Constant error message saying low disk space. I have deleted loads of files, programmes etc but it doesn't free any space. Help!


  • This topic is locked
29 replies to this topic

#1 lucyd88

Posted 03 January 2009 - 11:09 AM

Hi,
Recently, my computer has constantly displayed a message warning about critically low disk space. I didn't realise it was some sort of virus eating up my memory at first, so I kept deleting files, temporary files, programmes etc but realised it wasn't freeing up any space. (In this process I naively decided to reinstall iTunes, but of course once it was uninstalled there was "not enough disk space" to reinstall so I am now without my music!) I have noticed it has affected my web browsing, as pictures on websites show up blurry, with a message saying "shift + r improves the quality of this image".

Also, when I'm using the internet, quite often a message pops up saying something like "a recent attempt to hack your computer was blocked".

I'm pretty useless with computers but have followed the FAQ and would be really grateful for any help.

Here is the malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 2

03/01/2009 16:31:08
mbam-log-2009-01-03 (16-31-08).txt

Scan type: Quick Scan
Objects scanned: 65677
Time elapsed: 49 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MacroVirus (Rogue.MacroVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{dd651081-a909-45ad-bd71-2335b0ade043} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MacroVirus (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Quarantine (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Registry Backups (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Settings (Rogue.MacroVirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MacroVirus\mav.db.version (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Program Files\MacroVirus\mav.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_48 PM_765.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_49 PM_031.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_953.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_984.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_437.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_468.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_437.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_468.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_750.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_781.log (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Settings\CustomScan.stg (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Settings\IgnoreList.stg (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Settings\ScanInfo.stg (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Settings\ScanResults.stg (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Settings\SelectedFolders.stg (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Settings\Settings.stg (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job (Rogue.MacroVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\mywallpaper.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\sysawpbkvnq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Here is the hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:38:31, on 03/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\T-Mobile\web'n'walk Manager\bmctl.exe
C:\Program Files\T-Mobile\web'n'walk Manager\bmop.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.c...a...&tbid=60327
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [SpybotDeletingA9275] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_48 PM_765.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1435] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_48 PM_765.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA981] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_49 PM_031.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5346] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_49 PM_031.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7579] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_953.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2805] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_953.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2206] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_984.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6171] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_984.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA174] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_437.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC696] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_437.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7072] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9569] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1130] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_437.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7386] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_437.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA74] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2484] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_468.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7212] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_750.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7422] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_750.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8986] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_781.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC548] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_781.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2154] command /c del "C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8221] cmd /c del "C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1737] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_48 PM_765.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7129] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_48 PM_765.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9329] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_49 PM_031.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6989] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_51_49 PM_031.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6958] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_953.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9023] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_953.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9966] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_984.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7274] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_13 PM_984.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3420] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_437.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2129] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_437.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6481] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7837] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_55_15 PM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB607] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_437.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2959] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_437.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8979] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9488] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_50 PM_468.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6316] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_750.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5585] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_750.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6873] command /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_781.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9875] cmd /c del "C:\Documents and Settings\Lucy Doyle\Application Data\MacroVirus\Log\2008 Dec 12 - 12_56_51 PM_781.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1041] command /c del "C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job"
O4 - HKCU\..\RunOnce: [SpybotDeletingD939] cmd /c del "C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WTGU.lnk = C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite....derword_win.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82CC7D2F-10AF-4A6C-9034-535B9BDDC026}: NameServer = 149.254.192.126 149.254.201.126
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 21620 bytes



Here is the BitDefender log:

Scan report generated at: Sat, Jan 03, 2009 - 20:07:35

Scan path: C:\;D:\;E:\;F:\;

Statistics
Time: 02:31:51
Files: 241118
Folders: 7600
Boot Sectors: 0
Archives: 8830
Packed Files: 12068

Results
Identified Viruses: 13
Infected Files: 24
Suspect Files: 0
Warnings: 0
Disinfected: 3
Deleted Files: 23

Engines Info
Virus Definitions: 2404735
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54603D3D.EXE=>(Quarantine-2)
Infected with: Win32.Wukill.E@mm

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54603D3D.EXE=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54603D3D.EXE
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E403F63.doc=>(Quarantine-2)
Infected with: W97M.Thus.EW

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E403F63.doc=>(Quarantine-2)
Disinfected

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E403F63.doc
Update failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F262073.exe=>(Quarantine-2)
Infected with: Win32.Wukill.E@mm

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F262073.exe=>(Quarantine-2)
Deleted

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F262073.exe
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\vistaCPtasks.xml=>(Embedded EXE)
Detected with: Adware.SpyClean.A

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\vistaCPtasks.xml=>(Embedded EXE)
Disinfection failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\vistaCPtasks.xml=>(Embedded EXE)
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\vistaCPtasks.xml
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.cat=>(Embedded EXE)
Detected with: Adware.SpyClean.A

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.cat=>(Embedded EXE)
Disinfection failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.cat=>(Embedded EXE)
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.cat
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.inf
Detected with: Adware.SpyClean.B

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.inf
Disinfection failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.inf
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\Difxapi.dll
Detected with: Adware.Spywarestop.B

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\Difxapi.dll
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\zlib.dll
Detected with: Adware.SpyClean.E

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\zlib.dll
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.amd64.sys
Detected with: Adware.Spywarestop.B

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv\AntiSpyware.amd64.sys
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv
Detected with: Adware.SpyClean.N

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp\FilterDrv
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp
Detected with: Adware.SpyClean.N

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)=>AntiSpywareApp
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe=>(7z o)
Update failed

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(2).exe
Infected with: Trojan.Renos.NET

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(2).exe
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(3).exe
Infected with: Trojan.Renos.NET

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(3).exe
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(4).exe
Infected with: Trojan.Renos.NET

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(4).exe
Deleted

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(5).exe
Infected with: Trojan.Renos.NET

C:\Documents and Settings\Lucy Doyle\Desktop\Unused Desktop Shortcuts\xcodec.0(5).exe
Deleted

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Incomplete\Preview-T-3877629-look good in blue blondie.mp3
Infected with: Trojan.Wimad.Gen.1

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Incomplete\Preview-T-3877629-look good in blue blondie.mp3
Disinfected

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\Blondie - The Attack Of The Giant Ants.mp3
Infected with: Trojan.Downloader.WMA.Wimad.Z

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\Blondie - The Attack Of The Giant Ants.mp3
Deleted

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\drag your heels.mp3
Infected with: Trojan.Downloader.Wimad.A

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\drag your heels.mp3
Deleted

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\drag your heels2.mp3
Infected with: Trojan.Downloader.WMA.Wimad.N

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\drag your heels2.mp3
Deleted

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\elegie patti smith.mp3
Infected with: Trojan.Downloader.WMA.Wimad.N

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\elegie patti smith.mp3
Deleted

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\kimberly patti smith.mp3
Infected with: Trojan.Downloader.WMA.Wimad.N

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\kimberly patti smith.mp3
Deleted

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\look good in blue blondie.mp3
Infected with: Trojan.Wimad.Gen.1

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\look good in blue blondie.mp3
Disinfected

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\night train kills.mp3
Infected with: Trojan.Downloader.WMA.Wimad.N

C:\Documents and Settings\Lucy Doyle\My Documents\LimeWire\Saved\night train kills.mp3
Deleted

C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe
Detected with: Dialer.BT

C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe
Disinfection failed

C:\WINDOWS\system32\oobe\ISPSoftware\BTYahoo\BroadbandFromBT.exe
Deleted

Edited by lucyd88, 07 January 2009 - 11:01 AM.


#2 SWI Support Robot


Posted 05 January 2009 - 11:18 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Rocket Grannie


Posted 08 January 2009 - 02:30 AM

Hello lucyd88. Welcome to SWI.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

First of all, I suggest you uninstall LimeWire.
All of the MP3 files you downloaded through LimeWire were infected.

The most current version of LimeWire is reported to include spyware. LimeWire 4.9.28 is clean (older and newer versions may not be). Chances are junk was bundled with this product even if you paid for it. If you are going to use P2P file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

Download Security Check by screen317 and save it to your Desktop.
  • Unzip SecurityCheck.zip and a folder named Security Check should appear.
  • Open the Security Check folder and double-click Security Check.bat
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.

Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include C:\ComboFix.txt, the Security Check report, and a fresh HijackThis log in your next reply for further review.
And let me know how the computer is performing now.



Rocket Grannie




My help is free; however, if you wish to make a donation, please see Here

#4 lucyd88


Posted 09 January 2009 - 09:55 AM

Hi, thanks for the response! I have uninstalled LimeWire and followed your instructions. The issue of blurred pictures on the internet has been resolved.

Here is the Security Check report:

Results of screen317's Security Check version 0.97.6.8
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````


Scan took 3 seconds.
`````````End of Log```````````



Here is the ComboFix report:

ComboFix 09-01-08.04 - Lucy Doyle 2009-01-09 13:40:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.209 [GMT 0:00]
Running from: c:\documents and settings\Lucy Doyle\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Outdated)
FW: Norton Internet Security 2006 *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\LUCYDO~1\LOCALS~1\Temp\tmp2.tmp

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-08 20:38 . 2009-01-08 20:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-08 20:38 . 2009-01-08 20:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-03 17:12 . 2009-01-03 20:07 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-03 16:32 . 2009-01-03 16:32 1,344 --a------ c:\windows\wininit.ini
2009-01-03 15:38 . 2009-01-03 15:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 15:38 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 15:38 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 11:41 . 2008-12-12 11:41 736 --a------ c:\windows\SamsungMaster.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 13:29 388,608 ----a-w c:\windows\system32\CF2341.exe
2009-01-09 13:22 45,332 ----a-w c:\documents and settings\Lucy Doyle\Application Data\wklnhst.dat
2009-01-09 13:22 --------- d-----w c:\program files\Lx_cats
2009-01-09 12:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-09 01:02 --------- d-----w c:\documents and settings\Lucy Doyle\Application Data\LimeWire
2009-01-08 20:37 --------- d-----w c:\program files\Java
2009-01-06 16:28 --------- d-----w c:\program files\FriendBlasterPro
2009-01-03 16:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 15:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-31 13:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 13:12 --------- d-----w c:\program files\TOSHIBA
2008-12-12 13:42 --------- d-----w c:\program files\Steinberg
2008-12-12 13:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 11:41 --------- d-----w c:\program files\Samsung
2008-12-12 11:20 --------- d-----w c:\program files\Common Files\Apple
2008-12-04 14:53 --------- d-----w c:\program files\WP-S1 PCSync
2008-12-04 14:40 --------- d-----w c:\program files\MP3 Player Utilities 3.57
2008-11-18 19:27 --------- d-----w c:\program files\Microsoft Works
2008-11-13 22:29 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-13 21:30 --------- d-----w c:\program files\EA GAMES
2008-11-13 21:18 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-11-13 21:18 --------- d-----w c:\program files\Yahoo!
2008-11-13 20:56 --------- d-----w c:\program files\DivX
2008-11-13 20:54 --------- d-----w c:\program files\Google
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-08-20 07:50 7,333,224 -c--a-w c:\program files\Firefox Setup 3.0.1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-20 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 638976]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-10-06 360448]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-03 26112]
"DataCardMonitor"="c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe" [2008-11-06 253952]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 c:\windows\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-11 c:\windows\system32\TPSMain.exe]
"Zooming"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 c:\windows\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 c:\windows\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Lucy Doyle\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-11-03 241664]
WTGU.lnk - c:\program files\T-Mobile\web'n'walk Manager\WTGU.exe [2008-11-06 857544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-29 17:52 352256 c:\documents and settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R1 SASDIFSV;SASDIFSV;c:\documents and settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2006-11-30 102712]
R4 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-04-18 98816]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7eacbbab-c641-11dd-ba03-0016d42a656a}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7eacbbac-c641-11dd-ba03-0016d42a656a}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80fcbc52-ac5b-11dd-b9b7-0016d42a656a}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-12-26 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Lucy Doyle.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: bmnet.dll

c:\windows\Downloaded Program Files\FlyLoader.dll - O16 -: {48DF87EE-F2DE-11D8-BE7F-302050C10801}
hxxp://www.flysuite.com/flyword/loaderword_win.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 13:43:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
DataCardMonitor = c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe?rs\CancelAutoplay\CLSID?dows_NT?? ?????????????????????SOFTWARE\Microsoft\Windows\CurrentVersion\Run?am ???????????OCUME~1\LUCYDO~1\LOCALS~1\Temp\DataCardPM32.tmp?me\QTSystem\;C:\Prog?? ????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\documents and settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(1024)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-01-09 13:45:47
ComboFix-quarantined-files.txt 2009-01-09 13:45:00

Pre-Run: 566,906,880 bytes free
Post-Run: 1,051,394,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

189 --- E O F --- 2008-12-27 00:05:17



Here is a new HijackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:14:02, on 09/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Hijack\HiJackThis\HijackThis.exe
C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WTGU.lnk = C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite....derword_win.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.su...ows-i586-jc.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 15005 bytes

#5 lucyd88

Posted 09 January 2009 - 11:46 AM

All of the issues seem to have been resolved, as the low disk message has also gone, and I was able to re-install itunes. Thanks for your help, let me know if there is anything else I should do.

#6 Rocket Grannie

Posted 09 January 2009 - 05:24 PM

Hello lucyd88

"All of the issues seem to have been resolved, as the low disk message has also gone, and I was able to re-install itunes."

Great!

"thanks for your help,"

You are welcome.

"let me know if there is anything else I should do."

Just some leftovers to clean.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open Notepad: click Start -> All Programs -> Accessories, then click Notepad.
Do NOT use any text editor other than Notepad or the script will fail.
Copy/Paste the text in the quote box below into Notepad:



KILLALL::
File::
c:\windows\wininit.ini
Folder::
c:\documents and settings\Lucy Doyle\Application Data\LimeWire


Save this as a text file, CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), it will produce a log for you. Post that log in your next reply please.

Please reboot the computer (if ComboFix did not ask for a reboot)

Please open HijackThis.
Click the Do a system scan only button, then place a check against each of the following:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.
Close HijackThis.

Please reboot the computer.

In Internet Explorer, please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your Desktop.
  • Copy and Paste that information in your next post.

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post:

ComboFix log.
Kaspersky report.
A fresh HJT log.



Rocket Grannie
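An added example, not part of the original posts and not a HijackThis feature: the two BHO entries listed for "Fix checked" above both point at "(no file)", and once the fresh HJT log comes back a helper can confirm they are gone by comparing CLSIDs. The function names are hypothetical; the sample lines are copied from this thread (the fresh-log excerpt is shortened to three O2 lines).

```python
import re

# HijackThis O2 lines have the shape:
#   O2 - BHO: <name> - {CLSID} - <path to DLL, or "(no file)">
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)

# The entries the helper asked to have fixed (copied from the post above).
FIX_LIST = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# Excerpt of the O2 section of the fresh log posted afterwards in this thread.
FRESH_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\\Program Files\\jZip\\WebmailPlugin.dll
"""


def parse_bho_lines(log_text):
    """Return one dict per O2 (Browser Helper Object) line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                # CLSIDs are case-insensitive; normalise so comparisons work.
                "clsid": m.group("clsid").upper(),
                "target": m.group("target").strip(),
            })
    return entries


def orphaned(entries):
    """BHO registrations whose DLL is missing: HijackThis prints '(no file)'."""
    return [e for e in entries if e["target"].lower() == "(no file)"]


def still_present(fix_list_text, fresh_log_text):
    """CLSIDs from the fix list that still show up in the fresh log."""
    wanted = {e["clsid"] for e in parse_bho_lines(fix_list_text)}
    present = {e["clsid"] for e in parse_bho_lines(fresh_log_text)}
    return sorted(wanted & present)


if __name__ == "__main__":
    for e in orphaned(parse_bho_lines(FIX_LIST)):
        print("orphaned BHO:", e["clsid"])
    leftovers = still_present(FIX_LIST, FRESH_LOG)
    print("still registered after fix:", leftovers or "none")
```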

#7 lucyd88

Posted 11 January 2009 - 12:12 PM

Thanks so much. I don't know how relevant this is, but just to let you know - web pictures are back to being blurry again with the "shift + r improves the quality of this image" message.

Here is the combofix log:

ComboFix 09-01-08.04 - Lucy Doyle 2009-01-10 18:21:26.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.138 [GMT 0:00]
Running from: c:\documents and settings\Lucy Doyle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lucy Doyle\Desktop\CFScript.txt
AV: Norton Internet Security 2006 *On-access scanning disabled* (Outdated)
FW: Norton Internet Security 2006 *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\LUCYDO~1\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Lucy Doyle\Application Data\LimeWire
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\.AppSpecialShare\Ministry Of Sound - Pump It Up Workout MUSIC DVD.torrent
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\.AppSpecialShare\Nell Mcandrew - Maximum Impact.torrent
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\downloads.dat
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\filters.props
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\gnutella.net
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\installation.props
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\library.dat
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\limewire.props
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\mojito.props
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\questions.props
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\responses.cache
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\simpp.xml
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\spam.dat
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\tables.props
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\logo.png
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\notsearching.png
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\searching.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\version.xml
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\versions.props
c:\documents and settings\Lucy Doyle\Application Data\LimeWire\xml\data\audio.sxml2
c:\windows\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-09 16:58 . 2009-01-09 16:59 <DIR> d-------- c:\program files\iTunes
2009-01-09 16:58 . 2009-01-09 16:58 <DIR> d-------- c:\program files\iPod
2009-01-09 16:58 . 2009-01-09 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-09 16:55 . 2009-01-09 16:55 <DIR> d-------- c:\program files\Bonjour
2009-01-09 16:54 . 2009-01-09 16:55 <DIR> d-------- c:\program files\QuickTime
2009-01-09 16:13 . 2009-01-09 16:13 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-09 16:13 . 2009-01-09 16:13 1,409 --a------ c:\windows\QTFont.for
2009-01-08 20:38 . 2009-01-08 20:37 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-08 20:38 . 2009-01-08 20:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-03 17:12 . 2009-01-03 20:07 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-03 15:38 . 2009-01-03 15:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 15:38 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 15:38 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-12 11:41 . 2008-12-12 11:41 736 --a------ c:\windows\SamsungMaster.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 14:21 45,332 ----a-w c:\documents and settings\Lucy Doyle\Application Data\wklnhst.dat
2009-01-09 19:56 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-09 19:55 --------- d-----w c:\program files\DivX
2009-01-09 16:58 --------- d-----w c:\program files\Common Files\Apple
2009-01-09 13:22 --------- d-----w c:\program files\Lx_cats
2009-01-08 20:37 --------- d-----w c:\program files\Java
2009-01-06 16:28 --------- d-----w c:\program files\FriendBlasterPro
2009-01-03 16:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 15:26 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-31 13:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 13:12 --------- d-----w c:\program files\TOSHIBA
2008-12-12 13:42 --------- d-----w c:\program files\Steinberg
2008-12-12 13:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 11:41 --------- d-----w c:\program files\Samsung
2008-12-04 14:53 --------- d-----w c:\program files\WP-S1 PCSync
2008-12-04 14:40 --------- d-----w c:\program files\MP3 Player Utilities 3.57
2008-11-18 19:27 --------- d-----w c:\program files\Microsoft Works
2008-11-13 21:30 --------- d-----w c:\program files\EA GAMES
2008-11-13 21:18 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-11-13 21:18 --------- d-----w c:\program files\Yahoo!
2008-11-13 20:54 --------- d-----w c:\program files\Google
2008-08-20 07:50 7,333,224 -c--a-w c:\program files\Firefox Setup 3.0.1.exe
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_13.43.38.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-09 17:00:03 102,400 ----a-r c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2009-01-09 16:55:58 86,016 ----a-r c:\windows\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe
+ 2008-08-29 10:18:58 87,336 ----a-w c:\windows\system32\dns-sd.exe
+ 2008-08-29 09:53:50 61,440 ----a-w c:\windows\system32\dnssd.dll
+ 2008-11-07 14:23:30 32,000 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
+ 2008-11-06 16:35:00 1,044,480 ----a-w c:\windows\system32\libdivx.dll
- 2008-12-16 20:59:37 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-01-09 20:34:39 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-11-06 16:35:00 200,704 ----a-w c:\windows\system32\ssldivx.dll
+ 2006-12-01 22:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 22:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 22:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-20 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-21 1077330]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2006-04-12 638976]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 28672]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 65536]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2006-04-04 53248]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 52840]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-28 262144]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-10-06 360448]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-11-03 26112]
"DataCardMonitor"="c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe" [2008-11-06 253952]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 c:\windows\RTHDCPL.exe]
"TPSMain"="TPSMain.exe" [2005-08-11 c:\windows\system32\TPSMain.exe]
"Zooming"="ZoomingHook.exe" [2005-06-06 c:\windows\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2006-01-03 c:\windows\system32\TCtrlIOHook.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 c:\windows\agrsmmsg.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Lucy Doyle\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2006-11-03 241664]
WTGU.lnk - c:\program files\T-Mobile\web'n'walk Manager\WTGU.exe [2008-11-06 857544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-29 17:52 352256 c:\documents and settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\documents and settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2006-11-30 102712]
R4 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-04-18 98816]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7eacbbab-c641-11dd-ba03-0016d42a656a}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7eacbbac-c641-11dd-ba03-0016d42a656a}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{80fcbc52-ac5b-11dd-b9b7-0016d42a656a}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-09 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Lucy Doyle.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: bmnet.dll

c:\windows\Downloaded Program Files\FlyLoader.dll - O16 -: {48DF87EE-F2DE-11D8-BE7F-302050C10801}
hxxp://www.flysuite.com/flyword/loaderword_win.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 18:27:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
DataCardMonitor = c:\program files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe?rs\CancelAutoplay\CLSID?dows_NT?? ?????????????????????SOFTWARE\Microsoft\Windows\CurrentVersion\Run?am ???????????OCUME~1\LUCYDO~1\LOCALS~1\Temp\DataCardPM32.tmp?me\QTSystem\;C:\Prog?? ????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\documents and settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\DDWMon.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\TODDSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Messenger\msmsgs.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-01-10 18:35:57 - machine was rebooted [Lucy Doyle]
ComboFix-quarantined-files.txt 2009-01-10 18:35:51
ComboFix2.txt 2009-01-09 13:45:49

Pre-Run: 348,106,752 bytes free
Post-Run: 351,117,312 bytes free

283 --- E O F --- 2008-12-27 00:05:17


Here is the kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 11, 2009 14:04:36
Records in database: 1602813
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 88989
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:13:08


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54603D3D.EXE Infected: Email-Worm.Win32.Rays.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E403F63.doc Infected: Virus.MSWord.Thus.ew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F262073.exe Infected: Email-Worm.Win32.Rays.c 1
C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\setupxv.exe Infected: not-a-virus:FraudTool.Win32.SpywareStop.b 1
C:\Documents and Settings\Lucy Doyle\Shared\01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.l 1

The selected area was scanned.



And here is the new hijack this log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:37, on 11/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\lxcfcoms.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
C:\Program Files\Hijack\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WTGU.lnk = C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite....derword_win.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.su...ows-i586-jc.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 15595 bytes

#8 Rocket Grannie

Posted 11 January 2009 - 05:28 PM

Hello lucyd88

> web pictures are back to being blurry again with the "shift + r improves the quality of this image"


This message is being generated by Firefox.
Apparently, the blurry pictures are caused by image compression through your service provider.
Please go here for some general information.

Now, back to the fix.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

First of all, let’s get rid of the five infections Kaspersky is flagging.

Now you need to delete the infected files in your Norton AntiVirus Quarantine.
Go to this page and follow the directions for emptying Quarantine for your version of Norton Antivirus:
Removing files from Norton AntiVirus Quarantine

Click Start>>Search>>select All Files and Folders.
Under More Advanced Options, check the following options:

  • Search system folders.
  • Search hidden files and folders.
  • Search subfolders.

Copy/Paste each of the following file names into the All or part of the file name box, search for each one and delete if they are found.

  • setupxv.exe
  • 01 Track 1.wma


Please download: CCleaner
Run the installer, and UNcheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
  • Double-click CCleaner
  • Click the Windows tab
  • The following should be selected by default, if not, please select:
    Posted Image
  • Click Options
  • Click the Advanced tab
  • Uncheck: Only delete files in Windows Temp folders older than 48 hrs
  • Click Cleaner (The picture of a broom)
  • Click Run Cleaner (bottom right)
  • A warning will pop-up. Click OK
  • Exit
Please post a fresh HJT log, and let me know if any problems remain.


Rocket Grannie
My help is free however if you wish to make a donation please see Here

#9 lucyd88

Posted 12 January 2009 - 06:13 PM

Thanks for your help, here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:04:12, on 13/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
C:\Program Files\T-Mobile\web'n'walk Manager\bmctl.exe
C:\Program Files\T-Mobile\web'n'walk Manager\bmop.exe
C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\T-Mobile\web'n'walk Manager\DataCardMonitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WTGU.lnk = C:\Program Files\T-Mobile\web'n'walk Manager\WTGU.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...shUKActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} (FlyLoader Class) - http://www.flysuite....derword_win.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.su...ows-i586-jc.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photob...ploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82CC7D2F-10AF-4A6C-9034-535B9BDDC026}: NameServer = 149.254.192.126 149.254.201.126
O20 - Winlogon Notify: !SASWinLogon - C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 16440 bytes
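
The two HijackThis logs posted so far differ in only a few entries, which is hard to see by eye. The following is an added example, not part of the original thread and not HijackThis's own code: it parses entry lines by section code and reports what appeared or disappeared between two scans. The sample inputs are abridged excerpts of the logs above; the function names and section labels are this example's own.

```python
import re
from collections import Counter

# HijackThis entry lines begin with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - ". Header lines and the running-process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Short labels (this example's wording) for the sections seen in this thread's logs.
SECTION_NOTES = {
    "R0": "IE start/search page setting", "R1": "IE start/search page setting",
    "R3": "URLSearchHook", "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O9": "IE extra button/menu item",
    "O10": "Winsock LSP", "O16": "ActiveX download (DPF)",
    "O17": "DNS/name server setting", "O20": "Winlogon Notify", "O23": "service",
}

# Abridged excerpt of the earlier log in this thread (entries copied as posted).
OLD_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
--
End of file - 15595 bytes
"""

# Abridged excerpt of the log posted on 13/01/2009 (entries copied as posted).
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{82CC7D2F-10AF-4A6C-9034-535B9BDDC026}: NameServer = 149.254.192.126 149.254.201.126
--
End of file - 16440 bytes
"""


def parse_entries(log_text):
    """Count (code, body) entries; a Counter keeps repeated lines such as O10."""
    entries = Counter()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries[(match.group("code"), match.group("body").strip())] += 1
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed) entry lists, respecting how often a line repeats."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    added = sorted((new - old).elements())
    removed = sorted((old - new).elements())
    return added, removed


def describe(entry):
    """Format one entry with a short label for its section."""
    code, body = entry
    return f"{code} [{SECTION_NOTES.get(code, 'other section')}] {body}"


if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for entry in added:
        print("+", describe(entry))
    for entry in removed:
        print("-", describe(entry))
```

A new entry is only a prompt to identify what installed it; whether it is wanted still has to be judged entry by entry.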

#10 Rocket Grannie

Posted 13 January 2009 - 01:23 AM

Hello lucyd88

Well done! Your logs appear to be clean.

Now, we need to uninstall ComboFix.
To uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click OK

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections.
Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.
As happy as we at SWI are to help you, for your sake we would rather not have repeat customers.

Note: All of the programs I am suggesting are either free or have free versions.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

For help to install IE-Spyad, please go here

Please make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware from being installed.
Please set your anti-virus and anti-spyware programs to check for updates automatically. If the programs are not able to update automatically, then I suggest you manually check for updates every few days.

Windows needs to be kept up-to-date.

IMPORTANT: Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

PLEASE NOTE:

A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.


Hopefully this should take care of your problems!

Safe Surfing:

Rocket Grannie.

#11 lucyd88

Posted 13 January 2009 - 11:44 AM

Thanks so much for all of your help. Just one little thing: how do I uninstall ComboFix? After going to Start, Run and typing in ComboFix /u, a message asks if I want to run it. Wasn't sure whether to do that...

Lucy

#12 Rocket Grannie

Posted 13 January 2009 - 11:06 PM

Hello lucyd88

> Thanks so much for all of your help


You are welcome.

> how do i uninstall combofix? After going to start, run and typing in ComboFix /u, a message asks if I want to run it? Wasn't sure whether to do that...


Yes, please click “Yes” and it should uninstall.

Please don’t forget the space between ComboFix and /u.


Rocket Grannie

#13 Rocket Grannie

Posted 22 January 2009 - 02:27 PM

Since this issue appears resolved ... this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.

#14 cnm

Posted 24 January 2009 - 01:07 PM

Reopened at request of topic owner.
Microsoft MVP Windows Security 2005-2006

#15 Rocket Grannie

Posted 24 January 2009 - 06:21 PM

Hello lucyd88

How can I help you?


Rocket Grannie

#16 lucyd88

Posted 25 January 2009 - 12:42 PM

Hi again,
Well unfortunately, I'm having the same problem as before. My computer was fine for about a week, but then the low disk message started appearing again.
Appreciate your help,
Lucy

#17 Rocket Grannie

Posted 25 January 2009 - 01:18 PM

Hello lucyd88

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

In Internet Explorer, please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your Desktop.
  • Copy and Paste that information in your next post.
To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Now, download ATF Cleaner
Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

  • Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.
  • Double click on RSIT.exe
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Edited by Rocket Grannie, 25 January 2009 - 01:20 PM.


#18 lucyd88

Posted 28 January 2009 - 10:28 AM

Hi, thanks for getting back to me.
Unfortunately, it won't let me do the Kaspersky scan. After I pressed 'accept', a message kept coming up saying:

Program has failed to start. Program has failed to start. Close the kaspersky online scanner 7.0 window and open it again to install the program.
[Error: java.security.priveleged action exception: java.io.exce[tion: There is not enough space on the disk].]

Should I go onto the next step and try to download ATF cleaner?

Regards,
Lucy

#19 Rocket Grannie

Posted 28 January 2009 - 12:33 PM

Hello lucyd88

Should I go onto the next step and try to download ATF cleaner?


No. Time to change tactics.

The virus will keep eating up your disk space.
We need to kill it----again, then discover how it regenerated.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Please navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Macro Virus

Locate and delete this folder using Windows Explorer. (if present.)

C:\Program Files\MacroVirus <<< this folder

Now, navigate to C:\Documents and Settings\Lucy Doyle\Application Data
Delete everything in the Application Data folder.
If a file cannot be deleted, skip it and go on to the next one.

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
Please let me know if you are still getting the low disk space warnings.


Rocket Grannie

#20 lucyd88

Posted 31 January 2009 - 06:43 PM

Thanks for the instructions. There was no macro virus, and the Kaspersky scanner didn't find any threats but I'm still getting the low disk space message.

Here is the report:

Scan
----
Scanned: 445066
Detected: 0
Untreated: 0
Start time: 31/01/2009 21:10:41
Duration: 02:29:05
Finish time: 31/01/2009 23:39:46


Detected
--------
Status Object
------ ------

#21 Rocket Grannie

Posted 01 February 2009 - 12:38 AM

Hello lucyd88

Okay, let’s see what's taking up that space on your computer.

Download, install, and run DiskData (http://www.diskdata.com/web/Overview.html).

Please post the log back here to me.

Navigate to Local Disc (C:) right click Properties, and tell me what is written beside Free Space: Used Space.


Rocket Grannie

#22 lucyd88

Posted 01 February 2009 - 08:06 AM

Thank you.

I'm a bit confused as to how to use it though. Should I scan each individual drive? (c: d: e: [web'n'walk] and f:)
And is there anything I need to tick/untick in the options menu?

Web'n'walk is my mobile internet, which has stopped working recently. It says "init fail!" when I try to open it so I'm having to 'piggy back' off a wireless connection. Thought I'd mention that, in case it's relevant to the virus.

#23 Rocket Grannie

Posted 01 February 2009 - 04:14 PM

Hello lucyd88

Your logs appear to be clean so the problem is not malware related.

It says "init fail!" when I try to open it


This is a hardware problem.

Please uninstall DiskData

Now, reset System Restore.

To delete all existing Restore Points:
  • Click Start
  • Click Control Panel
  • Double Click System
  • Click System Restore tab
  • Check Mark Turn off System Restore
  • Click Apply
    When you see the confirmation message, click Yes. That will erase all restore points.

    Please wait a few moments before turning it back on.

    To Re-Enable System Restore:
  • Remove the check you placed beside Turn off System Restore, and click apply.
    When you see the confirmation message, click Yes. This will turn System Restore back on.
  • In the Disk space usage box, move the slider to the left until it reads 3%
  • Click Apply
  • Click OK
Now, navigate to Local Disc (C:) right click Properties, and tell me what is written beside Free Space: Used Space.



Rocket Grannie

#24 lucyd88

Posted 01 February 2009 - 06:16 PM

Thanks Rocket Grannie.

Beside used space, it says 40,003,518,464 bytes 37.2 GB
Beside free space, it says 4,210,688 bytes 4.01 MB

Lucy

#25 Rocket Grannie

Posted 01 February 2009 - 09:39 PM

Hello lucyd88

For the size of your hard drive, the recommended minimum is about 6GB of free space.

Unless you can free up some space your computer will stop working.

The average computer with Windows XP should use between 8GB and 10GB

Please go here and download TreeSize Free.

This program will show you which files/folders are taking up all the space.

I also suggest you run Disk Cleanup and Disk Defragmenter. (if you can)
And clear your Internet cache.

When you are finished, please mark down used and free space again.
Then read it again after a few hours to see if it has changed significantly.
Please post those readings back here to me.


Rocket Grannie

Edited by Rocket Grannie, 02 February 2009 - 02:43 AM.


#26 lucyd88

Posted 03 February 2009 - 11:14 AM

Thanks Rocket Grannie.
I deleted as much as I could, although there are so many files that I haven't got a clue what they are!

Beside used space, it now says 35,197,349,888 bytes 32.7GB
Beside free space, it now says 4,810,379,264 bytes 4.47 GB

Lucy

#27 Rocket Grannie

Posted 03 February 2009 - 06:16 PM

Hello lucyd88

That’s excellent. We went from 4MB to 4GB.

However, I need you to talk to me please.

I need to know what is happening with the computer.

Did you run Disk Cleanup and Disk Defragmenter, and clear your Internet cache?

Did you reset Restore Points and change System Restore to 3%?

Is the free space remaining constant or is it falling?
Does it fall at a constant rate or is it a sudden fall?

Reset TreeSize index to show the largest to the smallest.
Take a screenshot of the first page, and post the URL link back here to me.

There is a worm that causes exactly these symptoms.
And even though your logs appear to be clean, I would like to run a tool that will kill it, if it is on the computer.

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site in Safe Mode.

Please download SDFix by AndyManchesta and save it to your Desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • This is the drive that contains the Windows Directory, typically C:\SDFix.
Do NOT run it yet.

Now, restart your computer, and just before Windows begins to load, please tap F8, then highlight Safe Mode on the list and press Enter

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the computer.
  • When the computer restarts, the Fixtool will run again and complete the removal process then display Finished
  • Press any key to end the script and load your Desktop icons.
  • Once the Desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy/Paste the contents of the results file Report.txt in your next reply.
    And let me know how the free space is going.


Rocket Grannie

#28 lucyd88

Posted 04 February 2009 - 08:16 AM

Hi Rocket Grannie,

Yes, I ran Disk Cleanup and Disk Defragmenter, cleared my internet cache, reset restore points and changed system restore to 3%.

The free space so far has remained constant.

Here is the link for the screenshot of treesize:

http://s730.photobuc...=screenshot.jpg

Here is the SDfix report:

SDFix: Version 1.240
Run by Administrator on 04/02/2009 at 13:56

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\zetasvrfgce.exe - Deleted
C:\WINDOWS\zetjmnefwqh.exe - Deleted
C:\WINDOWS\zetuhxdafgn.exe - Deleted
C:\WINDOWS\zetzfhjbnud.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 14:04:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00008d87
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8825378D-AE0D-4C49-979C-CD9E805B6596}]
"LeaseObtainedTime"=dword:4989a05a
"T1"=dword:4989a186
"T2"=dword:4989a267
"LeaseTerminatesTime"=dword:4989a2b2
"DhcpRetryTime"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{8825378D-AE0D-4C49-979C-CD9E805B6596}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:4989a05a
"T1"=dword:4989a186
"T2"=dword:4989a267
"LeaseTerminatesTime"=dword:4989a2b2

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 15 Oct 2008 633,632 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Wed 30 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 26 Oct 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 7 Aug 2008 1,024 A..H. --- "C:\System Volume Information\_restore{17A4E34B-B0F7-41F0-9E0F-14EE907186CC}\RP25\A0003643.sys"
Mon 26 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Documents and Settings\Lucy Doyle\Desktop\Downloads\Spybot - Search & Destroy\TeaTimer.exe"

Finished!

Thanks,
Lucy
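
The catchme section of the SDFix report above lists dword values under the Tcpip interface key. As an added example (not part of lucyd88's post and not SDFix or catchme code), this Python script parses those lines and decodes the dwords as Unix-epoch seconds, which is how the Windows DHCP client stores lease times, then checks that they describe a consistent lease around the scan time. The function names are hypothetical, and the scan timestamp is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Lines copied from the catchme section of the SDFix report in post #28.
CATCHME_EXCERPT = r'''
Rootkit scan 2009-02-04 14:04:34
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00008d87
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8825378D-AE0D-4C49-979C-CD9E805B6596}]
"LeaseObtainedTime"=dword:4989a05a
"T1"=dword:4989a186
"T2"=dword:4989a267
"LeaseTerminatesTime"=dword:4989a2b2
"DhcpRetryTime"=dword:00000000
'''

SCAN_RE = re.compile(r'^Rootkit scan (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
LEASE_VALUES = ("LeaseObtainedTime", "T1", "T2", "LeaseTerminatesTime")


def parse_catchme(text):
    """Return (scan_time, {registry_key: {value_name: int}})."""
    scan_time, keys, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SCAN_RE.match(line):
            # Assumption: the log's local clock equals UTC.
            scan_time = datetime.strptime(
                m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        elif m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return scan_time, keys


def lease_summary(values, scan_time):
    """Decode the lease dwords as epoch seconds and check DHCP consistency."""
    obtained, t1, t2, expires = (values[name] for name in LEASE_VALUES)
    length = expires - obtained
    ordered = length > 0 and obtained <= t1 <= t2 <= expires
    obtained_dt = datetime.fromtimestamp(obtained, tz=timezone.utc)
    gap = None if scan_time is None else int((scan_time - obtained_dt).total_seconds())
    return {
        "obtained": obtained_dt,
        "expires": datetime.fromtimestamp(expires, tz=timezone.utc),
        "lease_seconds": length,
        "t1_fraction": (t1 - obtained) / length if ordered else None,
        "t2_fraction": (t2 - obtained) / length if ordered else None,
        "seconds_before_scan": gap,
        "ordered": ordered,
    }


def analyse(text=CATCHME_EXCERPT):
    """Summarise every listed key that carries all four lease values."""
    scan_time, keys = parse_catchme(text)
    return {key: lease_summary(vals, scan_time)
            for key, vals in keys.items()
            if all(name in vals for name in LEASE_VALUES)}


if __name__ == "__main__":
    for key, s in analyse().items():
        print(key)
        print(f"  lease {s['obtained']:%Y-%m-%d %H:%M:%S} -> {s['expires']:%H:%M:%S} UTC "
              f"({s['lease_seconds']} s), T1 at {s['t1_fraction']:.1%}, T2 at {s['t2_fraction']:.1%}")
        print(f"  obtained {s['seconds_before_scan']} s before the scan timestamp")
```

A lease that decodes to a plausible window around the scan time, with T1 and T2 at the DHCP default 50% and 87.5% marks, is volatile network state that changes on every renewal. The report's own summary lists 0 hidden processes, services and files.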

#29 Rocket Grannie

Posted 04 February 2009 - 04:02 PM

Hello lucyd88

Your problem is your Documents and Settings folder.
The size of my Documents and Settings folder is 1.22GB
The size of your Documents and Settings folder is 25GB

Navigate to your D&S folder, open each user’s account, and delete whatever is no longer necessary.
Such as: Under Applications Data you may find references to old programs which are no longer installed on the computer.

If you are unsure about deleting a file, give it a different extension----Lucy.exe change it to Lucy.old
If there is no problem with running the computer, it is safe to delete that file.
If it causes a problem, change the file back to its original name---Lucy.exe

Please don’t delete any Windows or System files.

When you are finished, reboot the computer, and let me know what problems remain.


Rocket Grannie

#30 Rocket Grannie

Posted 14 February 2009 - 12:42 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.