Hi harrythook,
Thanks for your help.
I've been able to remove the prompt "Best Wishes M.A.A.A" on login.
The rest of the problems remain.
Malwarebytes log:
Malwarebytes' Anti-Malware 1.10
Database version: 582
Scan type: Quick Scan
Objects scanned: 29539
Time elapsed: 3 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ComboFix log:
ComboFix 08-04-01.2 - Toshiba 2008-04-02 10:58:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.461 [GMT 5.5:30]
Running from: C:\Documents and Settings\Toshiba\Application Data\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\CMMGR32.EXE
D:\Autorun.inf
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.
2008-04-02 10:50 . 2008-04-02 10:50 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\Malwarebytes
2008-04-02 10:50 . 2008-04-02 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-29 11:54 . 2008-03-31 12:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-29 11:54 . 2008-03-31 11:48 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-29 11:54 . 2008-03-31 11:48 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-29 11:54 . 2008-03-31 11:48 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-28 12:48 . 2008-03-31 11:52 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\UpdateStar
2008-03-27 13:24 . 2008-03-27 13:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-27 12:35 . 2008-03-31 12:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-27 12:35 . 2008-03-27 12:35 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\SUPERAntiSpyware.com
2008-03-27 12:35 . 2008-03-27 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 11:35 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\comdlg32.OCX
2008-03-27 11:35 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-03-17 12:00 . 2008-03-17 12:00 <DIR> d-------- C:\WINDOWS\Sun
2008-03-14 19:25 . 2008-03-14 19:25 19,552 --a------ C:\Documents and Settings\Toshiba\Application Data\GDIPFONTCACHEV1.DAT
2008-03-14 17:42 . 2008-03-29 10:08 115 --a------ C:\WINDOWS\system32\KillAll.bat
2008-03-08 10:15 . 2008-03-08 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-03-08 10:14 . 2008-03-08 10:14 <DIR> d-------- C:\Documents and Settings\Toshiba\Application Data\GRETECH
2008-03-05 17:05 . 2008-03-05 17:05 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-05 17:04 . 2008-03-05 17:04 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-05 17:02 . 2008-03-05 17:03 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-05 17:02 . 2008-03-05 17:02 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-03-05 12:09 . 2008-03-12 10:35 <DIR> d-------- C:\Downloads
2008-03-04 13:21 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-03 12:28 . 2008-03-03 12:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 05:30 8,265,760 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-02 05:30 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\Free Download Manager
2008-04-01 15:30 100,472 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-31 07:01 --------- d-----w C:\Program Files\ZTE CDMA1X CARD
2008-03-31 07:00 --------- d-----w C:\Program Files\Opera
2008-03-29 07:42 --------- d-----w C:\Program Files\Common Files\Webroot Shared
2008-03-27 07:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-13 06:38 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\LimeWire
2008-03-04 08:07 --------- d-----w C:\Program Files\Java
2008-03-03 07:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 07:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-01 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-02-17 06:47 197,120 ----a-w C:\WINDOWS\system32\3-D_Disco_Baby_Demo.scr
2008-02-17 06:35 --------- d-----w C:\Program Files\3D Canyon Flight Screensaver
2008-02-13 13:17 --------- d-----w C:\Program Files\Common Files\Java
2008-02-13 06:23 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\Auslogics
2008-02-12 13:22 --------- d-----w C:\Program Files\PeaZip
2008-02-12 12:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-12 06:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-12 06:01 --------- d-----w C:\Program Files\Yahoo!
2008-02-08 15:10 --------- d-----w C:\Program Files\Webroot
2008-02-08 15:10 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\Webroot
2008-02-08 15:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-02-07 14:57 --------- d-----w C:\Program Files\ZoneAlarmSB
2008-02-07 14:56 --------- d-----w C:\Program Files\Zone Labs
2008-02-07 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-07 13:32 --------- d-----w C:\Program Files\Alwil Software
2008-02-06 12:06 155,995 ----a-w C:\WINDOWS\java\Packages\NVL37V3T.ZIP
2008-02-05 08:25 --------- d-----w C:\Program Files\REALTEK RTL8187B Wireless LAN Driver
2008-02-05 08:25 --------- d-----w C:\Documents and Settings\Toshiba\Application Data\InstallShield
2008-02-05 08:23 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-02-05 08:23 --------- d-----w C:\Program Files\Realtek
2008-02-05 08:19 --------- d-----w C:\Program Files\ltmoh
2008-02-05 08:18 --------- d-----w C:\Program Files\Intel
2008-02-05 08:01 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-07 20:27 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-02-07 20:27 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-02-07 20:27 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-11-26 14:47 1206600]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Free Download Manager"="E:\Program Files\Free Download Manager\fdm.exe" [2008-02-25 21:17 2465839]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"UpdateStar"="C:\Documents and Settings\Toshiba\Application Data\UpdateStar\UpdateStar.exe" [2008-03-25 15:45 4108976]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-24 12:09 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-24 12:09 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-24 12:09 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 15:40 16384512 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-11-06 15:40 1826816 C:\WINDOWS\SkyTel.exe]
"CDMA1X CARD"="C:\Program Files\ZTE CDMA1X CARD\Startup.exe" [2005-05-30 08:56 122880]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 18:30 79224]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"avgnt"="E:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileMenu"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\ODIN\\DIET\\DietOdin.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Program Files\\LimeWire\\LimeWire.exe"=
R1 oxser;OX16C95x Serial port driver;C:\WINDOWS\system32\DRIVERS\oxser.sys [2005-02-20 17:37]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2008-01-24 12:09]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-04-02 11:00:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-02 11:00:48
ComboFix-quarantined-files.txt 2008-04-02 05:30:45
Pre-Run: 28,515,680,256 bytes free
Post-Run: 28,495,085,568 bytes free
.
2008-03-12 09:21:37 --- E O F ---
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:40 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
E:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Toshiba\Application Data\UpdateStar\UpdateStar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ZTE CDMA1X CARD\PcmciaApp.exe
C:\Program Files\Opera\Opera.exe
C:\TradeAnywhere\TradeAnywhere.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - E:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [CDMA1X CARD] C:\Program Files\ZTE CDMA1X CARD\Startup.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Free Download Manager] "E:\Program Files\Free Download Manager\fdm.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UpdateStar] C:\Documents and Settings\Toshiba\Application Data\UpdateStar\UpdateStar.exe -A
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://E:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://E:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{375D8B12-A8D6-4395-9D7A-A1F434A52594}: NameServer = 202.138.97.193 202.138.96.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Documents and Settings\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 6659 bytes
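As an added example (not part of the post above, and not code from HijackThis, ComboFix or Malwarebytes), here is a small triage script of the kind a helper in a thread like this runs over a HijackThis log before reading it by hand. It parses the O4 (Run keys), O17 (registry DNS servers), O20 (Winlogon notify DLLs) and O23 (services) lines and flags the entries that deserve a manual check: services whose binary is reported missing, services with no recorded owner, images that run from the profile root or from a per-user Application Data folder, Run entries that name a bare filename resolved via the PATH search, and the configured DNS servers. The sample lines are copied verbatim from the log above; the regexes, the heuristics and their wording are my own assumptions, and a hit means "verify this", not "this is malicious".

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [UpdateStar] C:\Documents and Settings\Toshiba\Application Data\UpdateStar\UpdateStar.exe -A
O17 - HKLM\System\CCS\Services\Tcpip\..\{375D8B12-A8D6-4395-9D7A-A1F434A52594}: NameServer = 202.138.97.193 202.138.96.2
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Documents and Settings\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - E:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Line shapes as they appear in HijackThis 2.0 output (patterns are my own, written for the lines above).
ENTRY_RE = re.compile(r"^O(?P<sec>\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# The "(short name)" part is omitted by HijackThis when it equals the display name.
SVC_RE = re.compile(r"^Service: (?P<desc>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

Finding = Tuple[str, str, str]  # (section, subject, reason)


def image_of(cmd: str) -> str:
    """Extract the image path from a Run-key command line (quoted or unquoted, with or without arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)^(.+?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def classify_path(path: str) -> List[str]:
    """Return reasons an image path deserves a second look. Heuristics, not verdicts."""
    reasons = []
    low = path.lower()
    if "\\" not in low:
        reasons.append("bare filename: resolved by PATH search, verify which copy actually runs")
    if re.match(r"^[a-z]:\\documents and settings\\[^\\]+$", low):
        reasons.append("executable placed directly under the profiles root")
    if "\\application data\\" in low:
        reasons.append("executable runs from a per-user Application Data folder")
    return reasons


def triage(log: str) -> List[Finding]:
    """Parse HijackThis O4/O17/O20/O23 lines and return the entries worth checking by hand."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "4":
            r = RUN_RE.match(body)
            if r:
                img = image_of(r.group("cmd"))
                for why in classify_path(img):
                    findings.append(("O4", f"{r.group('hive')} Run [{r.group('name')}] -> {img}", why))
        elif sec == "17":
            d = DNS_RE.search(body)
            if d:
                findings.append(("O17", d.group("servers"),
                                 "DNS servers set in the registry: confirm they belong to the user's ISP"))
        elif sec == "20":
            n = NOTIFY_RE.match(body)
            if n:
                findings.append(("O20", f"{n.group('name')} -> {n.group('path')}",
                                 "Winlogon notify DLL loads at every logon: confirm the vendor"))
        elif sec == "23":
            s = SVC_RE.match(body)
            if s:
                path = s.group("path")
                subject = f"{s.group('short') or s.group('desc')} -> {path}"
                if path.endswith("(file missing)"):
                    findings.append(("O23", subject,
                                     "service still registered but its binary is gone: remove the stale entry"))
                    path = path[: -len("(file missing)")].strip()
                if s.group("owner") == "Unknown owner":
                    findings.append(("O23", subject, "no signer/company recorded for the service binary"))
                for why in classify_path(path):
                    findings.append(("O23", subject, why))
    return findings


if __name__ == "__main__":
    for sec, subject, reason in triage(SAMPLE_LOG):
        print(f"{sec:<4} {subject}\n     -> {reason}")
```

Run against the sample it reports seven items, all of which are things a helper would verify rather than delete on sight: the two leftover AntiVir services (the avgnt Run entry in the ComboFix log has an empty file stamp for the same reason), the Ad-Aware service binary sitting directly in C:\Documents and Settings, UpdateStar running out of Application Data, the unqualified RTHDCPL.EXE, the SUPERAntiSpyware Winlogon DLL and the two DNS servers.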