sage5
Thanks so much for your speedy help.
I actually ran the second one (combofix) first because I didnt think SmitfraudFix.exe was going to work, but it did. Not sure if this makes a difference... Popups seem to have stop but I havent opened IE yet
Here is SmitfraudFix.exe report:SmitFraudFix v2.314
Scan done at 15:57:19.54, Fri 04/18/2008
Run from C:\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\StopHid.exe
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Devin
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Devin\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Devin\MYDOCU~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Devin/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Devin/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3DC62886-88B7-4853-B8C5-119710C4D0F1}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9AE26FFD-AE45-406C-A9D8-37F482D2E3CD}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3DC62886-88B7-4853-B8C5-119710C4D0F1}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9AE26FFD-AE45-406C-A9D8-37F482D2E3CD}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3DC62886-88B7-4853-B8C5-119710C4D0F1}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9AE26FFD-AE45-406C-A9D8-37F482D2E3CD}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
And here is ComboFix report:ComboFix 08-04-17.1 - Devin 2008-04-18 14:21:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT 2:00]
Running from: C:\Documents and Settings\Devin\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\CKUvGfhk.ini
C:\WINDOWS\system32\CKUvGfhk.ini2
C:\WINDOWS\system32\fclhntrk.ini
C:\WINDOWS\system32\geBtqRKE.dll
C:\WINDOWS\system32\jclugwos.dll
C:\WINDOWS\system32\khfGvUKC.dll
C:\WINDOWS\system32\krtnhlcf.dll
C:\WINDOWS\system32\sowgulcj.ini
C:\WINDOWS\system32\ssqRJAtU.dll
C:\WINDOWS\system32\UtAJRqss.ini
C:\WINDOWS\system32\UtAJRqss.ini2
C:\WINDOWS\system32\wvUkJCro.dll
.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.
2030-08-31 02:38 . 2006-11-23 20:55 <DIR> d-------- C:\Program Files\ESET
2030-08-31 02:38 . 2030-08-31 02:38 245,760 --a------ C:\WINDOWS\system32\imon.dll
2030-08-31 02:38 . 2030-08-31 02:38 114,688 --a------ C:\WINDOWS\system32\nms32.dll
2030-08-31 02:38 . 2030-08-31 02:38 442 --a------ C:\WINDOWS\system32\mapisvc.inf
2008-04-18 14:18 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-18 14:18 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-18 14:18 . 2008-04-12 13:49 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-18 14:18 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-18 14:18 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-18 14:16 . 2008-04-18 14:11 1,308,557 --a------ C:\SmitfraudFix.exe
2008-04-18 14:15 . 2008-04-18 14:18 <DIR> d-------- C:\SmitfraudFix
2008-04-18 14:15 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-18 14:15 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-18 05:33 . 2008-04-18 05:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 16:57 . 2008-04-17 16:57 <DIR> d-------- C:\Program Files\iTunes
2008-04-17 16:57 . 2008-04-17 16:57 <DIR> d-------- C:\Program Files\iPod
2008-04-17 16:55 . 2008-04-17 16:55 <DIR> d-------- C:\Program Files\QuickTime
2008-04-17 16:39 . 2008-04-17 16:39 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-17 06:14 . 2008-04-17 18:29 <DIR> d-------- C:\Program Files\IBP 9
2008-04-17 00:17 . 2008-04-17 00:17 32,768 --a------ C:\WINDOWS\AutoUpdateWin33.exe
2008-04-17 00:13 . 2008-04-17 00:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-04-16 21:16 . 2008-04-17 06:13 <DIR> d-------- C:\Program Files\IBP 10
2008-04-16 21:16 . 2008-04-17 18:34 <DIR> d-------- C:\Documents and Settings\Devin\Application Data\IBP
2008-04-15 02:57 . 2008-04-17 18:36 <DIR> d-------- C:\Program Files\e-Campaign 6
2008-04-15 02:57 . 2008-04-17 00:22 <DIR> d-------- C:\Documents and Settings\Devin\Application Data\e-Campaign
2008-04-13 19:07 . 2008-04-13 19:07 21,176 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-12 02:28 . 2008-04-12 02:28 131 --a------ C:\WINDOWS\mix-fx.ini
2008-04-12 01:42 . 2008-04-12 01:42 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-04-12 01:41 . 2008-04-12 01:41 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-04-12 01:40 . 2008-04-12 01:40 <DIR> d-------- C:\Program Files\Macromedia
2008-04-12 01:02 . 2008-04-12 01:02 <DIR> d-------- C:\Program Files\Mix-FX
2008-04-12 00:49 . 2008-04-12 00:49 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-04-12 00:49 . 2008-04-12 00:49 <DIR> d-------- C:\Program Files\TechSmith
2008-04-12 00:49 . 2006-06-14 21:13 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-04-11 20:08 . 2008-04-11 22:03 19 --a------ C:\Documents and Settings\Devin\~datefaker.ini
2008-04-08 20:20 . 2008-04-18 14:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-08 20:20 . 2008-04-08 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 06:54 . 2008-04-03 10:33 <DIR> d-------- C:\Program Files\WDE
2008-04-03 06:03 . 2008-04-03 10:40 <DIR> d-------- C:\Program Files\Web Data Extractor 4.3
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-20 16:07 . 2008-04-17 16:43 <DIR> d-------- C:\Program Files\Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2030-08-31 00:38 300,048 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-18 02:39 --------- d-----w C:\Program Files\PestPatrol
2008-04-14 20:50 --------- d-----w C:\Program Files\Group Mail
2008-04-13 17:01 --------- d-----w C:\Documents and Settings\Devin\Application Data\Apple Computer
2008-04-11 23:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-11 20:47 --------- d-----w C:\Program Files\Advanced Email Extractor PRO
2008-04-05 10:11 --------- d-----w C:\Documents and Settings\Alice\Application Data\Skype
2008-04-03 03:17 --------- d-----w C:\Program Files\Lencom Software Inc
2008-04-03 03:17 --------- d-----w C:\Program Files\Common Files\LencomShare
2008-04-03 00:08 94,817 ----a-w C:\Program Files\Common Files\Engines.lnl
2008-03-27 01:59 --------- d-----w C:\Documents and Settings\Devin\Application Data\Skype
2008-03-23 21:39 --------- d-----w C:\Program Files\7-Zip
2008-03-23 21:27 --------- d-----w C:\Program Files\CoolMenu
2008-03-17 20:49 --------- d-----w C:\Documents and Settings\Devin\Application Data\AdobeUM
2008-03-16 23:21 --------- d-----w C:\Program Files\SmartFTP Client
2008-03-16 23:19 --------- d-----w C:\Program Files\SmartFTP Client 2.5 Setup Files
2008-03-06 17:32 --------- d-----w C:\Program Files\Avanquest update
2008-03-06 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-06 17:30 --------- d-----w C:\Program Files\Sony Ericsson
2008-03-06 17:30 --------- d-----w C:\Documents and Settings\Devin\Application Data\InstallShield
2008-03-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-03-06 15:58 --------- d-----w C:\Program Files\T-Mobile
2008-02-10 12:32 19,552 ----a-w C:\Documents and Settings\Alice\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 21:42 19,552 ----a-w C:\Documents and Settings\Devin\Application Data\GDIPFONTCACHEV1.DAT
2007-04-25 03:25 1,205,365 ----a-w C:\Program Files\wrar361.exe
2006-08-13 21:30 182 ----a-w C:\Program Files\readme.txt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 14:14 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DPAgnt"="C:\Program Files\DigitalPersona\Bin\DPAgnt.exe" [2004-10-14 03:24 913408]
"CHotkey"="mHotkey.exe" [2004-02-23 23:41 539136 C:\WINDOWS\mHotkey.exe]
"CNYHKey"="CNYHKey.exe" [2004-02-23 23:40 338944 C:\WINDOWS\CNYHKey.exe]
"StopHid"="StopHid.exe" [2004-02-23 23:41 40960 C:\WINDOWS\StopHid.exe]
"CreativeMouse "="C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe" [2003-08-01 06:03 499712]
"PPMemCheck"="c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2004-04-03 00:11 148480]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-14 20:28 180269]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
C:\WINDOWS\system32\DPWLEvHd.dll 2004-10-14 03:29 102400 C:\WINDOWS\system32\DPWLEvHd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtqRKE]
geBtqRKE.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Microsoft Outlook"=C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE Outlook:Inbox /recycle
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NVRaidService"=C:\WINDOWS\system32\nvraidservice.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"C:\\Documents and Settings\\Devin\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=
"C:\\Program Files\\tswebeditor\\tswebeditor.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\IBP 10\\IBP.exe"=
"C:\\Program Files\\IBP 9\\IBP.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R2 Ethpdrv;Ethernet Packet Driver;C:\WINDOWS\system32\DRIVERS\ethpdrv.sys [2005-09-08 01:18]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;C:\WINDOWS\system32\DRIVERS\dpK0Bx01.sys [2004-08-05 01:58]
R3 UsbdpFP;Fingerprint Reader Class Driver;C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2004-08-05 01:59]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{203f34dd-f3c1-11db-a637-000129d434df}]
\Shell\AutoRun\command - G:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{773480ec-4741-11db-a586-000129d434df}]
\Shell\AutoRun\command - H:\SafeGuard\Windows\SafeGuard20.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 14:39:44 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-18 04:00:02 C:\WINDOWS\Tasks\SyncBack Devin.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
"2008-04-18 04:15:20 C:\WINDOWS\Tasks\SyncBack Drive C Backup.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
"2008-04-18 04:52:17 C:\WINDOWS\Tasks\SyncBack Drive E Backup.job"
- C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-04-18 14:35:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\imon.dll
-> C:\Program Files\Eset\pr_imon.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\DigitalPersona\Bin\DpOFeedb.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ESET\nod32krn.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-04-18 14:48:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 12:47:30
Pre-Run: 28,621,762,560 bytes free
And Hijack this report:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:58 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\StopHid.exe
C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.prague.tv/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: Refresh Bar - {6F2DB0CA-D4CA-455B-9F0B-DB135C875345} - C:\Program Files\Refresh Bar\IERefresh.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [CNYHKey] CNYHKey.exe
O4 - HKLM\..\Run: [StopHid] StopHid.exe
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Refresh Bar - {F009BAD5-2FAF-4E10-B7AA-61A22524AC30} - C:\Program Files\Refresh Bar\IERefresh.dll
O9 - Extra 'Tools' menuitem: Refresh Bar - {F009BAD5-2FAF-4E10-B7AA-61A22524AC30} - C:\Program Files\Refresh Bar\IERefresh.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
http://www.cult3d.co...wnload/cult.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.mi...b?1200701451890O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload.ad...ash/swflash.cabO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: geBtqRKE - geBtqRKE.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Devin/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
--
End of file - 9331 bytes