New log

ComboFix 08-05-21.3 - Scott 2008-05-23 22:07:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.220 [GMT -4:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Internet Explorer\kyzeqe.html
C:\Program Files\Online Services\howynyka.html
C:\WINDOWS\system32\barseek.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Brooke\Application Data\ECURIT~1
C:\Documents and Settings\Brooke\Application Data\FNTS~1
C:\Documents and Settings\Brooke\My Documents\RACLE~1
C:\Documents and Settings\Brooke\My Documents\SSEMBL~1
C:\Documents and Settings\Brooke\My Documents\WNSXS~1
C:\Documents and Settings\Scott\Application Data\ErrorProtector Free
C:\Documents and Settings\Scott\Application Data\install.dat
C:\Documents and Settings\Scott\Application Data\WinTouch
C:\Documents and Settings\Scott\Application Data\YSTEM3~1
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\Scott\My Documents\ICROSO~1
C:\Documents and Settings\Scott\My Documents\STEM~1
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-119
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-145
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-199
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-261
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-266
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-273
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-284
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-300
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-328
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-332
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-356
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-358
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-371
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-407
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-422
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-423
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-428
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-453-Z_Start.lnk
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-453
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-456
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-526
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-542
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-544
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-545
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-598
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-621
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-622
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-650
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-661
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-703
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-752
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-755
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-756
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-776
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-779
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-894
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-929
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-962
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-974
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\backups\backup-20060627-222517-998
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\default.xex
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\HijackThis.exe
C:\Documents and Settings\Scott\My Documents\STEM~1\New Folder\hijackthis.log
C:\Documents and Settings\Scott\My Documents\YSTEM3~1
C:\PROGRA~1\COMMON~1\miiu
C:\PROGRA~1\COMMON~1\miiu\miiua.lck
C:\PROGRA~1\COMMON~1\miiu\miiud\class-barrel
C:\PROGRA~1\COMMON~1\miiu\miiul.lck
C:\PROGRA~1\COMMON~1\miiu\miium.lck
C:\PROGRA~1\COMMON~1\miiu\miiup.lck
C:\Program Files\Common Files\{B4BDA~1
C:\Program Files\Common Files\{B4BDA~2
C:\Program Files\Common Files\{B4BDA~3
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\sks~1
C:\Program Files\inetget2
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\outerinfo
C:\Program Files\Router
C:\Program Files\stem32~1
C:\Program Files\windows
C:\WINDOWS\ms011262639300-2006.exe
C:\WINDOWS\ssembl~1
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\wnsintit.exe
C:\WINDOWS\system32\wnsintsv32.exe
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem~1\?ystem\
C:\WINDOWS\system32\ystem~1\wowexec.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Legacy_NETWORK_MONITOR
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 18:30 . 2008-05-23 18:30 <DIR> d-------- C:\Deckard
2008-05-14 20:00 . 2008-05-14 20:00 <DIR> d-------- C:\CB_3075
2008-05-14 19:57 . 2008-05-14 19:57 <DIR> d-------- C:\WINDOWS\A5W_DATA
2008-05-14 19:57 . 2008-05-14 19:57 28,042 --a------ C:\WINDOWS\Run32A50.mch
2008-05-14 19:57 . 2008-05-14 19:57 35 --a------ C:\WINDOWS\A5W.INI
2008-05-14 19:56 . 2008-05-14 19:56 <DIR> d-------- C:\CB_3058
2008-05-14 19:50 . 2008-05-14 19:50 <DIR> d-------- C:\Program Files\EpiCalc 2000
2008-05-14 19:50 . 2008-05-21 12:34 4,840 --a------ C:\WINDOWS\EpiCalc.ini
2008-05-14 19:49 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2008-05-13 07:27 . 2008-05-13 07:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-13 07:27 . 2008-05-13 07:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-02 00:05 . 2008-05-02 00:05 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-01 23:53 . 2008-05-01 23:54 <DIR> d-------- C:\Program Files\Ruckus Player
2008-05-01 23:53 . 2008-05-01 23:55 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-01 23:53 . 2008-05-01 23:53 <DIR> d-------- C:\Documents and Settings\Scott\.realobjects
2008-04-30 19:01 . 2008-04-30 19:01 <DIR> d-------- C:\Program Files\ESET
2008-04-30 19:01 . 2008-04-30 19:01 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Uniblue
2008-04-30 19:01 . 2008-04-30 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-27 11:57 . 2008-04-27 11:58 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-26 19:47 . 2008-05-01 23:55 <DIR> d-------- C:\Program Files\Spyware Doctor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 02:16 --------- d-----w C:\Documents and Settings\Scott\Application Data\AVG7
2008-05-20 22:26 --------- d-----w C:\Documents and Settings\Brooke\Application Data\AVG7
2008-05-14 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-02 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-02 04:04 --------- d--h--w C:\Documents and Settings\Scott\Application Data\Move Networks
2008-05-02 04:04 --------- d-----w C:\Program Files\McAfee.com
2008-05-02 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-02 03:55 --------- d-----w C:\Program Files\WAV to MP3 Encoder
2008-05-02 03:55 --------- d-----w C:\Program Files\MP3 to WAV Decoder
2008-05-02 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 03:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 02:16 --------- d-----w C:\Program Files\Winamp
2008-05-02 02:15 --------- d-----w C:\Program Files\BitLord
2008-04-27 13:36 --------- d-----w C:\Program Files\ewido anti-malware
2008-04-02 10:02 --------- d-----w C:\Program Files\NetRatingsNetSight
2008-03-30 02:11 --------- d-----w C:\Documents and Settings\Scott\Application Data\Viewpoint
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-01-07 05:16 120 -c--a-w C:\Documents and Settings\Scott\Application Data\wklnhst.dat
2005-07-29 21:24 472 -csha-r C:\WINDOWS\U2NvdHQg\oZhSxJk0.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 18:25 101080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 21:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 20:59 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 19:17 88358 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 23:38 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 18:59 65536]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 16:51 24576]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 23:08 675840]
"TPSMain"="TPSMain.exe" [2004-12-28 19:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 19:51 122880]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 00:06 53248]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 19:25 73728]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-03-28 17:28 290816]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"ZoomingHook"="ZoomingHook.exe" [2004-05-01 02:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22 35328]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-04 12:43 185896]
"TFncKy"="TFncKy.exe" []
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 17:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 17:49 98304]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 17:35 28672]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-27 15:06 579584]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 18:04 219136]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
Microsoft Office Groove.lnk - C:\Program Files\Microsoft Office\Office12\GROOVE.EXE [2006-10-27 16:37:44 338216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 16:39:01 155648]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\profsyvyra.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [2005-04-26 18:26 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 19:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2005-09-19 16:25:53 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 22:13:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [1408] 0x81D983E8

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\acs.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Apoint2K\ApntEx.exe
.
**************************************************************************
.
Completion time: 2008-05-23 22:22:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 02:22:09

Pre-Run: 34,318,012,416 bytes free
Post-Run: 34,549,694,464 bytes free

263 --- E O F --- 2008-05-14 00:04:39
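A small triage helper for a ComboFix log of the kind posted above. This is an added example for this thread, not part of the original posts and not a ComboFix feature. It pulls out four indicators that stand out in the log: a folder directly under C:\WINDOWS whose name is valid base64 of printable text (U2NvdHQg in the Find3M report decodes to "Scott ", the logged-in user's name plus a trailing space), Run entries whose target ComboFix could not stat (the trailing "[ ]" or "[]"), Security Center *DisableNotify values forced to 1, and Find3M entries carrying both the system and hidden attributes (the -csha-r on oZhSxJk0.vbs). The sample input is a handful of lines copied from the log above; the base64 check is a heuristic and its hits need a human look.

```python
"""Triage helper for a posted ComboFix log (added example, not ComboFix code).

Scans the raw log text for four indicators:
  * folders directly under C:\\WINDOWS whose name is base64 of printable text,
  * Run values whose file ComboFix could not locate ("[ ]" / "[]"),
  * Security Center *DisableNotify values set to 1,
  * Find3M-style entries with both the system ('s') and hidden ('h') attributes.
"""
import base64
import binascii
import re

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2005-07-29 21:24 472 -csha-r C:\WINDOWS\U2NvdHQg\oZhSxJk0.vbs
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"NDSTray.exe"="NDSTray.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# First path component under C:\WINDOWS, restricted to the base64 alphabet.
WINDIR_SUBDIR = re.compile(r"C:\\WINDOWS\\([A-Za-z0-9+/]{4,}={0,2})\\", re.IGNORECASE)
# Find3M report line: date time size attributes path
FIND3M_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([-a-z]+)\s+(C:\\.+)$")
# Run value whose bracketed file info is empty: ComboFix could not stat the target.
EMPTY_RUN_ENTRY = re.compile(r'^"([^"]+)"="[^"]*"\s*\[\s*\]\s*$')
DISABLE_NOTIFY = re.compile(r'^"(\w*DisableNotify)"=dword:0*1$')


def decode_base64_name(name):
    """Return the decoded text if `name` is well-formed base64 of printable ASCII, else None."""
    if len(name) % 4:
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def find_base64_dirs(log):
    """(folder, decoded text) for folders under C:\\WINDOWS that decode to printable text.

    Heuristic: an ordinary 8-character name such as system32 is valid base64 too,
    but decodes to non-printable bytes and is therefore dropped.
    """
    hits = {}
    for m in WINDIR_SUBDIR.finditer(log):
        decoded = decode_base64_name(m.group(1))
        if decoded is not None:
            hits.setdefault(m.group(1), decoded)
    return list(hits.items())


def find_unverified_run_entries(log):
    """Names of Run values whose target file ComboFix could not find."""
    hits = []
    for line in log.splitlines():
        m = EMPTY_RUN_ENTRY.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def find_disabled_notifications(log):
    """*DisableNotify values set to 1, but only under the Security Center key."""
    hits, in_security_center = [], False
    for line in log.splitlines():
        if line.startswith("["):
            in_security_center = "security center" in line.lower()
            continue
        m = DISABLE_NOTIFY.match(line)
        if in_security_center and m:
            hits.append(m.group(1))
    return hits


def find_hidden_system_files(log):
    """Paths from Find3M lines whose attribute field has both 's' and 'h'."""
    hits = []
    for line in log.splitlines():
        m = FIND3M_LINE.match(line)
        if m and "s" in m.group(1) and "h" in m.group(1):
            hits.append(m.group(2))
    return hits


def triage(log):
    """Run all four checks and return their findings keyed by check name."""
    return {
        "base64_dirs": find_base64_dirs(log),
        "unverified_run_entries": find_unverified_run_entries(log),
        "disabled_notifications": find_disabled_notifications(log),
        "hidden_system_files": find_hidden_system_files(log),
    }


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

Run it against a full saved ComboFix.txt by reading the file into `triage()`. The three DisableNotify values together are the tell that something switched off Security Center's warnings for antivirus, firewall and updates at once; the base64 folder name is worth checking because it ties the folder to the user account it was created under.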
 
Step1

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
File::
C:\WINDOWS\imsins.BAK

Folder::
C:\WINDOWS\U2NvdHQg
3. Then in the text file go to FILE => SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply

Step2

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
SDFix: Version 1.185
Run by Scott on Fri 05/23/2008 at 10:37 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 22:44:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000060
"TracesSuccessful"=dword:00000002

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Disabled:Microsoft Office Groove"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 26 Dec 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 2 Oct 2007 27,136 ...H. --- "C:\Documents and Settings\Scott\My Documents\~WRL0003.tmp"
Tue 26 Dec 2006 4,348 ...H. --- "C:\Documents and Settings\Scott\My Documents\My Music\License Backup\drmv1key.bak"
Wed 12 Sep 2007 20 A..H. --- "C:\Documents and Settings\Scott\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 26 Dec 2006 9,655 A.SH. --- "C:\Documents and Settings\Scott\My Documents\My Music\License Backup\drmv2key.bak"
Sun 14 Jan 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\73b38e6399921b83cdcc05584d085f4b\BIT3A.tmp"
Sun 14 Jan 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\9dbaac1e50a4706a8b8dbd434a19e435\BIT3C.tmp"
Sun 14 Jan 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a47321bdd5009003a9abdb62d9a718c7\BIT3B.tmp"
Sun 14 Jan 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b68cb38dc8dc3be185a274d0a0d9edc5\BIT39.tmp"
Sun 14 Jan 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\dc3d5e1c0c70bb9a1b890316e8665042\download\BIT44.tmp"

Finished!
 
ComboFix 08-05-21.3 - Scott 2008-05-23 22:52:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
Running from: C:\Documents and Settings\Scott\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Scott\Desktop\cfscript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\imsins.BAK
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\imsins.BAK
C:\WINDOWS\U2NvdHQg
C:\WINDOWS\U2NvdHQg\oZhSxJk0.vbs

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 22:32 . 2008-05-23 22:33 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-23 22:27 . 2008-05-23 22:47 <DIR> d-------- C:\SDFix
2008-05-23 18:30 . 2008-05-23 18:30 <DIR> d-------- C:\Deckard
2008-05-14 20:00 . 2008-05-14 20:00 <DIR> d-------- C:\CB_3075
2008-05-14 19:57 . 2008-05-14 19:57 <DIR> d-------- C:\WINDOWS\A5W_DATA
2008-05-14 19:57 . 2008-05-14 19:57 28,042 --a------ C:\WINDOWS\Run32A50.mch
2008-05-14 19:57 . 2008-05-14 19:57 35 --a------ C:\WINDOWS\A5W.INI
2008-05-14 19:56 . 2008-05-14 19:56 <DIR> d-------- C:\CB_3058
2008-05-14 19:50 . 2008-05-14 19:50 <DIR> d-------- C:\Program Files\EpiCalc 2000
2008-05-14 19:50 . 2008-05-21 12:34 4,840 --a------ C:\WINDOWS\EpiCalc.ini
2008-05-14 19:49 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2008-05-13 07:27 . 2008-05-13 07:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-13 07:27 . 2008-05-13 07:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-02 00:05 . 2008-05-02 00:05 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-01 23:53 . 2008-05-01 23:54 <DIR> d-------- C:\Program Files\Ruckus Player
2008-05-01 23:53 . 2008-05-01 23:55 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-05-01 23:53 . 2008-05-01 23:53 <DIR> d-------- C:\Documents and Settings\Scott\.realobjects
2008-04-30 19:01 . 2008-04-30 19:01 <DIR> d-------- C:\Program Files\ESET
2008-04-30 19:01 . 2008-04-30 19:01 <DIR> d-------- C:\Documents and Settings\Scott\Application Data\Uniblue
2008-04-30 19:01 . 2008-04-30 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-26 19:47 . 2008-05-01 23:55 <DIR> d-------- C:\Program Files\Spyware Doctor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 02:16 --------- d-----w C:\Documents and Settings\Scott\Application Data\AVG7
2008-05-20 22:26 --------- d-----w C:\Documents and Settings\Brooke\Application Data\AVG7
2008-05-14 00:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-02 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-02 04:04 --------- d--h--w C:\Documents and Settings\Scott\Application Data\Move Networks
2008-05-02 04:04 --------- d-----w C:\Program Files\McAfee.com
2008-05-02 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-05-02 03:55 --------- d-----w C:\Program Files\WAV to MP3 Encoder
2008-05-02 03:55 --------- d-----w C:\Program Files\MP3 to WAV Decoder
2008-05-02 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-02 03:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 02:16 --------- d-----w C:\Program Files\Winamp
2008-05-02 02:15 --------- d-----w C:\Program Files\BitLord
2008-04-27 13:36 --------- d-----w C:\Program Files\ewido anti-malware
2008-04-02 10:02 --------- d-----w C:\Program Files\NetRatingsNetSight
2008-03-30 02:11 --------- d-----w C:\Documents and Settings\Scott\Application Data\Viewpoint
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2006-01-07 05:16 120 -c--a-w C:\Documents and Settings\Scott\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-23_22.21.37.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 02:12:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 02:42:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 07:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-24 02:33:22 5,500,928 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-05-24 02:33:22 36,864 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-23 07:54:18 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-24 02:33:00 5,500,928 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-05-24 02:33:00 36,864 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-04-27 18:59:48 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-24 02:17:59 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-27 18:59:48 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-24 02:17:59 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 03:32 65536]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 18:25 101080]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-01 21:03 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-01 20:59 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 19:17 88358 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2005-04-20 23:38 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2005-02-25 18:59 65536]
"TOSHIBA Accessibility"="C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe" [2005-02-22 16:51 24576]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-04-28 23:08 675840]
"TPSMain"="TPSMain.exe" [2004-12-28 19:02 270336 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 17:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-15 19:51 122880]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2004-11-30 00:06 53248]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-04-05 19:25 73728]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-17 19:37 151552]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-03-28 17:28 290816]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"ZoomingHook"="ZoomingHook.exe" [2004-05-01 02:03 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 18:22 35328]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-04 12:43 185896]
"TFncKy"="TFncKy.exe" []
"TCtryIOHook"="TCtrlIOHook.exe" [2004-05-01 17:03 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-23 17:49 98304]
"Notebook Maximizer"="C:\Program Files\Notebook Maximizer\maximizer_startup.exe" [2004-05-25 17:35 28672]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 01:40 196608]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-27 15:06 579584]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-13 18:04 219136]

C:\Documents and Settings\Scott\Start Menu\Programs\Startup\
Microsoft Office Groove.lnk - C:\Program Files\Microsoft Office\Office12\GROOVE.EXE [2006-10-27 16:37:44 338216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-05-23 16:39:01 155648]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\profsyvyra.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= C:\Program Files\Metamail Inc\Metamail Reader\OESHook.dll [2005-04-26 18:26 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-02 19:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2005-09-19 16:25:53 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 22:55:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-23 22:56:36
ComboFix-quarantined-files.txt 2008-05-24 02:56:13
ComboFix2.txt 2008-05-24 02:22:21

Pre-Run: 34,426,134,528 bytes free
Post-Run: 34,418,180,096 bytes free

162 --- E O F --- 2008-05-14 00:04:39
 
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
  • Click on the submit button
  • Please post the results in your next reply.

---------------

After doing this, post up the Kaspersky Log and the Jotti Log.
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 24, 2008 9:59:21 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/05/2008
Kaspersky Anti-Virus database records: 799502
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 56998
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:35:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Application Data\AVG7\l_000191.log Object is locked skipped
C:\Documents and Settings\Scott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\csm.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\csm.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groove.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groove.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovebinaryfilestore.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovebinaryfilestore.xssr Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovecommunicationsservices.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovecommunicationsservices.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovedevice.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovedevice.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovedevice.xssr Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovefetchservices.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\groovefetchservices.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\grooverdbsystemdefinitions.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\grooverdbsystemdefinitions.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\_systeminstall_\InstallQ.stg Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\System\__XSSTemp__.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\Accounts\Eymszbxh32ugxi9p8efqypdjbvgvcvvgt6rwbca\id.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\Accounts\summary.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\Accounts\summary.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\Accounts\summary.xssr Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\Accounts\Zzb7qbvfgdf5c5aubdgt78anf728scpekjiazj2\id.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\Accounts\Zzb7qbvfgdf5c5aubdgt78anf728scpekjiazj2\id.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\Accounts\Zzb7qbvfgdf5c5aubdgt78anf728scpekjiazj2\id.xssr Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\groovemisc.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\groovemisc.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\resources.xss Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Office\Groove\User\resources.xsslog Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\temp\~DFDD63.tmp Object is locked skipped
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scott\ntuser.dat Object is locked skipped
C:\Documents and Settings\Scott\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.b skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP2\A0000016.exe Infected: not-a-virus:AdWare.Win32.Insider.b skipped
C:\System Volume Information\_restore{1D1D6F93-1B0C-4060-8D79-09274A81BD2A}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{665D61A8-71EF-4370-8D88-AFE49EED6235}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
I get the following error message on Jotti:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
 
Can you please zip that file into a post here, and attach it.

Please NOTE, nobody download the ZIP and unarchive it until I can test it.

-------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
 
Zip what file? And how do I do it?
 
Did you do the other steps? Do those.

Create a ZIP Archive and put that file in it. Then there is a way when you are posting to attach it.
 