOCALS~1\Temp\TMPD.tmp - Deleted
C:\WINDOWS\system32\13.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 18:51:17
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 80 ..SHR --- "C:\WINDOWS\system32\0AB7A1A76B.dll"
Thu 7 Aug 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 11 Sep 2008 11,102 ...H. --- "C:\Documents and Settings\Fou_\Desktop\Boyd\~WRL2432.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Tue 6 Jan 2009 10,703,680 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1c4d287cb5e1d3fe5a44ef46a2ff751a\BIT4.tmp"
Wed 25 Jun 2008 50,176 ...H. --- "C:\Documents and Settings\Fou_\Application Data\Microsoft\Word\~WRL1484.tmp"
Tue 22 Apr 2008 53,760 ...H. --- "C:\Documents and Settings\Fou_\Application Data\Microsoft\Word\~WRL2936.tmp"
Sun 30 Sep 2007 50,688 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0165.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0263.tmp"
Fri 13 Jul 2007 34,304 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0560.tmp"
Fri 13 Jul 2007 47,616 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0635.tmp"
Mon 16 Jul 2007 130,048 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0637.tmp"
Sun 8 Jul 2007 43,008 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0844.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL0850.tmp"
Mon 1 Oct 2007 67,072 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1036.tmp"
Tue 10 Jul 2007 71,168 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1145.tmp"
Fri 13 Jul 2007 34,304 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1185.tmp"
Wed 18 Jul 2007 34,816 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1583.tmp"
Tue 9 Oct 2007 54,272 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1590.tmp"
Fri 13 Jul 2007 115,712 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1727.tmp"
Tue 10 Jul 2007 70,144 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1732.tmp"
Mon 16 Jul 2007 130,048 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1745.tmp"
Sun 30 Sep 2007 47,104 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1763.tmp"
Fri 13 Jul 2007 45,056 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1841.tmp"
Sun 30 Sep 2007 39,424 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL1986.tmp"
Fri 13 Jul 2007 47,616 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2053.tmp"
Wed 11 Jul 2007 56,320 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2453.tmp"
Tue 10 Jul 2007 70,656 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2483.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2494.tmp"
Tue 10 Jul 2007 74,752 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2586.tmp"
Fri 27 Jul 2007 67,584 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2666.tmp"
Sat 29 Sep 2007 46,592 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2744.tmp"
Thu 28 Jun 2007 41,472 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL2910.tmp"
Fri 13 Jul 2007 45,056 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3008.tmp"
Fri 13 Jul 2007 43,520 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3019.tmp"
Fri 13 Jul 2007 33,280 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3249.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3288.tmp"
Wed 11 Jul 2007 44,032 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3299.tmp"
Sat 30 Jun 2007 115,200 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3355.tmp"
Tue 10 Jul 2007 74,752 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3431.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3435.tmp"
Fri 13 Jul 2007 49,664 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3522.tmp"
Mon 16 Jul 2007 130,048 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3635.tmp"
Tue 10 Jul 2007 69,120 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3816.tmp"
Tue 10 Jul 2007 73,728 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3869.tmp"
Fri 13 Jul 2007 42,496 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL3905.tmp"
Sun 30 Sep 2007 51,200 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL4064.tmp"
Fri 13 Jul 2007 49,664 A..H. --- "C:\Documents and Settings\Fou_\Desktop\RP Files\Kachua's Files\~WRL4080.tmp"
Mon 1 Oct 2007 18,944 A..H. --- "C:\Documents and Settings\Fou_\Desktop\Zip drive\Word\Lesson 10\~WRL3080.tmp"
Mon 1 Oct 2007 20,480 A..H. --- "C:\Documents and Settings\Fou_\Desktop\Zip drive\Word\Lesson 10\~WRL3230.tmp"
Sun 13 Apr 2008 11,355 A..H. --- "C:\Documents and Settings\Fou_\Desktop\Copy of files\Active files\Kachua\Abby's Party\~WRL0074.tmp"
Mon 2 Jun 2008 14,131 ...H. --- "C:\Documents and Settings\Fou_\Desktop\Copy of files\Active files\Kachua\Kachua's House\~WRL0624.tmp"
Sat 3 May 2008 12,917 ...H. --- "C:\Documents and Settings\Fou_\Desktop\Copy of files\Active files\Kachua\Kachua's Party\~WRL0005.tmp"

Finished!
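An added example, not part of stephy5214's post and not SDFix code: the "Files with Hidden Attributes" block above is the part of an SDFix report that rewards a second look, and this script parses those lines (date, size, attribute letters, quoted path) and ranks them. The five sample lines are copied from the report above; the ranking rules are mine, not SDFix's: Word's ~WRL*.tmp autosave leftovers and the Windows Update download cache are treated as benign, while a file under system32 carrying the System attribute is flagged for review, with extra weight if it is tiny or has a hex-looking name.

```python
"""Triage the "Files with Hidden Attributes" block of an SDFix report.

Added example for this thread, not SDFix code. SDFix only lists the
files; the parser and the ranking rules below (which locations and
attribute combinations deserve a closer look) are the author's.
"""
import re
from dataclasses import dataclass

# One SDFix line: <Dow> <d> <Mon> <yyyy> <size> <attrs> --- "<path>"
# attrs is five characters drawn from A (archive), S (system), H (hidden),
# R (read-only), with '.' standing for an unset bit.
LINE_RE = re.compile(
    r'^(?P<date>[A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4})\s+'
    r'(?P<size>[\d,]+)\s+'
    r'(?P<attrs>[A-Z.]{5})\s+---\s+'
    r'"(?P<path>[^"]+)"\s*$'
)

# Constructed sample: five lines copied from the SDFix report above.
SAMPLE = r'''
Mon 28 Jan 2008 80 ..SHR --- "C:\WINDOWS\system32\0AB7A1A76B.dll"
Thu 7 Aug 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 11 Sep 2008 11,102 ...H. --- "C:\Documents and Settings\Fou_\Desktop\Boyd\~WRL2432.tmp"
Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Tue 6 Jan 2009 10,703,680 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1c4d287cb5e1d3fe5a44ef46a2ff751a\BIT4.tmp"
'''

HEX_NAME_RE = re.compile(r'[0-9a-f]{8,}\.(dll|sys|exe)')


@dataclass
class HiddenFile:
    date: str
    size: int
    attrs: frozenset
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit('\\', 1)[-1]


def parse_line(line: str):
    """Return a HiddenFile for an SDFix attribute line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HiddenFile(
        date=m['date'],
        size=int(m['size'].replace(',', '')),
        attrs=frozenset(c for c in m['attrs'] if c != '.'),
        path=m['path'],
    )


def classify(f: HiddenFile):
    """Return (verdict, reason). These rules are the author's assumptions."""
    low = f.path.lower()
    name = f.name.lower()
    if name.startswith('~wrl') and name.endswith('.tmp'):
        return 'benign', 'Word autosave leftover (~WRL*.tmp)'
    if '\\softwaredistribution\\download\\' in low:
        return 'benign', 'Windows Update download cache'
    if '\\windows\\system32\\' in low and 'S' in f.attrs:
        reasons = ['system+hidden file in system32']
        if f.size < 4096:
            reasons.append('tiny (%d bytes)' % f.size)
        if HEX_NAME_RE.fullmatch(name):
            reasons.append('hex-looking name')
        return 'review', ', '.join(reasons)
    return 'info', 'hidden file outside the known-benign patterns'


def triage(report: str):
    """Parse every attribute line in a report and return [(verdict, path, reason)]."""
    out = []
    for line in report.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        verdict, reason = classify(f)
        out.append((verdict, f.path, reason))
    return out


if __name__ == '__main__':
    for verdict, path, reason in triage(SAMPLE):
        print(f'{verdict:6} {path}  [{reason}]')
```

Run it on a saved report with `triage(open('Report.txt').read())`. A "review" verdict is a prompt to look closer (hash the file, read its version info, compare against a clean install of the same software), not a malware call on its own.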
greyknight17



Joined: Feb 03, 2003
Posts: 5523

Location: Brooklyn, NY

PostPosted: Tue Jan 06, 2009 11:49 pm    Post subject:

1. Download combofix at http://download.bleepingcomputer.com/sUBs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Run a new HijackThis scan and post the log here for it as well.
stephy5214



Joined: Jan 05, 2009
Posts: 7



PostPosted: Thu Jan 08, 2009 3:44 pm    Post subject:

ComboFix 09-01-08.01 - Fou_ 2009-01-08 15:44:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.354 [GMT -5:00]
Running from: c:\documents and settings\Fou_\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\ikqesjag.ini
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-06 18:38 . 2009-01-06 18:38 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-06 18:35 . 2009-01-06 18:36 <DIR> d-------- c:\windows\ERUNT
2009-01-06 18:08 . 2009-01-06 18:54 <DIR> d-------- C:\SDFix
2009-01-06 14:52 . 2009-01-06 14:52 <DIR> d-------- c:\program files\Follett
2009-01-06 14:34 . 2009-01-06 14:37 <DIR> d-------- c:\windows\system32\URTTemp
2009-01-06 14:30 . 2009-01-06 14:50 <DIR> d-------- C:\GDPHOME
2009-01-06 14:30 . 2009-01-07 17:17 <DIR> d-------- C:\GDPDATA
2009-01-06 14:30 . 2009-01-06 14:30 <DIR> d-------- c:\documents and settings\Fou_\Application Data\InstallShield
2009-01-05 15:15 . 2009-01-05 15:15 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 18:30 . 2009-01-05 15:33 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2008-12-30 23:36 . 2008-12-30 23:36 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2008-12-13 12:45 . 2008-12-13 12:45 <DIR> d-------- c:\documents and settings\Fou_\Application Data\MSN6
2008-12-13 12:45 . 2008-12-13 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\MSN6
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-08 20:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 20:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-08 17:16 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-08 11:09 --------- d-----w c:\program files\Spyware Doctor
2009-01-06 22:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-06 22:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-06 19:30 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-04 23:41 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 23:41 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-10 08:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-01-28 06:39 80 --sh--r c:\windows\system32\0AB7A1A76B.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus XtremeG DWL-G132"="c:\program files\D-Link\AirPlus XtremeG DWL-G132\AirPlusCFG.exe" [2007-06-13 1314816]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-29 144792]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-04-23 160792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-06 99376]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [2008-01-24 402944]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2007-08-25 149352]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-23 337800]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2008-01-23 377920]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-05-29 23888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-08-12 38496]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2009-01-08 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Fou_.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
.
------- Supplementary Scan -------
.
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 15:53:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1316)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\HPZipm12.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-08 16:01:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 21:00:42

Pre-Run: 23,962,152,960 bytes free
Post-Run: 24,104,460,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

162 --- E O F --- 2009-01-07 22:23:15

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:15 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\AirPlus XtremeG DWL-G132\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aim toolbar 5.0\AolTbServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG DWL-G132] C:\Program Files\D-Link\AirPlus XtremeG DWL-G132\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cli.../wuweb_
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/c...nt/muwe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10548 bytes
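An added example, not part of the post above and not HijackThis code: a small parser for the O2/O3/O4/O23 lines of a HijackThis 2.0.2 log that turns each into a record (section, name, path, CLSID or vendor) and attaches a first-pass verdict. The sample lines are copied from the log above; what counts as an expected location and what gets flagged (a bare file name in a Run value, a path under the user profile, a service whose vendor shows as "Unknown owner") are my assumptions, not HijackThis rules.

```python
"""Structured triage of HijackThis 2.0.2 log lines (O2/O3/O4/O23).

Added example for this thread; it is not part of HijackThis. The parser
follows the line shapes visible in the log above; which locations count
as expected and what gets flagged are the author's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above, plus one
# R1 line to show that unhandled sections are skipped.
SAMPLE = r'''
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
'''

CLSID_RE = re.compile(r'^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$')
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$')
SVC_RE = re.compile(r'^O23 - Service: (.*)$')

# Author's assumptions about where autostart binaries are expected to live.
EXPECTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')
PROFILE_MARKERS = ('\\temp\\', '\\local settings\\', '\\application data\\')


@dataclass
class Finding:
    section: str
    name: str
    path: str
    verdict: str
    reason: str
    clsid: str = ''
    vendor: str = ''


def exe_from_command(cmd: str) -> str:
    """Executable of a Run value: the quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def judge_path(path: str):
    """(verdict, reason) for a binary location; rules are the author's."""
    low = path.lower()
    if '\\' not in low:
        return 'review', 'bare file name, resolved through the search path; confirm which copy actually runs'
    if any(m in low for m in PROFILE_MARKERS):
        return 'review', 'runs from a user-writable profile directory'
    if low.startswith(EXPECTED_ROOTS):
        return 'info', 'expected install location'
    return 'review', 'unexpected location'


def parse_line(line: str):
    """Return a Finding for an O2/O3/O4/O23 line, or None for other sections."""
    line = line.strip()
    m = CLSID_RE.match(line)
    if m:
        sect, name, clsid, path = m.groups()
        verdict, reason = judge_path(path)
        return Finding(sect, name, path, verdict, reason, clsid=clsid)
    m = RUN_RE.match(line)
    if m:
        hive, key, name, cmd = m.groups()
        path = exe_from_command(cmd)
        verdict, reason = judge_path(path)
        return Finding(f'O4 {hive}\\{key}', name, path, verdict, reason)
    m = SVC_RE.match(line)
    if m:
        parts = m.group(1).rsplit(' - ', 2)   # "<display> - <vendor> - <path>"
        if len(parts) != 3:
            return None
        name, vendor, path = parts
        if vendor == 'Unknown owner':
            verdict, reason = 'review', "vendor is 'Unknown owner' (no company name in version info); verify the binary"
        else:
            verdict, reason = judge_path(path)
        return Finding('O23', name, path, verdict, reason, vendor=vendor)
    return None


def triage(log_text: str):
    return [f for f in map(parse_line, log_text.splitlines()) if f is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f'{f.verdict:6} {f.section:12} {f.name} -> {f.path}  [{f.reason}]')
```

A "review" verdict means check the file, not remove it. The ComboFix listing above already resolves BCMSMMSG.exe to c:\windows\BCMSMMSG.exe, and symlcsvc.exe sits under the Symantec Shared tree; the HijackThis line on its own cannot tell you either, which is exactly why the script flags them.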
greyknight17



Joined: Feb 03, 2003
Posts: 5523

Location: Brooklyn, NY

PostPosted: Sun Jan 11, 2009 6:47 pm    Post subject:

Download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:

    :files
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\windows\system32\0AB7A1A76B.dll /u


  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot, choose Yes. In that case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste its contents back here in your next post.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
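An added example, not OldTimer's OTMoveIt3 and not part of greyknight17's post: a minimal Python equivalent of the ":files" list above, written to show what such a tool does under the hood. It moves each listed file or folder into a quarantine tree that mirrors the original path (nothing is deleted, so an entry that turns out to be legitimate can be put back) and writes a log in the same "moved successfully" / "not found" wording OTMoveIt3 uses. Trailing single-letter switches such as the /u above are recognised and recorded but not acted on; their OTMoveIt meaning is not reproduced here, which is this example's assumption.

```python
"""Minimal stand-in for an OTMoveIt-style ':files' move list.

Added example for this thread, not OldTimer's tool. Like OTMoveIt it
moves each listed file or folder to a quarantine area (nothing is
deleted, so a mistaken entry can be restored) and writes a log in the
same "moved successfully" / "not found" shape. Trailing single-letter
switches such as '/u' are parsed but not implemented (assumption).
"""
import os
import re
import shutil
import time

# '/u', '/s', ... are switches; a POSIX path such as '/tmp/x' is not.
SWITCH_RE = re.compile(r'^/[A-Za-z]$')


def parse_script(text: str):
    """Return [(path, [switches]), ...] from the ':files' section of a script."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(':'):
            section = line[1:].lower()
            continue
        if section != 'files':
            continue
        tokens = line.split(' ')          # paths may contain spaces, switches never do
        switches = []
        while tokens and SWITCH_RE.match(tokens[-1]):
            switches.append(tokens.pop().lower())
        entries.append((' '.join(tokens), switches))
    return entries


def quarantine_path(quarantine_dir: str, path: str) -> str:
    """Mirror the original location under the quarantine root so it can be restored."""
    rel = os.path.splitdrive(path)[1].lstrip('\\/')
    dest = os.path.join(quarantine_dir, rel)
    if os.path.lexists(dest):             # keep an earlier quarantined copy of the same path
        dest += time.strftime('.%Y%m%d%H%M%S')
    return dest


def move_entries(entries, quarantine_dir: str):
    """Move each entry into quarantine; return OTMoveIt-style result lines in order."""
    results = []
    for path, _switches in entries:
        if not os.path.lexists(path):
            results.append(f'File/Folder {path} not found.')
            continue
        dest = quarantine_path(quarantine_dir, path)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(path, dest)
        results.append(f'{path} moved successfully.')
    return results


def run_script(text: str, quarantine_dir: str):
    """Process a script and write MovedFiles/<stamp>.log; return (results, log_path)."""
    results = move_entries(parse_script(text), quarantine_dir)
    log_dir = os.path.join(quarantine_dir, 'MovedFiles')
    os.makedirs(log_dir, exist_ok=True)
    log_path = os.path.join(log_dir, time.strftime('%m%d%Y_%H%M%S') + '.log')
    with open(log_path, 'w', encoding='utf-8') as fh:
        fh.write('========== FILES ==========\n')
        fh.writelines(r + '\n' for r in results)
    return results, log_path


if __name__ == '__main__':
    import sys
    # Usage: python moveit.py list.txt   (quarantine root is ./_Quarantine, this example's choice)
    script = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else ':files\n'
    for line in run_script(script, os.path.join(os.getcwd(), '_Quarantine'))[0]:
        print(line)
```

The mirrored layout is the design point: C:\WINDOWS\system32\x.dll ends up as _Quarantine\WINDOWS\system32\x.dll, so undoing a move is a single copy back, and a second quarantine of the same path keeps the first copy under a timestamped name instead of overwriting it.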
stephy5214



Joined: Jan 05, 2009
Posts: 7



PostPosted: Mon Jan 12, 2009 6:37 pm    Post subject:

========== FILES ==========
c:\documents and settings\All Users\Application Data\Viewpoint moved successfully.
File/Folder c:\windows\system32\0AB7A1A76B.dll not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01122009_185338
greyknight17



Joined: Feb 03, 2003
Posts: 5523

Location: Brooklyn, NY

PostPosted: Mon Jan 12, 2009 6:48 pm    Post subject:

Is everything ok now? If so, I will close this topic.
stephy5214



Joined: Jan 05, 2009
Posts: 7



PostPosted: Mon Jan 12, 2009 6:57 pm    Post subject:

I believe so, yes. Thank you.
All times are Eastern Time (US & Canada).