Trojan-Spy.HTML; Trojan-Spy.win32.Zbot; Trojan.Win32.small.aarn; not-a

hello Lorrie_W

welcome to geekstogo

could you post the Rooter.txt log and the OTListIt2 Logs in reply to this thread as detailed on this page here starting at Step Five: Rootkit Detection.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Hi Andrew,
Thanks so much for your help!

I had trouble with both Rooter and OTListIt. Rooter would act like it was checking for a disk, then freeze or if I managed to get it past that point would scan for a very quick moment and then again freeze, never popping up a notebook window at all. I did find the root.txt document and what there is of it I will paste below.

OTListIt generated the following error on each attempt:
"Access violation at address 004045B4 in module OTListIt2.exe. Read of address 00000000.

I appreciate your help more than I can express!!!

Rooter Log:
Microsoft Windows XP Professional (5.1.2600) Service Pack 2

C:\ [Fixed] - NTFS - (Total:232981 Mo/Free:2681 Mo)
D:\ [Fixed] - FAT32 - (Total:5480 Mo/Free:3483 Mo)
E:\ [CD-Rom] (Total:174 Mo/Free:0 Mo)
F:\ [Removable] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
K:\ [Fixed] - FAT32 - (Total:238414 Mo/Free:2285 Mo)

Thu 04/30/2009|15:24

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Avira\AntiVir Desktop\sched.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Digital Media Reader\readericon45G.exe
---------- C:\Program Files\QuickTime\qttask.exe
---------- C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
---------- C:\WINDOWS\system32\igfxtray.exe
---------- C:\WINDOWS\system32\igfxpers.exe
---------- C:\WINDOWS\explorer.exe
---------- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
---------- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
---------- C:\WINDOWS\arservice.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\WINDOWS\eHome\ehRecvr.exe
---------- C:\WINDOWS\eHome\ehSched.exe
---------- C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Kodak\AiO\center\KodakSvc.exe
---------- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Viewpoint\Common\ViewpointService.exe
---------- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
---------- C:\WINDOWS\ehome\mcrdsvc.exe
---------- C:\WINDOWS\system32\imapi.exe
---------- C:\WINDOWS\system32\dllhost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\WINDOWS\system32\wuauclt.exe
---------- C:\Program Files\Kodak\AiO\PrinterDriver\i386\EKIJ5000MUI.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!

====STEP 1====
Please run the MGA Diagnostic Tool and post back the report it shall produce:

• Download MGADiag to your desktop.
• Double-click on MGADiag.exe to launch the program
• Click "Continue"
• Ensure that the "Windows" tab is selected (it should be by default).
• Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
• Paste the MGA Diagnostic Report back here in your next reply.

====STEP 2====
Click here to download HJTInstall.exe

• Save HJTInstall.exe to your desktop.
• Doubleclick on the HJTInstall.exe icon on your desktop.
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed, it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Pasted from MGA:
Diagnostic Report (1.9.0006.1):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-FV9MY-C68YK-JPJ36
Windows Product Key Hash: uakrz1+qrPq09hMi8GQpOvK271Q=
Windows Product ID: 76487-OEM-2283841-29346
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.2.0.med
ID: {EF6C9E62-4907-4C47-98EA-E8BD6B157096}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.5.512.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Standard Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{EF6C9E62-4907-4C47-98EA-E8BD6B157096}</UGUID><Version>1.9.0006.1</Version><OS>5.1.2600.2.00010100.2.0.med</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-JPJ36</PKey><PID>76487-OEM-2283841-29346</PID><PIDType>3</PIDType><SID>S-1-5-21-3446352966-3102448826-3494502117</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>D945GCZ_</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>NT94510J.86A.1616.2005.0708.1742</Version><SMBIOSVersion major="2" minor="3"/><Date>20050708000000.000000+000</Date><SLPBIOS>Gateway,Gateway,Gateway,Gateway</SLPBIOS></BIOS><HWID>3CF9347F0184E07C</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Gateway</name><model>GT5263E</model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>5D4C94C0F82306C</Val><Hash>K2n4SaBZ1AzSgD8fVjmAkRJZ71g=</Hash><Pid>70141-054-7945386-56396</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: no
Marker string from BIOS: N/A
Marker string from OEMBIOS.DAT: Gateway,Gateway,Gateway,Gateway

OEM Activation 2.0 Data-->
N/A

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:23 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Owner.Lorrie-Office\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [eligmini] C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\OWNER~1.LOR\LOCALS~1\Temp\2009429232915_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\OWNER~1.LOR\LOCALS~1\Temp\2009429232912_mcinfo.exe /insfin
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.bluemountain.com
O15 - Trusted Zone: http://www.toletownphoto.com
O15 - Trusted Zone: *.webkinz.com
O15 - Trusted IP range: http://66.48.69.102
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://frontier.web...ort/ieatgpc.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10875 bytes

should these be in your trusted domains? i.e. when you go on these sites, you have minimal security

http://www.bluemountain.com
http://www.toletownphoto.com
*.webkinz.com

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

and a new hijackthis log please.

andrewuk

Edited by andrewuk, 01 May 2009 - 05:54 PM.

Hi Andrewuk- here are the log files requested. Thanks so much!!!



ComboFix 09-05-02.4 - Owner 05/02/2009 1:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1569 [GMT -4:00]
Running from: c:\documents and settings\Owner.Lorrie-Office\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner.Lorrie-Office\Application Data\FunWebProducts
D:\Autorun.inf
K:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://download.kodak.com
.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-01 02:05 . 2009-05-01 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-04-30 17:16 . 2009-04-30 19:25 -------- d-----w C:\Rooter$
2009-04-30 15:24 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-30 15:24 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Adobe
2009-04-30 15:20 . 2009-04-30 16:08 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-30 15:20 . 2009-04-30 16:08 -------- d-----w c:\program files\NOS
2009-04-30 03:38 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-30 03:38 . 2009-04-30 03:38 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-30 03:38 . 2009-04-30 03:38 -------- d-----w c:\program files\Avira
2009-04-29 16:33 . 2009-04-29 16:33 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-24 12:23 . 2009-04-24 12:23 -------- d-----w c:\windows\system32\scripting
2009-04-24 12:23 . 2009-04-24 12:23 -------- d-----w c:\windows\l2schemas
2009-04-24 12:21 . 2009-04-24 12:23 -------- d-----w c:\windows\ServicePackFiles
2009-04-23 18:00 . 2009-04-25 13:53 -------- d-----w c:\program files\ieSpell
2009-04-15 09:20 . 2009-03-06 14:00 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:20 . 2005-07-26 04:20 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-15 09:20 . 2009-02-06 09:54 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 09:20 . 2009-02-09 10:01 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:20 . 2009-02-06 10:22 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:20 . 2009-02-09 10:01 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:20 . 2009-02-06 09:41 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:20 . 2009-02-09 10:01 728576 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:20 . 2009-02-09 10:01 617984 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:20 . 2009-02-09 10:01 715264 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:19 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 19:08 . 2009-04-08 19:08 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\AOL
2009-04-08 19:07 . 2009-04-08 19:07 -------- d-----w c:\documents and settings\Owner.Lorrie-Office\Local Settings\Application Data\AOL
2009-04-08 17:59 . 2009-04-20 23:35 -------- d-----w c:\documents and settings\Owner.Lorrie-Office\Application Data\CoreFTP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 05:25 . 2008-06-03 06:25 450 ----a-w c:\windows\Tasks\EasyShare Registration RunOnce Task.job
2009-05-02 05:25 . 2006-06-17 09:45 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 01:08 . 2007-01-11 17:31 -------- d-----w c:\program files\Google
2009-04-30 18:08 . 2007-11-06 06:27 -------- d-----w c:\program files\Paint Shop Pro 6
2009-04-30 03:33 . 2008-03-20 10:58 -------- d-----w c:\program files\Citrix
2009-04-30 03:32 . 2007-01-11 17:36 -------- d-----w c:\program files\Gateway Games
2009-04-30 03:30 . 2007-01-11 17:38 -------- d-----w c:\program files\Napster
2009-04-19 02:32 . 2007-11-08 06:01 49 ----a-w c:\windows\wpd99.drv
2009-03-31 18:17 . 2007-11-04 01:41 -------- d-----w c:\program files\AIM6
2009-03-31 18:12 . 2009-03-31 18:12 -------- d-----w c:\program files\Common Files\Software Update Utility
2009-03-31 18:12 . 2009-03-31 18:12 -------- d-----w c:\program files\AIM Toolbar
2009-03-25 01:47 . 2009-03-25 01:45 -------- d-----w c:\program files\Yahoo!
2009-03-21 01:22 . 2009-03-21 01:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-21 01:22 . 2007-01-11 17:35 -------- d-----w c:\program files\Java
2009-03-15 12:31 . 2006-06-19 04:25 63280 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-14 03:02 . 2007-11-06 06:27 -------- d-----w c:\program files\WS_FTP
2009-03-06 14:00 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 14:00 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh(2).dll
2009-03-03 00:18 . 2006-06-17 09:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-06-17 09:23 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2006-06-17 09:23 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-06-17 09:23 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2006-06-17 09:23 401408 ----a-w c:\windows\system32\rpcss(2).dll
2009-02-09 10:01 . 2006-06-17 09:23 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2006-06-17 09:23 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2006-06-17 09:23 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2006-06-17 09:23 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2006-06-17 09:23 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2006-06-17 09:23 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-04 05:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2006-06-17 09:23 55808 ----a-w c:\windows\system32\secur32.dll
2009-02-03 20:08 . 2006-06-17 09:23 55808 ----a-w c:\windows\system32\secur32(2).dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-02 39408]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Conime"="c:\windows\system32\conime.exe" [2004-08-10 27648]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-08 9129984]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"eligmini"="c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe" [2007-03-16 487424]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-19 79448]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ELService"=2 (0x2)
"CarboniteService"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AlertService"=2 (0x2)
"Access Remote PC Service 5.1"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1168537112\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2009-01-19 279960]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2009-01-19 38296]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d290b09d-5751-11dc-a248-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: bluemountain.com\www
Trusted Zone: toletownphoto.com\www
Trusted Zone: webkinz.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 01:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-05-02 1:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 05:32

Pre-Run: 195,913,379,840 bytes free
Post-Run: 196,518,920,192 bytes free

220 --- E O F --- 2009-04-26 11:52







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:17 AM, on 5/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.Lorrie-Office\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [eligmini] C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.bluemountain.com
O15 - Trusted Zone: http://www.toletownphoto.com
O15 - Trusted Zone: *.webkinz.com
O15 - Trusted IP range: http://66.48.69.102
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://frontier.web...ort/ieatgpc.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11519 bytes

Edited by Lorrie_W, 01 May 2009 - 11:38 PM.

====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.




====STEP 2====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d290b09d-5751-11dc-a248-806d6172696f}]

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




====STEP 3====
i want to scan a couple of files i do not recognise:

• Please go to VirSCAN.org FREE on-line scan service
• Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
  
  
  • c:\windows\system32\conime.exe
• Click on the Upload button
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply (you will need to paste the link onto a notepad before you do the other scans below, else the contents of your clipboard will be written over with the new links).

Could you do the same for the following files:

• C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe

====STEP 3====
should these be in your trusted domains? i.e. when you go on these sites, you have minimal security

hxxp://www.bluemountain.com
hxxp://www.toletownphoto.com
*.webkinz.com

In your next reply could i see:
1. the combofix log
2. a new hijackthis log
3. the 2 virscan logs or links
4. the answer to the trusted domains question

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Good day Andrewuk.

I have removed all three sites from my trusted zone. Below are the log files for the requested scans.
Thanks for all you do! =)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:02 AM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\center\KodakSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.Lorrie-Office\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [eligmini] C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://frontier.web...ort/ieatgpc.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11402 bytes








ComboFix 09-05-02.4 - Owner 05/03/2009 3:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1531 [GMT -4:00]
Running from: c:\documents and settings\Owner.Lorrie-Office\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.Lorrie-Office\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-01 02:05 . 2009-05-01 02:05 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-04-30 17:16 . 2009-04-30 19:25 -------- d-----w C:\Rooter$
2009-04-30 15:24 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-30 15:24 . 2009-04-30 15:24 -------- d-----w c:\program files\Common Files\Adobe
2009-04-30 15:20 . 2009-04-30 16:08 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-30 15:20 . 2009-04-30 16:08 -------- d-----w c:\program files\NOS
2009-04-30 03:38 . 2009-03-24 20:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-30 03:38 . 2009-04-30 03:38 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-30 03:38 . 2009-04-30 03:38 -------- d-----w c:\program files\Avira
2009-04-29 16:33 . 2009-04-29 16:33 -------- d-----w c:\program files\EsetOnlineScanner
2009-04-24 12:23 . 2009-04-24 12:23 -------- d-----w c:\windows\system32\scripting
2009-04-24 12:23 . 2009-04-24 12:23 -------- d-----w c:\windows\l2schemas
2009-04-24 12:21 . 2009-04-24 12:23 -------- d-----w c:\windows\ServicePackFiles
2009-04-23 18:00 . 2009-04-25 13:53 -------- d-----w c:\program files\ieSpell
2009-04-15 09:20 . 2009-03-06 14:00 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:20 . 2005-07-26 04:20 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-15 09:20 . 2009-02-06 09:54 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 09:20 . 2009-02-09 10:01 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:20 . 2009-02-06 10:22 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:20 . 2009-02-09 10:01 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:20 . 2009-02-06 09:41 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:20 . 2009-02-09 10:01 728576 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:20 . 2009-02-09 10:01 617984 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:20 . 2009-02-09 10:01 715264 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:19 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 19:08 . 2009-04-08 19:08 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\AOL
2009-04-08 19:07 . 2009-04-08 19:07 -------- d-----w c:\documents and settings\Owner.Lorrie-Office\Local Settings\Application Data\AOL
2009-04-08 17:59 . 2009-04-20 23:35 -------- d-----w c:\documents and settings\Owner.Lorrie-Office\Application Data\CoreFTP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 07:17 . 2006-06-17 09:45 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 18:54 . 2008-06-03 06:25 450 ----a-w c:\windows\Tasks\EasyShare Registration RunOnce Task.job
2009-05-02 01:08 . 2007-01-11 17:31 -------- d-----w c:\program files\Google
2009-04-30 18:08 . 2007-11-06 06:27 -------- d-----w c:\program files\Paint Shop Pro 6
2009-04-30 03:33 . 2008-03-20 10:58 -------- d-----w c:\program files\Citrix
2009-04-30 03:32 . 2007-01-11 17:36 -------- d-----w c:\program files\Gateway Games
2009-04-30 03:30 . 2007-01-11 17:38 -------- d-----w c:\program files\Napster
2009-04-19 02:32 . 2007-11-08 06:01 49 ----a-w c:\windows\wpd99.drv
2009-03-31 18:17 . 2007-11-04 01:41 -------- d-----w c:\program files\AIM6
2009-03-31 18:12 . 2009-03-31 18:12 -------- d-----w c:\program files\Common Files\Software Update Utility
2009-03-31 18:12 . 2009-03-31 18:12 -------- d-----w c:\program files\AIM Toolbar
2009-03-25 01:47 . 2009-03-25 01:45 -------- d-----w c:\program files\Yahoo!
2009-03-21 01:22 . 2009-03-21 01:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-21 01:22 . 2007-01-11 17:35 -------- d-----w c:\program files\Java
2009-03-15 12:31 . 2006-06-19 04:25 63280 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-14 03:02 . 2007-11-06 06:27 -------- d-----w c:\program files\WS_FTP
2009-03-06 14:00 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 14:00 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh(2).dll
2009-03-03 00:18 . 2006-06-17 09:23 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-06-17 09:23 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2006-06-17 09:23 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-06-17 09:23 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2006-06-17 09:23 401408 ----a-w c:\windows\system32\rpcss(2).dll
2009-02-09 10:01 . 2006-06-17 09:23 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2006-06-17 09:23 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2006-06-17 09:23 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2006-06-17 09:23 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2006-06-17 09:23 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2006-06-17 09:23 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-04 05:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2006-06-17 09:23 55808 ----a-w c:\windows\system32\secur32.dll
2009-02-03 20:08 . 2006-06-17 09:23 55808 ----a-w c:\windows\system32\secur32(2).dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_05.29.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 18:54 . 2009-05-02 18:54 16384 c:\windows\Temp\Perflib_Perfdata_8d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2009-04-30 17:14 259696 ----a-w c:\program files\Google\Google Toolbar\GoogleToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2009-05-02 01:09 668656 ----a-w c:\program files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
2008-10-07 19:09 1275176 ----a-w c:\program files\AIM Toolbar\aimtb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
2009-04-30 17:14 470512 ----a-w c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
2009-03-21 01:22 35840 ----a-w c:\program files\Java\jre6\bin\jp2ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
2009-03-21 01:22 73728 ----a-w c:\program files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 10:47 160496 ----a-w c:\progra~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn\yt.dll" [2008-07-28 882416]

[HKEY_CLASSES_ROOT\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"= "c:\windows\system32\ieframe.dll" [2009-02-20 6066176]

[HKEY_CLASSES_ROOT\clsid\{f2cf5485-4e02-4f68-819c-b92de9277049}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-02 39408]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Conime"="c:\windows\system32\conime.exe" [2004-08-10 27648]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-06-08 9129984]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"eligmini"="c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe" [2007-03-16 487424]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-19 79448]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-02-20 233472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"ELService"=2 (0x2)
"CarboniteService"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AlertService"=2 (0x2)
"Access Remote PC Service 5.1"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1168537112\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-01 108289]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [2009-01-19 279960]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\center\KodakSvc.exe [2009-01-19 38296]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\Messenger\msmsgs.exe
IE: {{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\program files\Common Files\System\Ole DB\MSDAIPP.DLL
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://frontier.webex.com/client/T26L/support/ieatgpc.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 03:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1668)
c:\windows\system32\msi.dll
.
Completion time: 2009-05-03 3:21
ComboFix-quarantined-files.txt 2009-05-03 07:21
ComboFix2.txt 2009-05-02 05:32

Pre-Run: 195,167,875,072 bytes free
Post-Run: 196,472,475,648 bytes free

233 --- E O F --- 2009-04-26 11:52










VirSCAN.org Scanned Report :
Scanned time : 2009/01/12 09:58:43 (EST)
Scanner results: All Scanners reported not find malware!
File Name : conime.exe
File Size : 27648 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 054df8f752497c6b74dd7b65cca61132
SHA1 : f4dfd45a4e08f385277a1fde27878fa11eb6cc46
Online report : http://virscan.org/r...3ccd119f20.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090111183159 2009-01-11 5.93 -
AhnLab V3 2009.01.13.00 2009.01.13 2009-01-13 2.46 -
AntiVir 7.9.0.54 7.1.1.101 2009-01-12 1.81 -
Antiy 2.0.18 20090105.1950502 2009-01-05 0.02 -
Authentium 5.1.1 200901101808 2009-01-10 1.13 -
AVAST! 3.0.1 090111-1 2009-01-11 0.01 -
AVG 7.5.52.442 270.10.6/1888 2009-01-12 1.87 -
BitDefender 7.81008.2441579 7.23114 2009-01-12 2.25 -
CA (VET) 9.0.0.143 31.6.6304 2009-01-12 6.09 -
ClamAV 0.94.2 8854 2009-01-12 0.01 -
Comodo 3.0 919 2009-01-12 2.48 -
CP Secure 1.1.0.715 2009.01.11 2009-01-11 6.48 -
Dr.Web 4.44.0.9170 2009.01.12 2009-01-12 3.82 -
ewido 4.0.0.2 2008.12.31 2008-12-31 4.76 -
F-Prot 4.4.4.56 20090112 2009-01-12 1.37 -
F-Secure 5.51.6100 2009.01.12.07 2009-01-12 0.09 -
Fortinet 2.81-3.117 9.918 2009-01-11 0.20 -
GData 19.2395/19.181 20090112 2009-01-12 6.97 -
ViRobot 20090112 2009.01.12 2009-01-12 0.83 -
Ikarus T3.1.01.45 2009.01.12.72139 2009-01-12 4.09 -
JiangMin 11.0.706 2009.01.12 2009-01-12 5.36 -
Kaspersky 5.5.10 2009.01.12 2009-01-12 0.06 -
KingSoft 2008.9.8.18 2009.1.12.20 2009-01-12 2.01 -
McAfee 5.3.00 5492 2009-01-11 3.00 -
Microsoft 1.4205 2009.01.12 2009-01-12 4.64 -
mks_vir 2.01 2009.01.10 2009-01-10 2.67 -
Norman 5.93.01 5.93.00 2009-01-05 6.09 -
Panda 9.05.01 2009.01.11 2009-01-11 9.46 -
Trend Micro 8.700-1004 5.764.03 2009-01-11 0.03 -
Quick Heal 10.00 2008.11.17 2008-11-17 1.11 -
Rising 20.0 21.12.02.00 2009-01-12 2.34 -
Sophos 2.82.1 4.37 2009-01-12 2.16 -
Sunbelt 4756 4756 2009-01-08 0.46 -
Symantec 1.3.0.24 20090111.004 2009-01-11 0.15 -
nProtect 20090112.01 2878121 2009-01-12 5.34 -
The Hacker 6.3.1.2 v00218 2009-01-11 0.99 -
VBA32 3.12.8.10 20090110.1127 2009-01-10 1.52 -
VirusBuster 4.5.11.10 10.100.22/762469 2009-01-11 0.97 -





VirSCAN.org Scanned Report :
Scanned time : 2009/05/03 03:24:30 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : Easy-Link internet launch pad.exe
File Size : 487424 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 2e4cc256808635e58cb41fcdd834612e
SHA1 : dde441d1580446c19bf2f8cf72e9ffd4506d069b
Online report : http://virscan.org/r...7e466624e0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090503080126 2009-05-03 7.94 -
AhnLab V3 2009.05.01.01 2009.05.01 2009-05-01 7.89 -
AntiVir 7.9.0.160 7.1.3.141 2009-05-02 2.05 -
Antiy 2.0.18 20090503.2333071 2009-05-03 0.12 -
Arcavir 2009 200905021130 2009-05-02 0.09 -
Authentium 5.1.1 200905021543 2009-05-02 2.95 -
AVAST! 3.0.1 090502-0 2009-05-02 0.03 -
AVG 7.5.52.442 270.12.11/2089 2009-04-30 2.06 -
BitDefender 7.81008.2901611 7.25164 2009-05-03 2.72 -
CA (VET) 9.0.0.143 31.6.6486 2009-05-02 40.13 -
ClamAV 0.95 9319 2009-05-03 0.09 -
Comodo 3.8 1147 2009-05-02 3.25 -
CP Secure 1.1.0.715 2009.05.03 2009-05-03 8.87 -
Dr.Web 4.44.0.9170 2009.05.03 2009-05-03 4.77 -
F-Prot 4.4.4.56 20090502 2009-05-02 3.12 -
F-Secure 5.51.6100 2009.05.02.01 2009-05-02 0.12 -
Fortinet 2.81-3.117 10.345 2009-05-02 0.63 -
GData 19.4987/19.317 20090503 2009-05-03 3.78 -
ViRobot 20090501 2009.05.01 2009-05-01 2.13 -
Ikarus T3.1.01.49 2009.05.02.72662 2009-05-02 3.02 -
JiangMin 11.0.706 2009.05.03 2009-05-03 10.62 -
Kaspersky 5.5.10 2009.05.03 2009-05-03 0.11 -
KingSoft 2009.2.5.15 2009.5.2.21 2009-05-02 4.10 -
McAfee 5.3.00 5603 2009-05-02 3.24 -
Microsoft 1.4602 2009.05.02 2009-05-02 15.45 -
mks_vir 2.01 2009.05.02 2009-05-02 2.79 -
Norman 6.00.06 6.00.00 2009-04-28 10.01 -
Panda 9.05.01 2009.05.02 2009-05-02 13.36 -
Trend Micro 8.700-1004 6.104.35 2009-05-02 0.03 -
Quick Heal 10.00 2009.05.02 2009-05-02 11.25 -
Rising 20.0 21.27.41.00 2009-05-01 13.72 -
Sophos 2.86.0 4.41 2009-05-03 2.85 -
Sunbelt 5118 5118 2009-05-02 10.29 -
Symantec 1.3.0.24 20090502.002 2009-05-02 2.48 -
nProtect 20090501.01 3562396 2009-05-01 38.63 -
The Hacker 6.3.4.1 v00317 2009-05-01 4.58 -
VBA32 3.12.10.4 20090502.1751 2009-05-02 2.19 -
VirusBuster 4.5.11.10 10.105.13/1315160 2009-05-02 1.84 -

in this post we will do some general scans to clear out the remnants and ensure nothing else sneaked onto your machine.

the scans will likely take 4 hours, quite possibly much longer. so just let them run.


====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 2====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



====STEP 3====
Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

====STEP 4====
Please do an online scan with Kaspersky WebScanner (this will identify any issues, we will clear them in the following post)

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure the following is checked.
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 13.
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

In your next reply could i see:
1. the malwarebytes log
2. the superantispyware log
3. the kaspersky log
4. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Hi Andrewuk- Just a quick question... I already have Malwarebytes installed and use it regularly... should I uninstall and install from the link you gave me to be sure I have the most current? Or should the updater it uses be fine? Thanks! =)

update it and then run it.

Malwarebytes' Anti-Malware 1.36
Database version: 2071
Windows 5.1.2600 Service Pack 2

5/3/2009 8:26:08 PM
mbam-log-2009-05-03 (20-26-08).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|K:\|)
Objects scanned: 350881
Time elapsed: 1 hour(s), 31 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/03/2009 at 09:35 PM

Application Version : 4.26.1002

Core Rules Database Version : 3875
Trace Rules Database Version: 1823

Scan type : Complete Scan
Total Scan Time : 00:55:41

Memory items scanned : 512
Memory threats detected : 0
Registry items scanned : 5681
Registry threats detected : 0
File items scanned : 54367
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Owner.Lorrie-Office\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner.Lorrie-Office\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner.Lorrie-Office\Cookies\owner@tribalfusion[2].txt
C:\Documents and Settings\Owner.Lorrie-Office\Cookies\owner@xiti[1].txt
C:\Documents and Settings\Owner.Lorrie-Office\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner.Lorrie-Office\Cookies\owner@smartadserver[2].txt
C:\Documents and Settings\Owner.Lorrie-Office\Cookies\owner@doubleclick[2].txt





--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 04, 2009 04:41:21
Records in database: 2125641
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
K:\

Scan statistics:
Files scanned: 247058
Threat name: 4
Infected objects: 3
Suspicious objects: 5
Duration of the scan: 03:10:36


File name / Threat name / Threats count
C:\Documents and Settings\Owner.Lorrie-Office\Local Settings\Application Data\Identities\{635ADD3D-5CEF-4046-8DBD-8F7AA70C8272}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Owner.Lorrie-Office\Local Settings\Application Data\Identities\{635ADD3D-5CEF-4046-8DBD-8F7AA70C8272}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\Owner.Lorrie-Office\Local Settings\Application Data\Identities\{635ADD3D-5CEF-4046-8DBD-8F7AA70C8272}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.Win32.Zbot.rxp 1
C:\Qoobox\Quarantine\C\WINDOWS\_swkt_.lws.zip Infected: Trojan.Win32.Small.aarn 1
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.



Thank you for looking at these, I'm so intrigued to see the "what's next"!
Just want to say again how awesome I think it is that you (and the others here) give of your time like this.... I hope your day is full of blessings for it!!

Edited by Lorrie_W, 04 May 2009 - 08:34 AM.

the malwarebytes scan was clean and the superantispyware only found cookies.

the kaspersky scan found some infections in your outlook express. one in the deletebox - so could you empty the delete box; and two in the inbox - though kaspersky does not show which emails they are. hence, see if you can have your antivirus program scan your inbox, and/or delete all mail that you are not sure about and dont open any attachments without scanning them first - personally, i would delete all emails with an attachment where i am not 100% sure of the source. as a rule, i am only 100% sure of the source if i sent it myself.

also, you can have kaspersky scan this folder only C:\Documents and Settings\Owner.Lorrie-Office\Local Settings\Application Data\Identities\{635ADD3D-5CEF-4046-8DBD-8F7AA70C8272}\Microsoft\Outlook Express which will of course be much quicker than scanning the entire computer and should confirm whether you have managed to delete the infected emails.

i am guessing that your machine was infected via your email.


also, how is your machine running now?

Edited by andrewuk, 04 May 2009 - 09:20 AM.