  #11  
Old 19th Feb 2008, 11:39
Member Group
 
Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:05, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\TCM\TCM Keyboard Only\PS2USBKbdDrv.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\VM301Snap.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\trend micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LANSchoolTeacher] C:\Program Files\LANSchool\Teacher.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\TCM\TCM Keyboard Only\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM301Snap.exe Vimicro USB PC Camera (ZC0301PL)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197889408156
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E911D8D-B71D-4B09-BAAD-691C33A34AA9}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E911D8D-B71D-4B09-BAAD-691C33A34AA9}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E911D8D-B71D-4B09-BAAD-691C33A34AA9}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8546 bytes
  #12  
Old 19th Feb 2008, 11:45
Member Group
 
By the way, just as I posted that, my computer just restarted, so I am definitely thinking there is a virus on here somewhere.
  #13  
Old 19th Feb 2008, 11:47
Moderator Group
 
Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)
Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • From the keyboard select 1 and press Enter
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
  • Warning: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

----------

Next post
Combofix log

  #14  
Old 19th Feb 2008, 12:41
Member Group
 
Tried the above with ComboFix, but when do I press 1 and Enter? It didn't prompt me to.

It removed 3 items and restarted my PC automatically. But how can I get the log?
  #15  
Old 19th Feb 2008, 12:49
Moderator Group
 
Go to C:\Combofix.txt and get the log.

  #16  
Old 19th Feb 2008, 13:40
Member Group
 
ComboFix 08-02-20.1 - Jonathon 2008-02-20 19:15:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.593 [GMT 0:00]
Running from: C:\Documents and Settings\Jonathon\Desktop\ComboFix(2).exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF




((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-20 19:15 . 2008-02-20 19:20 <DIR> d-------- C:\ComboFix(2)
2008-02-19 19:01 . 2008-02-20 19:07 <DIR> d-------- C:\QooBox
2008-02-19 19:01 . 2000-08-31 08:00 212,480 --a------ C:\WINDOWS\system32\swxcacls.exe
2008-02-19 19:01 . 2000-08-31 08:00 161,792 --a------ C:\WINDOWS\system32\swreg.exe
2008-02-19 19:01 . 2000-08-31 08:00 136,704 --a------ C:\WINDOWS\system32\swsc.exe
2008-02-19 19:01 . 2000-08-31 08:00 98,816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-19 19:01 . 2000-08-31 08:00 80,412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-19 19:01 . 2000-08-31 08:00 73,728 --a------ C:\WINDOWS\system32\fdsv.exe
2008-02-19 19:01 . 2000-08-31 08:00 68,096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-19 19:01 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-02-19 19:01 . 2000-08-31 08:00 49,152 --a------ C:\WINDOWS\system32\VFind.exe
2008-02-19 18:53 . 2004-08-04 12:00 388,608 --a------ C:\WINDOWS\system32\kmd.exe
2008-02-19 18:35 . 2008-02-19 18:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-19 17:20 . 2008-02-19 17:20 268 --ah----- C:\sqmdata03.sqm
2008-02-19 17:20 . 2008-02-19 17:20 244 --ah----- C:\sqmnoopt03.sqm
2008-02-19 12:11 . 2008-02-19 12:20 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-19 12:11 . 2008-02-19 12:11 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-19 12:10 . 2008-02-19 12:10 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-19 12:10 . 2008-02-20 19:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-19 12:10 . 2008-02-20 19:08 3,598,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-19 12:10 . 2008-02-20 19:19 9,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-19 12:10 . 2008-02-20 19:08 5,816 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-19 12:10 . 2008-02-20 19:08 1,700 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-19 12:09 . 2008-02-19 12:09 <DIR> d-------- C:\kav
2008-02-19 09:05 . 2007-04-04 20:27 1,471,104 --a------ C:\WINDOWS\system32\drivers\usbVM31b.sys
2008-02-19 09:05 . 2007-03-28 10:48 225,357 --a------ C:\WINDOWS\system32\VM31bPrp.Ax
2008-02-19 09:05 . 2004-12-10 10:07 94,208 --a------ C:\WINDOWS\VMCap.exe
2008-02-19 09:05 . 2004-12-10 14:30 61,440 --a------ C:\WINDOWS\system32\VM31bSTI.dll
2008-02-19 09:05 . 2007-03-27 17:24 49,152 --a------ C:\WINDOWS\VM301Snap.exe
2008-02-19 09:05 . 2006-07-04 14:16 49,152 --a------ C:\WINDOWS\Domino.exe
2008-02-19 08:53 . 2007-01-05 13:37 114,688 --a------ C:\WINDOWS\VM305Cap.exe
2008-02-19 08:53 . 2007-01-05 13:37 61,440 --a------ C:\WINDOWS\VM305_STI.EXE
2008-02-19 08:53 . 2002-10-16 09:29 49,152 --a------ C:\WINDOWS\amcap.exe
2008-02-19 08:53 . 2007-02-02 17:12 46,080 --a------ C:\WINDOWS\system32\vvftctrl.dll
2008-02-19 08:53 . 2002-02-26 02:47 15,086 --a------ C:\WINDOWS\uninstall.ico
2008-02-19 08:53 . 2006-03-05 17:55 9,728 --ahs---- C:\WINDOWS\Thumbs.db
2008-02-19 08:53 . 2005-09-29 00:26 8,990 --a------ C:\WINDOWS\Product.ico
2008-02-19 08:40 . 2008-02-19 08:40 <DIR> d-------- C:\Program Files\Vimicro
2008-02-19 08:40 . 2008-02-19 08:40 <DIR> d-------- C:\Documents and Settings\Jonathon\Application Data\InstallShield
2008-02-19 08:40 . 2007-01-25 03:26 319,456 --a------ C:\WINDOWS\system32\DIFxAPI.dll
2008-02-19 08:40 . 2007-03-29 12:08 126,976 --a------ C:\WINDOWS\system32\vmcoinst_zc0301plh.dll
2008-02-18 16:22 . 2008-02-18 16:22 268 --ah----- C:\sqmdata02.sqm
2008-02-18 16:22 . 2008-02-18 16:22 244 --ah----- C:\sqmnoopt02.sqm
2008-02-15 20:36 . 2008-02-15 20:36 <DIR> d-------- C:\Program Files\Microsoft Network Monitor 3
2008-02-15 17:42 . 2008-02-15 17:42 268 --ah----- C:\sqmdata01.sqm
2008-02-15 17:42 . 2008-02-15 17:42 244 --ah----- C:\sqmnoopt01.sqm
2008-02-15 17:18 . 2008-02-15 17:18 244 --ah----- C:\sqmnoopt00.sqm
2008-02-15 17:18 . 2008-02-15 17:18 232 --ah----- C:\sqmdata00.sqm
2008-02-14 11:20 . 2008-02-14 11:20 <DIR> d-------- C:\Documents and Settings\Jon\_notes
2008-02-13 09:25 . 2008-02-13 19:29 <DIR> d-------- C:\Documents and Settings\Jonathon\Contacts
2008-02-12 21:48 . 2008-02-12 21:48 <DIR> d-------- C:\Program Files\MSBuild
2008-02-12 21:45 . 2008-02-12 21:45 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-12 21:45 . 2008-02-12 21:45 <DIR> d-------- C:\WINDOWS\system32\en-us
2008-02-12 21:44 . 2008-02-12 21:44 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-12 21:40 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-12 21:38 . 2008-02-12 21:38 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-12 20:51 . 2008-02-12 21:49 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-12 20:44 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-02-12 20:44 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-12 20:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-12 20:44 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-12 20:44 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-02-12 20:39 . 2008-02-12 20:39 <DIR> d-------- C:\Program Files\Windows Live
2008-02-12 11:21 . 2004-08-03 23:06 25,600 --a------ C:\WINDOWS\system32\setupcl.exe
2008-02-12 11:14 . 2008-02-12 11:15 <DIR> d-------- C:\XP
2008-02-11 12:05 . 2008-02-11 12:05 <DIR> d-------- C:\Program Files\iTunes
2008-02-11 12:05 . 2008-02-11 12:05 <DIR> d-------- C:\Program Files\iPod
2008-02-11 12:05 . 2008-02-20 19:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-11 12:05 . 2008-02-11 12:05 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-11 12:04 . 2008-02-11 12:04 <DIR> d-------- C:\Program Files\QuickTime
2008-02-11 12:04 . 2008-02-11 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 12:03 . 2008-02-19 08:53 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-11 12:02 . 2008-02-11 12:02 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-10 10:37 . 2008-02-10 10:37 702,233 --a------ C:\WINDOWS\system32\unins000.exe
2008-02-10 10:37 . 2008-01-24 20:11 575,488 --a--c--- C:\WINDOWS\system32\RunOnceEx.exe
2008-02-10 10:37 . 2008-01-01 16:52 15,086 --a------ C:\WINDOWS\system32\Installer.ico
2008-02-10 10:37 . 2008-02-10 10:37 1,720 --a------ C:\WINDOWS\system32\unins000.dat
2008-02-10 10:37 . 2008-01-18 10:27 528 --a------ C:\WINDOWS\system32\RunOnceEx.exe.manifest
2008-02-10 10:37 . 2008-02-10 10:37 96 --a------ C:\ur.dll
2008-02-10 10:37 . 2008-02-10 10:37 66 --a------ C:\WINDOWS\runonceex.bat
2008-02-10 09:48 . 2008-02-12 11:16 <DIR> d-------- C:\XPCD
2008-02-10 09:46 . 2008-02-10 10:01 <DIR> d-------- C:\Program Files\nLite
2008-02-10 09:29 . 2008-02-10 09:29 <DIR> d-------- C:\Program Files\Icon Constructor 3
2008-02-10 09:29 . 2008-02-10 09:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Icon Constructor 3
2008-02-07 11:45 . 2008-02-07 11:45 2,403 --a------ C:\WINDOWS\system32\sugo2.WMP
2008-02-07 11:45 . 2008-02-07 11:45 2,403 --a------ C:\WINDOWS\system32\sugo2.WML
2008-02-06 19:40 . 2008-02-06 19:40 <DIR> d-------- C:\Documents and Settings\Jonathon\Application Data\AdobeUM
2008-02-06 19:40 . 2008-02-06 19:40 <DIR> d-------- C:\Documents and Settings\Jonathon\Application Data\AdobeAUM
2008-02-06 18:08 . 2008-02-06 18:08 <DIR> d-------- C:\Documents and Settings\Jonathon\Application Data\SmartFTP
2008-02-06 18:07 . 2008-02-06 18:07 <DIR> d-------- C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-02-06 18:07 . 2008-02-06 18:07 <DIR> d-------- C:\Program Files\SmartFTP Client
2008-02-06 17:31 . 2008-02-06 17:32 <DIR> d-------- C:\Program Files\Macromedia
2008-02-06 17:31 . 2008-02-06 17:32 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-02-05 21:47 . 2008-02-05 21:47 <DIR> d-------- C:\WINDOWS\Driving Test Complete
2008-02-05 21:47 . 2008-02-10 00:34 <DIR> d-------- C:\Program Files\Driving Test Complete
2008-02-02 19:45 . 2008-02-08 14:02 <DIR> d-------- C:\Program Files\Accent WORD Password Recovery
2008-02-02 15:57 . 2008-02-11 12:05 <DIR> d-------- C:\Documents and Settings\Jonathon\Application Data\Apple Computer
2008-02-01 18:01 . 2008-02-01 18:01 <DIR> d-------- C:\Documents and Settings\James\Application Data\Apple Computer
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-20 19:13 --------- d-----w C:\Program Files\Mozilla Firefox
2008-02-20 19:11 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\VMware
2008-02-20 19:09 1,610,612,736 --sha-w C:\pagefile.sys
2008-02-20 19:09 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-20 19:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-19 18:55 3,782,184 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-19 17:58 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\Skype
2008-02-19 17:56 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\skypePM
2008-02-19 16:34 --------- d-----w C:\Documents and Settings\James\Application Data\VMware
2008-02-19 12:20 195,344 ----a-w C:\WINDOWS\system32\drivers\klif.sys
2008-02-19 12:18 --------- d-----w C:\Program Files\FlashGet
2008-02-19 12:16 2,861,056 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-02-19 12:15 3,997,184 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-02-19 08:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 23:11 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\LimeWire
2008-02-13 09:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 21:37 --------- d-----w C:\Program Files\Outlook Express
2008-02-12 21:37 --------- d-----w C:\Program Files\Common Files\System
2008-02-12 21:30 --------- d-----w C:\Program Files\Windows Media Player
2008-02-11 12:04 --------- d-----w C:\Program Files\Bonjour
2008-02-11 12:02 --------- d-----w C:\Program Files\Common Files
2008-02-11 09:57 --------- d-----w C:\Program Files\LimeWire
2008-02-09 18:50 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\Ahead
2008-02-08 23:19 3,403,264 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-02-06 20:42 --------- d-----w C:\Program Files\Adobe
2008-02-06 20:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-30 13:12 --------- d-----w C:\Program Files\Serif
2008-01-30 13:06 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\Serif
2008-01-27 10:24 --------- d-----w C:\Program Files\STK017_V2.01
2008-01-24 21:31 --------- d-----w C:\Program Files\Kontiki
2008-01-13 21:29 --------- d-----w C:\Program Files\activePDF
2008-01-13 16:57 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
2008-01-13 16:57 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
2008-01-13 16:57 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
2008-01-13 16:57 185,944 ----a-w C:\WINDOWS\system32\rmoc3260.dll
2008-01-13 16:57 --------- d-----w C:\Program Files\Real
2008-01-13 16:57 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-13 16:57 --------- d-----w C:\Program Files\Common Files\Real
2008-01-11 23:17 --------- d-----r C:\Documents and Settings\Jonathon\Application Data\Brother
2008-01-11 23:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-11 23:15 --------- d-----w C:\Program Files\Brownie
2008-01-11 23:15 --------- d-----w C:\Program Files\Brother
2008-01-10 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-10 18:09 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-01-07 17:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\NtiDvdCopy
2008-01-06 18:39 --------- d-----w C:\Program Files\Common Files\Microsoft Shared
2008-01-05 18:36 90,786 ----a-w C:\WINDOWS\wubi-uninstall.exe
2008-01-04 21:09 25,992 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2008-01-04 15:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-04 15:01 --------- d-----w C:\Program Files\Channel4
2008-01-04 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-01-04 14:41 --------- d-----w C:\Program Files\Internet Explorer
2008-01-04 11:24 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-04 11:24 --------- d-----w C:\Program Files\FireTune
2008-01-04 11:05 --------- d-----w C:\Program Files\smhtp
2007-12-31 18:27 --------- d-----w C:\Program Files\TCM
2007-12-30 21:52 --------- d-----w C:\Program Files\Samsung Network Printer Utilities
2007-12-30 17:57 2,288,128 ----a-w C:\WINDOWS\system32\TUKernel.exe
2007-12-30 17:51 306,432 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2007-12-30 17:51 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2007-12-30 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-12-30 17:44 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\Azureus
2007-12-30 17:17 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\TuneUp Software
2007-12-29 18:55 --------- d-----w C:\Program Files\Alwil Software
2007-12-29 16:47 --------- d-----w C:\Program Files\Samsung
2007-12-29 11:57 --------- d-----w C:\Documents and Settings\Jonathon\Application Data\CSOdessa
2007-12-29 11:33 3,011,584 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-12-29 11:33 2,849,792 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-27 18:15 86,016 ----a-w C:\WINDOWS\system32\Lsk_iBlk.dll
2007-12-27 18:15 5,632 ------w C:\WINDOWS\system32\drivers\lsmirror.sys
2007-12-27 18:15 40,960 ----a-w C:\WINDOWS\system32\LSKLREMV.EXE
2007-12-27 18:15 12,800 ----a-w C:\WINDOWS\system32\lsmirror.dll
2007-12-27 18:15 --------- d-----w C:\Program Files\LANSchool
2007-12-27 10:02 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2007-12-26 12:17 --------- d-----w C:\Program Files\Electronic Arts
2007-12-24 11:32 --------- d-----w C:\Program Files\MiTAC Research (Shanghai) Ltd
2007-12-20 10:41 29,440 ----a-w C:\WINDOWS\system32\uxtuneup.dll
2007-12-18 00:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-15 16:01 75,056 ------w C:\WINDOWS\system32\LskHook.dll
2007-12-15 16:01 14,336 ----a-w C:\WINDOWS\system32\itaUninst.dll
2007-12-15 16:01 14,336 ----a-w C:\WINDOWS\system32\fraUninst.dll
2007-12-15 16:01 14,336 ----a-w C:\WINDOWS\system32\espUninst.dll
2007-12-15 16:01 14,336 ----a-w C:\WINDOWS\system32\deuUninst.dll
2007-12-15 16:01 13,824 ----a-w C:\WINDOWS\system32\ptbUninst.dll
2007-12-15 16:01 13,824 ----a-w C:\WINDOWS\system32\jpnUninst.dll
2007-12-08 21:15 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-04 18:36 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-04 18:36 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-04 18:36 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-04 18:36 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-04 18:36 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-04 18:36 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-04 18:36 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-04 18:36 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-04 18:36 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-04 18:36 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-04 18:35 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2007-12-21 15:17 196864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"LANSchoolTeacher"="C:\Program Files\LANSchool\Teacher.exe" [2007-12-27 18:15 323584]
"WireLessKeyboard "="C:\Program Files\TCM\TCM Keyboard Only\PS2USBKbdDrv.exe" [2005-06-15 15:38 188416]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 22:52 68400]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-13 16:57 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"BigDogPath"="C:\WINDOWS\VM301Snap.exe" [2007-03-27 17:24 49152]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 14:18 267048]
"Domino"="C:\WINDOWS\Domino.exe" [2006-07-04 14:16 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 16:14]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 12:00]
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 13:55]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 15:01]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 22:52]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-30 17:51]
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73ea1077-d0c6-11dc-822a-00123fa97c6b}]
\Shell\AutoRun\command - P:\SETUP.EXE /AUTORUN
\Shell\configure\command - P:\SETUP.EXE
\Shell\install\command - P:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 18:15:27 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-02-13 14:08:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 19:20:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
  #17  
Old 19th Feb 2008, 14:03
Moderator Group
 
Download SUPERAntispyware Free Edition (SAS)
  • Double-click the icon on your desktop to run the installer.
  • When asked to Update the program definitions, click Yes
  • If you encounter any problems while downloading the updates, manually download and unzip them from here
  • Next click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure only the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen click Scan your computer
  • On the left check C:\Fixed Drive
  • On the right choose Perform Complete Scan
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK
  • Make sure everything in the white box has a check next to it, then click Next
  • It will quarantine what it found and if it asks if you want to reboot, click Yes
  • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
  • Save the log somewhere you can easily find it. (normally the desktop)
  • Click close and close again to exit the program.
  • Please copy and then paste the log in your post.
----------

Next post
SuperAntispyware log
__________________

  #18  
Old 20th Feb 2008, 02:51
Member Group
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/20/2008 at 11:52 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 02:39:21

Memory items scanned : 427
Memory threats detected : 0
Registry items scanned : 6637
Registry threats detected : 0
File items scanned : 172096
File threats detected : 58

Adware.Tracking Cookie
C:\Documents and Settings\Jonathon\Cookies\jonathon@casalemedia[2].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@revsci[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@adecn[2].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@ad.yieldmanager[2].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@advertising[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@apmebf[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@adrevolver[2].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@atdmt[2].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@adtech[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@adserver[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@adopt.euroclick[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@media6degrees[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@ad.primopdf[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@mediaplex[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@tribalfusion[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@adrevolver[3].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@hitbox[2].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@fastclick[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@media.adrevolver[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@msnportal.112.2o7[1].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@ehg-myspaceinc.hitbox[2].txt
C:\Documents and Settings\Jonathon\Cookies\jonathon@tradedoubler[1].txt
C:\Documents and Settings\James\Cookies\james@ad.yieldmanager[1].txt
C:\Documents and Settings\James\Cookies\james@ad.zanox[1].txt
C:\Documents and Settings\James\Cookies\james@ad1.emediate[1].txt
C:\Documents and Settings\James\Cookies\james@adecn[1].txt
C:\Documents and Settings\James\Cookies\james@adopt.euroclick[2].txt
C:\Documents and Settings\James\Cookies\james@adrevolver[1].txt
C:\Documents and Settings\James\Cookies\james@adrevolver[2].txt
C:\Documents and Settings\James\Cookies\james@ads.pointroll[1].txt
C:\Documents and Settings\James\Cookies\james@adserver[1].txt
C:\Documents and Settings\James\Cookies\james@adtech[1].txt
C:\Documents and Settings\James\Cookies\james@advertising[1].txt
C:\Documents and Settings\James\Cookies\james@apmebf[1].txt
C:\Documents and Settings\James\Cookies\james@atdmt[2].txt
C:\Documents and Settings\James\Cookies\james@bluestreak[1].txt
C:\Documents and Settings\James\Cookies\james@bs.serving-sys[1].txt
C:\Documents and Settings\James\Cookies\james@casalemedia[1].txt
C:\Documents and Settings\James\Cookies\james@doubleclick[1].txt
C:\Documents and Settings\James\Cookies\james@fastclick[2].txt
C:\Documents and Settings\James\Cookies\james@linksynergy[2].txt
C:\Documents and Settings\James\Cookies\james@media.adrevolver[1].txt
C:\Documents and Settings\James\Cookies\james@media6degrees[1].txt
C:\Documents and Settings\James\Cookies\james@mediaplex[1].txt
C:\Documents and Settings\James\Cookies\james@mediaservices.myspace[1].txt
C:\Documents and Settings\James\Cookies\james@msnportal.112.2o7[1].txt
C:\Documents and Settings\James\Cookies\james@pro-market[2].txt
C:\Documents and Settings\James\Cookies\james@questionmarket[2].txt
C:\Documents and Settings\James\Cookies\james@revsci[1].txt
C:\Documents and Settings\James\Cookies\james@serving-sys[2].txt
C:\Documents and Settings\James\Cookies\james@tradedoubler[2].txt
C:\Documents and Settings\James\Cookies\james@videoegg.adbureau[2].txt
C:\Documents and Settings\James\Cookies\james@zbox.zanox[1].txt
H:\Users\Jon\AppData\Roaming\Microsoft\Windows\Cookies\Low\jon@atdmt[2].txt
H:\Users\Jon\AppData\Roaming\Microsoft\Windows\Cookies\Low\jon@doubleclick[1].txt
H:\Users\Jon\AppData\Roaming\Microsoft\Windows\Cookies\Low\jon@imrworldwide[2].txt
H:\Users\Jon\AppData\Roaming\Microsoft\Windows\Cookies\Low\jon@tacoda[2].txt

Unclassified.Unknown Origin
C:\DOWNLOADS\ADOBE PHOTOSHOP CS3 EXTENDED KEYGEN\KEYGEN.NFO
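Added here as an example, not part of the thread or of SUPERAntiSpyware itself: a small Python parser for scan logs in the layout posted above, with a triage step that separates tracking cookies (low risk) from detections that deserve a second look, lists the user profiles involved, and checks the declared threat count against the items actually listed (a mismatch usually means a truncated or edited paste). The sample log is a constructed excerpt; only the section and count-line formats are taken from the post.

```python
import re
from collections import defaultdict
# Constructed excerpt in the posted log's layout (4 of its 58 file threats kept).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 02/20/2008 at 11:52 PM
Memory items scanned : 427
Memory threats detected : 0
File items scanned : 172096
File threats detected : 58

Adware.Tracking Cookie
C:\Documents and Settings\Jonathon\Cookies\jonathon@casalemedia[2].txt
C:\Documents and Settings\James\Cookies\james@doubleclick[1].txt
H:\Users\Jon\AppData\Roaming\Microsoft\Windows\Cookies\Low\jon@atdmt[2].txt

Unclassified.Unknown Origin
C:\DOWNLOADS\ADOBE PHOTOSHOP CS3 EXTENDED KEYGEN\KEYGEN.NFO
"""

COUNT_RE = re.compile(r"^(Memory|Registry|File) (items scanned|threats detected) : (\d+)$")
ITEM_RE = re.compile(r"^(?:[A-Za-z]:\\|HKEY_)")  # a file path or a registry key
PROFILE_RE = re.compile(r"^[A-Za-z]:\\(?:Documents and Settings|Users)\\([^\\]+)\\", re.I)

def parse_sas_log(text):
    """Return (summary counts, {category: [items]}) from a SAS scan log."""
    counts, detections, category, in_body = {}, defaultdict(list), None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := COUNT_RE.match(line):
            key = f"{m.group(1).lower()}_{m.group(2).split()[0]}"  # e.g. file_threats
            counts[key] = int(m.group(3))
            in_body = in_body or key == "file_threats"  # last line of the summary
        elif not in_body:
            continue  # title, date and version lines of the header
        elif ITEM_RE.match(line):
            detections[category or "(uncategorized)"].append(line)
        else:
            category = line  # a "Family.Name" line opens a new section
    return counts, dict(detections)

def triage(counts, detections):
    """Split cookies from items to inspect; flag a declared/listed count mismatch."""
    cookies, review = [], []
    for category, items in detections.items():
        bucket = cookies if category == "Adware.Tracking Cookie" else review
        bucket.extend((category, item) for item in items)
    declared = sum(v for k, v in counts.items() if k.endswith("_threats"))
    profiles = {m.group(1) for _, p in cookies + review if (m := PROFILE_RE.match(p))}
    return {"tracking_cookies": len(cookies), "needs_review": review,
            "profiles": sorted(profiles), "count_mismatch": declared != len(cookies) + len(review)}
```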
  #19  
Old 20th Feb 2008, 08:29
Moderator Group
 
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
File::
C:\WINDOWS\system32\swxcacls.exe
C:\WINDOWS\system32\swreg.exe
C:\WINDOWS\system32\swsc.exe
C:\WINDOWS\system32\sed.exe
C:\WINDOWS\system32\grep.exe
C:\WINDOWS\system32\fdsv.exe
C:\WINDOWS\system32\zip.exe
C:\WINDOWS\Nircmd.exe
C:\WINDOWS\system32\VFind.exe
C:\WINDOWS\system32\kmd.exe
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt00.sqm
C:\sqmdata00.sqm
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Next post
Combofix log
New Hijackthis log
__________________

Copyright ©2006 - 2009 Computer Juice.

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.