
Multiple problems, including blocking firewall startup [RESOLVED]



#1 dervampyre (New Member, 6 posts)
Had this problem for a few days now, and can't seem to figure it out. I've used AVG, Windows Defender, AdAware, Spybot, but they find a few things and fix them, but I still have the problem. Stopzilla finds a lot of stuff, but I am waiting for them to give me a new key, so I can't delete it with that program. It started after I installed the .NET framework from MS. Originally, the web was really slow and it disabled virus protection, firewall, and auto updates through Windows Security Center, but now I have virus and updates working, just not firewall. And the clock changed to military time somehow yesterday, but I got it displaying correctly now, just with 2 hh places. Anyhow, I'm not sure exactly what is wrong, but I have all the logs.

Malwarebytes Log
Malwarebytes' Anti-Malware 1.17
Database version: 854

11:33:04 PM 6/13/2008
mbam-log-6-13-2008 (23-33-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 84693
Time elapsed: 27 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mgmqjxem.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90ce74cc-788a-4a00-b38d-cbca08cc9e8f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cc257918-f435-4a33-8231-2b8195990cca} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{03657894-7c44-4ef3-a162-e70d19564373} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03657894-7c44-4ef3-a162-e70d19564373} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4cca5e81 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{03657894-7c44-4ef3-a162-e70d19564373} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM4ff96d1d (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mgmqjxem.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mexjqmgm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fnvctwbf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\28dayslater.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\ATMFONTS.ZIP (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\HIM.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\mason.zip (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


SuperAntiSpyware Log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/14/2008 at 01:03 AM

Application Version : 4.15.1000

Core Rules Database Version : 3482
Trace Rules Database Version: 1473

Scan type : Complete Scan
Total Scan Time : 00:58:16

Memory items scanned : 368
Memory threats detected : 0
Registry items scanned : 4683
Registry threats detected : 8
File items scanned : 49448
File threats detected : 25

Adware.Tracking Cookie
C:\Documents and Settings\Holly\Cookies\[email protected][2].txt
C:\Documents and Settings\Holly\Cookies\holly@findwhat[1].txt
C:\Documents and Settings\Holly\Cookies\holly@mediaplex[1].txt
C:\Documents and Settings\Holly\Cookies\[email protected][1].txt
C:\Documents and Settings\Holly\Cookies\holly@tribalfusion[1].txt
C:\Documents and Settings\Holly\Cookies\holly@clickbank[7].txt
C:\Documents and Settings\Holly\Cookies\[email protected][1].txt
C:\Documents and Settings\Holly\Cookies\holly@atdmt[2].txt
C:\Documents and Settings\Holly\Cookies\[email protected][1].txt
C:\Documents and Settings\Holly\Cookies\holly@adrevolver[2].txt
C:\Documents and Settings\Holly\Cookies\holly@serving-sys[2].txt
C:\Documents and Settings\Holly\Cookies\holly@doubleclick[1].txt
C:\Documents and Settings\Holly\Cookies\[email protected][3].txt
C:\Documents and Settings\Holly\Cookies\[email protected][1].txt
C:\Documents and Settings\Holly\Cookies\holly@overture[2].txt
C:\Documents and Settings\Holly\Cookies\[email protected][1].txt
C:\Documents and Settings\Holly\Cookies\holly@clickbank[1].txt
C:\Documents and Settings\Holly\Cookies\holly@clickbank[2].txt
C:\Documents and Settings\Holly\Cookies\holly@clickbank[3].txt
C:\Documents and Settings\Holly\Cookies\holly@clickbank[4].txt
C:\Documents and Settings\Holly\Cookies\holly@clickbank[5].txt
C:\Documents and Settings\Holly\Cookies\holly@clickbank[6].txt
C:\Documents and Settings\Holly\Cookies\[email protected][1].txt
C:\Documents and Settings\Holly\Cookies\[email protected][2].txt

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MCRH.TMP


Panda ActiveScan Log
;*******************************************************************************************************************************************************************************
ANALYSIS: 2008-06-14 15:14:17
PROTECTIONS: 1
MALWARE: 20
SUSPECTS: 1
;*******************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00013869 adware/cydoor Adware No 0 Yes No c:\windows\cdmxtras
00020302 adware/ncase Adware No 0 Yes No c:\temp\salmau.dat
00020302 adware/ncase Adware No 0 Yes No c:\temp\salm_gdf.dat
00020302 adware/ncase Adware No 0 Yes No c:\temp\salm_kyf.dat
00029036 adware/superspider Adware No 1 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\altnetdm
00029426 adware/sbsoft Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{9D573D0E-663C-435F-BF31-2C4497373C41}
00032745 adware/sahagent Adware No 0 Yes No c:\windows\downloaded program files\bunsetup.cab
00032745 adware/sahagent Adware No 0 Yes No c:\windows\downloaded program files\lsp_.dll
00032745 adware/sahagent Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\shopathomeselect agent
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\classes\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No hkey_classes_root\protocols\name-space handler\res
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\system\controlset001\enum\root\legacy_tbpssvc
00040467 adware/elitebar Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\internet settings\user agent\post platform\iebar
00041446 application/myway HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
00041446 application/myway HackTools No 0 Yes No hkey_classes_root\clsid\{66fc8717-efa7-4546-8c4a-e224f3a80c76}
00047993 adware/powerscan Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\power scan
00134692 Adware/IST.YourSiteBar Adware No 0 Yes No C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D92840B7-FFAA-4FD0-B769-729550.asq
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Holly\Cookies\holly@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Holly\Cookies\holly@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Holly\Local Settings\Temp\nsp8.tmp
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP675\A0089737.exe[²ƒÇ]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP675\A0089746.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Holly\Cookies\holly@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Holly\Cookies\holly@mediaplex[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Holly\Cookies\holly@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Holly\Cookies\[email protected][2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Holly\Cookies\holly@did-it[1].txt
00519333 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{42AFE6C2-268D-4678-990C-727A4B90EFB0}\RP675\A0089737.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\WINDOWS\SYSTEM32\HXMEMLOG.DLL
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
182048 HIGH MS07-069
176382 HIGH MS07-057
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164913 HIGH MS07-033
160623 HIGH MS07-027
150253 HIGH MS07-016
;===================================================================================================================================================================================


HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:00:37, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {03657894-7C44-4EF3-A162-E70D19564373} - (no file)
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {36de3a4f-e5f3-879b-37c4-3f5768ef6c95} - {59c6fe86-75f3-4c73-b978-3f5ef4a3ed63} - C:\WINDOWS\system32\hxmemlog.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {81792112-1545-447D-B032-84A3FB34551B} - C:\WINDOWS\system32\mlJBSIab.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [4cca5e81] rundll32.exe "C:\WINDOWS\system32\mgmqjxem.dll",b
O4 - HKLM\..\Run: [BM4ff96d1d] Rundll32.exe "C:\WINDOWS\system32\fnvctwbf.dll",s
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [start extracting] spoolvse.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [start extracting] spoolvse.exe
O4 - HKUS\S-1-5-18\..\Run: [start extracting] spoolvse.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoftkeysd] systemwin32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Microsoftkeysd] systemwin32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [start extracting] spoolvse.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [start extracting] spoolvse.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Microsoftkeysd] systemwin32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [start extracting] spoolvse.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZJzed002YYUS_ZJYYYYYYYYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....8/installer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.ai...AIM.9.5.1.8.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.co...l/MFInstall.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 12095 bytes


HiJackThis UnInstall Log
ABBYY FineReader 5.0 Sprint
Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
AIM 6.0
AIM Toolbar
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
AVG Free 8.0
Big Money Deluxe 1.22
BitLord 1.1
Bonjour
BookWorm Deluxe 1.02
CCleaner (remove only)
CLO
CreataCard Gold 2
Creative WebCam Center
Creative WebCam Instant Driver (1.00.08.0416)
Creative WebCam Instant User's Guide (English)
dBpowerAMP WMA V9.1 Codec
DivX
DivX Player
Express Burn Uninstall
Express Rip Uninstall
Family Tree Maker
Family Tree Maker 2006
FaxTools
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InterActual Player
IOI Multimedia Card Reader
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment Standard Edition v1.3.1_02
Lexmark 3100 Series
Lexmark 640 Series
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Media Video 9 VCM
Microsoft Works 6.0
MSN
MSXML 6.0 Parser (KB933579)
NingPo MahJong Deluxe 1.04
Norton WMI Update
Panda ActiveScan 2.0
Pattern Maker for cross stitch - v4 (Std)
PowerDVD
QuarkXPress 4.0
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
RecordPad Sound Recorder Uninstall
Scrapbook Factory Deluxe
Security Task Manager 1.7f
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy
STOPzilla
SUPERAntiSpyware Free Edition
TipTop Deluxe 1.1
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Backup Utility
Windows Defender
Windows Defender Signatures
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v4
Yahoo! Search Suggest Add-on for IE7
Yahoo! Toolbar

#2
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi dervampyre welcome to GeeksToGo!

I am currently reviewing your log and will post back soon.

Please take note of the following points.
  • Please keep in mind that there may be a time difference between us. If you are not in the GMT +1 time zone, then you can expect a slight delay.

  • Please do not run any tools other than what I request of you to run. Some of the tools we will use are very powerful, and using them without the required knowledge could cause more damage and prove to be more troublesome than the problem you are currently facing.

  • If at any time you have a doubt about what you are to do, please stop there and ask. No question is considered dumb here at GeeksToGo!.
Thanks,

Mike :)

#3
dervampyre

dervampyre

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you for the welcome and your reply. I will be patiently awaiting your advice.

#4
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there dervampyre,

The virus that is preventing the firewall from starting is part of the RBOT/SDBot family. That should be fixed after this run though.

If you haven't paid for STOPzilla, I would recommend you use another program. It USED to be considered a "rogue program" but has since been taken off that list. However, there are a lot of better alternatives out there, like SUPERAntiSpyware and MalwareBytes' Anti-Malware.

Very Important!

You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

If you choose to reformat, please tell me in your next reply.

Preparation

I will need you to temporarily disable Teatimer, Windows Defender and Ad-Aware. Please go here for instructions on how to do so http://wiki.castleco...toring_Programs

Step 1. Running SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Step 2. Combofix

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe; please don't overlook this!

Now please download combofix from here (http://subs.geekstogo.com/ComboFix.exe) or here. It is important that you save this file to your desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a Hijack This log in your next reply.

A quick heads up: if you click on ComboFix's window while it's running, you may cause it to stall.

In your next reply

Please post the log from SDFix.
Please post the log from ComboFix.
Please post the log from Hijack This (After running the above programs)

If the logs are too big to fit in one reply, please spread them out over multiple replies.

Edited by Mike, 15 June 2008 - 12:55 PM.

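As an added example, not part of the original thread and not one of the tools Mike names, the Python script below applies the three checks a log reviewer makes on the HijackThis O2/O4 lines that dervampyre posts next: rundll32 launching a DLL from system32 by a one- or two-letter export name (the "4cca5e81" and "BM4ff96d1d" entries), a path-less executable registered under the SYSTEM or .DEFAULT user's Run/RunOnce key (wvsvc.exe, systemwin32.exe), and a BHO registration with no name or a missing file. The sample lines are copied from the HijackThis log in the next post, with a few benign entries from the same log for contrast; the finding labels, the two-character export threshold and the hive list are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted in the next reply (O2 = BHOs,
# O4 = Run/RunOnce autostarts), including benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {81792112-1545-447D-B032-84A3FB34551B} - C:\WINDOWS\system32\mlJBSIab.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [4cca5e81] rundll32.exe "C:\WINDOWS\system32\mgmqjxem.dll",b
O4 - HKLM\..\Run: [BM4ff96d1d] Rundll32.exe "C:\WINDOWS\system32\fnvctwbf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoftkeysd] systemwin32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Microsoftkeysd] systemwin32.exe (User 'Default user')
"""

# O4 line: "O4 - <hive>\..\Run[Once]: [<value name>] <command> (User '<user>')"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O2 line: "O2 - BHO: <title> - {<CLSID>} - <dll path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<title>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# rundll32.exe "<dll>",<export>  (quotes optional)
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)$', re.IGNORECASE)

# Hives where a legitimate per-user autostart is rare (assumption: SYSTEM and
# the Default-user profile); a bare filename here is resolved via PATH search.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class Finding:
    line_no: int
    reason: str
    detail: str


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def is_bare_name(exe: str) -> bool:
    """True when the executable has no directory component (PATH lookup)."""
    return "\\" not in exe and ":" not in exe


def triage(log_text: str) -> list[Finding]:
    """Flag the O2/O4 lines that match the three heuristics described above."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        m = O4_RE.match(line)
        if m:
            cmd, hive = m["cmd"], m["hive"]
            r = RUNDLL_RE.match(cmd.strip())
            if r and len(r["entry"]) <= 2:
                # Vundo-style loader: random DLL exported under a one-letter name.
                findings.append(Finding(line_no, "rundll32-short-export",
                                        f'{r["dll"]} entry "{r["entry"]}"'))
            elif hive.startswith(SYSTEM_HIVES) and is_bare_name(executable_of(cmd)):
                findings.append(Finding(line_no, "system-hive-bare-exe", executable_of(cmd)))
            continue
        m = O2_RE.match(line)
        if m and (m["title"] == "(no name)" or m["missing"]):
            findings.append(Finding(line_no, "orphan-bho", f'{m["clsid"]} {m["path"]}'))
    return findings


if __name__ == "__main__":
    for x in triage(SAMPLE_LOG):
        print(f"line {x.line_no:2d}  {x.reason:<22s} {x.detail}")
```

Running it lists six lines out of ten: the orphaned BHO, both rundll32 loaders, and the three path-less SYSTEM/.DEFAULT autostarts; the AVG, ctfmon and dwtrig20 entries pass. The heuristics are deliberately narrow (a bare name under HKLM such as SOUNDMAN.EXE is not flagged, since OEM installers do that), so treat a hit as something to look up, not as proof. The firewall service itself does not appear in HijackThis output; on XP it is the SharedAccess service, and the ComboFix dump in the next post lists it under the msconfig\services key, which holds services that were unchecked on msconfig's Services tab, so it needs re-enabling once the autostart entries are gone.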

#5
dervampyre

dervampyre

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay, here are the logs you asked for. Should I remove Spybot and STOPzilla since I'm using MalwareBytes and SuperAnti now? Just curious, since you said to get rid of STOPzilla.

SDFix Log

SDFix: Version 1.192
Run by Holly on Sun 06/15/2008 at 02:02

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 14:26:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\aim\\aim.exe"="C:\\Program Files\\aim\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\aim\\aim.exe"="C:\\Program Files\\aim\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 17 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 17 Feb 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Fri 9 Dec 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Wed 5 Jul 2006 314 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti31.tmp"

Finished!


ComboFix Log
ComboFix 08-06-15.2 - Holly 2008-06-15 15:00:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.644 [GMT -7:00]
Running from: C:\Documents and Settings\Holly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Holly\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM4ff96d1d.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\baISBJlm.ini
C:\WINDOWS\system32\baISBJlm.ini2
C:\WINDOWS\system32\devudrfu.ini
C:\WINDOWS\system32\hxmemlog.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 13:56 . 2008-06-15 13:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-15 13:48 . 2008-06-15 14:37 <DIR> d-------- C:\SDFix
2008-06-14 02:00 . 2008-06-14 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 01:37 . 2008-06-14 01:38 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\SUPERAntiSpyware.com
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-13 22:45 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 20:24 . 2008-06-13 20:25 <DIR> d-------- C:\Program Files\Panda Security
2008-06-13 18:30 . 2008-06-13 18:30 <DIR> d-------- C:\VundoFix Backups
2008-06-13 17:18 . 2008-06-13 17:18 1,346 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-13 00:56 . 2008-06-13 00:56 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-13 00:35 . 2008-06-13 00:35 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 22:23 . 2008-06-12 22:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-12 22:23 . 2008-06-12 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 22:22 . 2008-06-13 23:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 14:05 . 2008-06-12 14:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-12 13:44 . 2008-06-13 21:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-12 12:47 . 2008-06-14 20:16 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-12 12:47 . 2008-06-12 12:47 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-12 12:47 . 2008-06-12 12:47 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-12 12:47 . 2008-06-12 12:47 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Program Files\AVG
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-12 00:20 . 2008-06-12 01:14 153 --a------ C:\WINDOWS\wininit.ini
2008-06-11 23:52 . 2008-06-11 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-11 23:52 . 2008-06-12 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 23:06 . 2008-06-11 23:10 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-06-11 16:01 . 2008-06-15 15:05 42,056 --a------ C:\WINDOWS\system32\drivers\kgpcpy.cfg
2008-06-11 16:00 . 2008-06-15 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-11 15:58 . 2008-06-11 15:58 <DIR> d-------- C:\Program Files\STOPzilla!
2008-06-11 15:58 . 2008-06-11 15:58 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-06-11 15:58 . 2008-06-15 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-06-10 22:43 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-06-10 22:35 . 2008-06-10 22:35 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-10 20:32 . 2008-06-10 20:32 4,808 --a------ C:\WINDOWS\system32\gaeffect.sti
2008-06-10 20:32 . 2008-06-10 20:32 3,176 --a------ C:\WINDOWS\system32\gafilter.sti
2008-06-10 20:31 . 2008-06-11 13:13 326 --a------ C:\WINDOWS\ULEAD32.INI
2008-06-10 17:32 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:12 . 2008-06-10 00:12 <DIR> d-------- C:\WINDOWS\Noslip
2008-06-10 00:12 . 2008-06-10 20:03 <DIR> d-------- C:\Program Files\BitLord
2008-06-10 00:12 . 2008-06-10 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-09 17:59 . 2008-06-09 17:59 401,408 -ra------ C:\WINDOWS\system32\SZComp5.dll
2008-06-09 17:59 . 2008-06-09 17:59 258,048 -ra------ C:\WINDOWS\system32\SZBase5.dll
2008-06-03 20:54 . 2008-06-03 20:58 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-03 20:48 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-03 20:48 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-03 20:48 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-03 20:48 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-03 20:48 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-03 20:48 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-03 20:48 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-03 20:48 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-03 20:48 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-03 20:47 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-06-03 20:22 . 2008-06-03 20:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-06-03 14:43 . 2008-06-03 14:43 364,544 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2008-06-03 14:43 . 2008-06-03 14:43 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2008-06-03 14:42 . 2008-06-03 14:42 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2008-06-03 14:42 . 2008-06-03 14:42 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2008-06-03 14:42 . 2008-06-03 14:42 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2008-06-03 14:41 . 2008-06-03 14:41 196,608 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2008-06-03 14:41 . 2008-06-03 14:41 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2008-06-03 14:40 . 2008-06-03 14:40 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2008-06-03 14:37 . 2008-06-03 14:37 708,608 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Program Files\Lexmark 640 Series
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Lexmark
2008-05-31 18:28 . 2006-03-28 05:29 73,728 --a------ C:\WINDOWS\system32\lxdapwr.dll
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\acccore
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-31 18:18 . 2008-05-31 18:19 <DIR> d-------- C:\Program Files\AIM6
2008-05-31 18:16 . 2008-05-31 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-31 18:16 . 2008-05-31 18:16 29 --a------ C:\WINDOWS\atid.ini
2008-05-31 16:41 . 2008-05-31 16:41 <DIR> d-------- C:\Program Files\iPod
2008-05-31 16:40 . 2008-05-31 16:40 <DIR> d-------- C:\Program Files\Bonjour
2008-05-31 16:38 . 2008-05-31 16:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 19:43 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-30 19:34 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-30 19:34 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-30 19:16 . 2003-04-06 08:05 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-13 05:13 --------- d-----w C:\Documents and Settings\Holly\Application Data\Lavasoft
2008-06-12 18:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 18:42 --------- d-----w C:\Program Files\Creative
2008-06-12 18:39 --------- d-----w C:\Program Files\Yahoo! Games
2008-06-04 04:52 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-04 04:45 --------- d-----w C:\Program Files\PopCap Games
2008-06-04 03:56 --------- d-----w C:\Program Files\Yahoo!
2008-06-04 03:54 --------- d--h--r C:\Documents and Settings\Holly\Application Data\yahoo!
2008-06-01 01:30 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 01:30 --------- d-----w C:\Program Files\aim
2008-06-01 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-31 23:43 --------- d-----w C:\Program Files\iTunes
2008-05-31 23:39 --------- d-----w C:\Program Files\QuickTime
2008-05-31 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-13 17:03 34,432 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81792112-1545-447D-B032-84A3FB34551B}]
C:\WINDOWS\system32\mlJBSIab.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00 28739]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 19:33 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 07:57 294912]
"SoundMan"="SOUNDMAN.EXE" [2003-06-10 21:12 55296 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 08:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 08:07 114688]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 12:46 1177368]
"4cca5e81"="C:\WINDOWS\system32\mgmqjxem.dll" [ ]
"BM4ff96d1d"="C:\WINDOWS\system32\fnvctwbf.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Starting up"="wvsvc.exe" []
"Microsoftkeysd"="systemwin32.exe" []
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoftkeysd"="systemwin32.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CreataCard Gold 2 Forget Me Not Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CreataCard Gold 2 Forget Me Not Reminders.lnk
backup=C:\WINDOWS\pss\CreataCard Gold 2 Forget Me Not Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admanager Controller]
C:\Program Files\Admanager Controller\AdManCtl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdStatus Service]
C:\Program Files\AdStatus Service\AdStatServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 C:\Program Files\aim\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 08:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
C:\Program Files\Internet Optimizer\optimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-01-30 19:49 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdkupdate22]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2003-11-19 20:32 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-19 19:34 3084288 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"AOL ACS"=2 (0x2)
"SBService"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2008-05-13 10:03]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-12 12:47]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-12 12:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 12:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-12 12:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f7ffe5b-69aa-11d9-a23a-806d6172696f}]
\Shell\AutoRun\command - D:\autoplay.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-15 22:08:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-15 20:32:17 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 15:04:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Lexmark 3100 Series\lxbrksk.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-06-15 15:12:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 22:12:02

Pre-Run: 69,107,503,104 bytes free
Post-Run: 69,036,773,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

269 --- E O F --- 2008-06-14 08:52:28


HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:20:51, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {81792112-1545-447D-B032-84A3FB34551B} - C:\WINDOWS\system32\mlJBSIab.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [4cca5e81] rundll32.exe "C:\WINDOWS\system32\mgmqjxem.dll",b
O4 - HKLM\..\Run: [BM4ff96d1d] Rundll32.exe "C:\WINDOWS\system32\fnvctwbf.dll",s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoftkeysd] systemwin32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Microsoftkeysd] systemwin32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Starting up] wvsvc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Microsoftkeysd] systemwin32.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZJzed002YYUS_ZJYYYYYYYYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....8/installer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.ai...AIM.9.5.1.8.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.co...l/MFInstall.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 10620 bytes

#6 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

Quote (dervampyre): Okay, here are the logs you asked for. Should I remove Spybot and STOPzilla since I'm using Malwarebytes and SuperAnti now? Just curious, since you said to get rid of STOPzilla.


Sounds good. Keep in mind that neither MBAM nor SUPERAntiSpyware has real-time protection in the free version. I would still remove STOPzilla, but keep MBAM and Spybot S&D.

Go to Add or Remove Programs for me and uninstall the following, if present:

Admanager Controller
AdStatus Service
Internet Optimizer
BullsEye Network


Step 1. Making a CFScript

Please click Start, then Run, and in the window that appears type Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and paste (Control + V) the content into the Notepad window:
File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\mlJBSIab.dll
C:\WINDOWS\system32\fnvctwbf.dll
C:\WINDOWS\system32\mgmqjxem.dll
C:\Windows\system32\wvsvc.exe
C:\WINDOWS\system32\systemwin32.exe

Folder::
C:\Program Files\Admanager Controller
C:\Program Files\AdStatus Service
C:\Program Files\Internet Optimizer
C:\Program Files\BullsEye Network

DirLook::
C:\WINDOWS\SxsCaPendDel
C:\Documents and Settings\All Users\Application Data\SecTaskMan

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81792112-1545-447D-B032-84A3FB34551B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4cca5e81"=-
"BM4ff96d1d"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Starting up"=-
"Microsoftkeysd"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoftkeysd"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Admanager Controller]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdStatus Service]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdkupdate22]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f7ffe5b-69aa-11d9-a23a-806d6172696f}]
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
[animation: dragging CFScript.txt onto ComboFix.exe; image not preserved]

After that, please reboot your computer if it asks you to, and post ComboFix.txt (the report ComboFix will generate) in your next reply.

Step 2. Running Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply

Please post the log from ComboFix.
Please post the log from MBAM.

Also a new HijackThis log, please.
If the logs are too big to fit in one reply, please spread them out over multiple replies.

Edited by Mike, 16 June 2008 - 02:59 AM.

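The judgement behind the CFScript above (which HijackThis O2/O4 lines are malicious, and how each maps to a File:: path or a Registry:: deletion) is applied by hand in this thread. The following is an added example, not code from the thread or from the HijackThis/ComboFix projects, that encodes the same rules over a constructed sample of lines shaped like the log at the top of this section: Run value names that are eight hex digits (optionally prefixed BM), rundll32 loading an eight-letter DLL from system32, bare filenames launched from the SYSTEM/.DEFAULT hive, and a BHO with no name whose file is missing. It then drafts the CFScript sections for a human to review. The full registry paths, the allowlist of what is "normal", and the sample lines are assumptions of this example; ComboFix's `~` shorthand is not used, and bare filenames are reported as unresolved rather than guessed into system32.

```python
"""Triage HijackThis O2/O4 lines and draft ComboFix CFScript sections from the findings.

Added example (not from the thread). The heuristics encode the helper's manual
judgement; the output is a draft for a human to check, not something to run blind.
"""
import re

# Constructed sample in the shape of the HijackThis log above (not the full log).
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {81792112-1545-447D-B032-84A3FB34551B} - C:\WINDOWS\system32\mlJBSIab.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [4cca5e81] rundll32.exe "C:\WINDOWS\system32\mgmqjxem.dll",b
O4 - HKLM\..\Run: [BM4ff96d1d] Rundll32.exe "C:\WINDOWS\system32\fnvctwbf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Microsoftkeysd] systemwin32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<value>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
HEX_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{8}$")            # e.g. 4cca5e81, BM4ff96d1d
RUNDLL_RE = re.compile(r'^[Rr]undll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\WINDOWS\\system32\\[a-z]{8}\.dll)"?')
BARE_EXE_RE = re.compile(r"^[A-Za-z0-9_]+\.exe$", re.I)    # no path, no quotes, no arguments

HIVE_PREFIX = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def reg_key(hive, key):
    """Expand a HijackThis hive abbreviation to the full Run/RunOnce key path."""
    root = HIVE_PREFIX.get(hive) or hive.replace("HKUS\\", "HKEY_USERS\\", 1)
    return f"{root}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}"


def triage(hjt_text):
    """Return files to delete, unresolved bare names, orphan BHO CLSIDs, Run values by key, and reasons."""
    f = {"files": [], "unresolved": [], "bho_clsids": [], "run_values": {}, "reasons": []}
    for line in hjt_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)" and m.group("missing"):
                f["bho_clsids"].append(m.group("clsid"))
                f["files"].append(m.group("path"))
                f["reasons"].append(f"orphan BHO {{{m.group('clsid')}}}: no name, file missing")
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, value, cmd = m.group("hive", "key", "value", "cmd")
        why = []
        if HEX_NAME_RE.match(value):
            why.append("random hex Run value name")
        d = RUNDLL_RE.match(cmd)
        if d:
            why.append("rundll32 loading an eight-letter system32 DLL")
            if d.group("dll") not in f["files"]:
                f["files"].append(d.group("dll"))
        if hive.startswith("HKUS\\") and BARE_EXE_RE.match(cmd):
            why.append("bare filename launched from the SYSTEM/.DEFAULT hive")
            f["unresolved"].append(cmd)   # path not shown by HijackThis; locate before scripting
        if why:
            f["run_values"].setdefault(reg_key(hive, key), []).append(value)
            f["reasons"].append(f"[{value}] {cmd}: " + "; ".join(why))
    return f


def draft_cfscript(findings):
    """Render File:: and Registry:: sections in the .reg-style syntax the reply's script uses."""
    out = []
    if findings["files"]:
        out += ["File::"] + findings["files"] + [""]
    out.append("Registry::")
    for clsid in findings["bho_clsids"]:
        out.append(f"[-{BHO_KEY}\\{{{clsid}}}]")          # [-KEY] deletes the whole key
    for key, names in findings["run_values"].items():
        out.append(f"[{key}]")
        out += [f'"{n}"=-' for n in names]                 # "value"=- deletes one value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    print("\n".join(found["reasons"]))
    print("unresolved (find on disk first):", found["unresolved"])
    print(draft_cfscript(found))
```

Two things the draft deliberately does not decide for you: the bare names (`wvsvc.exe`, `systemwin32.exe`) are listed as unresolved because HijackThis prints no path for them, so confirm where they live before adding a File:: line; and HijackThis shows the same SYSTEM entries under both `HKUS\S-1-5-18` and `HKUS\.DEFAULT`, as it does above, so expect the deletion to clear both listings whichever of the two you target.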
#7 dervampyre (Topic Starter, New Member, 6 posts)

OK, I removed STOPzilla, but since you said to keep Spybot for the real-time protection, do I need to keep Windows Defender and SUPERAntiSpyware?

ComboFix Log
ComboFix 08-06-15.2 - Holly 2008-06-16 6:30:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.618 [GMT -7:00]
Running from: C:\Documents and Settings\Holly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Holly\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\fnvctwbf.dll
C:\WINDOWS\system32\mgmqjxem.dll
C:\WINDOWS\system32\mlJBSIab.dll
C:\WINDOWS\system32\systemwin32.exe
C:\WINDOWS\system32\tmp.reg
C:\Windows\system32\wvsvc.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Holly\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 15:12 . 2008-06-15 15:12 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-06-15 13:56 . 2008-06-15 13:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-15 13:48 . 2008-06-15 14:37 <DIR> d-------- C:\SDFix
2008-06-14 02:00 . 2008-06-14 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-14 01:37 . 2008-06-14 01:38 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\SUPERAntiSpyware.com
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-13 22:45 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 20:24 . 2008-06-13 20:25 <DIR> d-------- C:\Program Files\Panda Security
2008-06-13 18:30 . 2008-06-13 18:30 <DIR> d-------- C:\VundoFix Backups
2008-06-13 00:56 . 2008-06-13 00:56 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-13 00:35 . 2008-06-13 00:35 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 22:23 . 2008-06-12 22:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-12 22:23 . 2008-06-12 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 22:22 . 2008-06-13 23:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 14:05 . 2008-06-12 14:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-12 13:44 . 2008-06-13 21:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-12 12:47 . 2008-06-15 21:15 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-12 12:47 . 2008-06-12 12:47 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-12 12:47 . 2008-06-12 12:47 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-12 12:47 . 2008-06-12 12:47 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Program Files\AVG
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-12 00:20 . 2008-06-12 01:14 153 --a------ C:\WINDOWS\wininit.ini
2008-06-11 23:52 . 2008-06-11 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-11 23:52 . 2008-06-12 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 23:06 . 2008-06-11 23:10 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-06-11 16:00 . 2008-06-16 04:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-11 15:58 . 2008-06-11 15:58 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-06-11 15:58 . 2008-06-16 06:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-06-10 22:43 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-06-10 22:35 . 2008-06-10 22:35 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-10 20:32 . 2008-06-10 20:32 4,808 --a------ C:\WINDOWS\system32\gaeffect.sti
2008-06-10 20:32 . 2008-06-10 20:32 3,176 --a------ C:\WINDOWS\system32\gafilter.sti
2008-06-10 20:31 . 2008-06-11 13:13 326 --a------ C:\WINDOWS\ULEAD32.INI
2008-06-10 17:32 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:12 . 2008-06-10 00:12 <DIR> d-------- C:\WINDOWS\Noslip
2008-06-10 00:12 . 2008-06-10 20:03 <DIR> d-------- C:\Program Files\BitLord
2008-06-10 00:12 . 2008-06-10 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-03 20:54 . 2008-06-03 20:58 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-03 20:48 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-03 20:48 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-03 20:48 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-03 20:48 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-03 20:48 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-03 20:48 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-03 20:48 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-03 20:48 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-03 20:48 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-03 20:47 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-06-03 20:22 . 2008-06-03 20:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Program Files\Lexmark 640 Series
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Lexmark
2008-05-31 18:28 . 2006-03-28 05:29 73,728 --a------ C:\WINDOWS\system32\lxdapwr.dll
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\acccore
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-31 18:18 . 2008-05-31 18:19 <DIR> d-------- C:\Program Files\AIM6
2008-05-31 18:16 . 2008-05-31 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-31 18:16 . 2008-05-31 18:16 29 --a------ C:\WINDOWS\atid.ini
2008-05-31 16:41 . 2008-05-31 16:41 <DIR> d-------- C:\Program Files\iPod
2008-05-31 16:40 . 2008-05-31 16:40 <DIR> d-------- C:\Program Files\Bonjour
2008-05-31 16:38 . 2008-05-31 16:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 19:43 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-30 19:34 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-30 19:34 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-30 19:16 . 2003-04-06 08:05 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 07:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-13 05:13 --------- d-----w C:\Documents and Settings\Holly\Application Data\Lavasoft
2008-06-12 18:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 18:42 --------- d-----w C:\Program Files\Creative
2008-06-12 18:39 --------- d-----w C:\Program Files\Yahoo! Games
2008-06-04 04:52 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-04 04:45 --------- d-----w C:\Program Files\PopCap Games
2008-06-04 03:56 --------- d-----w C:\Program Files\Yahoo!
2008-06-04 03:54 --------- d--h--r C:\Documents and Settings\Holly\Application Data\yahoo!
2008-06-01 01:30 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 01:30 --------- d-----w C:\Program Files\aim
2008-06-01 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-31 23:43 --------- d-----w C:\Program Files\iTunes
2008-05-31 23:39 --------- d-----w C:\Program Files\QuickTime
2008-05-31 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\All Users\Application Data\SecTaskMan ----

2008-06-13 00:56 907 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_b25099274a207264182f8181add555d0.dll
2008-06-13 00:56 901 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE
2008-06-13 00:56 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_b25099274a207264182f8181add555d0
2008-06-13 00:56 4492 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12341
2008-06-13 00:56 132 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE.dll
2008-06-13 00:56 10594 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12345
2008-06-11 23:27 758 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A59AC069BF05AA4CAA330E5E112E5C3
2008-06-11 23:27 5325 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12340
2008-06-11 23:27 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_56A968A049C8C7F45A7C79D2C3C8DEE9
2008-06-11 23:27 41 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_56A968A049C8C7F45A7C79D2C3C8DEE9.dll
2008-06-11 23:27 1579 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A59AC069BF05AA4CAA330E5E112E5C3.dll
2008-06-03 21:57 782 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BC7AD522377C86F4088681C404282C1F.dll
2008-06-03 21:57 653 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2A5C838123BA5414581CBBB9D8AF42DC
2008-06-03 21:57 634 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CB6775856DB42DB41AA9D1C64BA404B3
2008-06-03 21:57 616 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9714374497A8EED4BB803730F7605534.dll
2008-06-03 21:57 601 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910
2008-06-03 21:57 585 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF4B2EC9721885040B825C6921244A18
2008-06-03 21:57 581 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6DB1FB74CACDF8640ADA5EEDCC22113C
2008-06-03 21:57 545 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E240F47B9B1EB5A4D86483B71B270F4A
2008-06-03 21:57 538 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BC7AD522377C86F4088681C404282C1F
2008-06-03 21:57 522 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_90A2CC5A3D9ECE9429D33078B4DBC4C2
2008-06-03 21:57 515 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF4B2EC9721885040B825C6921244A18.dll
2008-06-03 21:57 448 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910.dll
2008-06-03 21:57 3743 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2A5C838123BA5414581CBBB9D8AF42DC.dll
2008-06-03 21:57 27 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_90A2CC5A3D9ECE9429D33078B4DBC4C2.dll
2008-06-03 21:57 2308 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CB6775856DB42DB41AA9D1C64BA404B3.dll
2008-06-03 21:57 1180 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E240F47B9B1EB5A4D86483B71B270F4A.dll
2008-06-03 21:57 1026 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9714374497A8EED4BB803730F7605534
2008-06-03 21:57 1024 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6DB1FB74CACDF8640ADA5EEDCC22113C.dll
2005-05-02 12:11 50 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\_spoolvse33B0
2005-04-14 02:49 15481 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\_lxbrksk28178004
2005-04-11 17:09 832 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A
2005-04-11 17:09 670 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FF41E933CDF89084AA2F78AB2209C5F7.dll
2005-04-11 17:09 522 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FF41E933CDF89084AA2F78AB2209C5F7
2005-04-11 17:09 3257 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A.dll
2005-02-26 11:45 636 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0296961D4979CBB4A803A78867D35E2A
2005-02-26 11:45 26534 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\_fsg_420342FF521D
2005-02-26 11:45 1263 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0296961D4979CBB4A803A78867D35E2A.dll
2005-02-23 02:19 6674 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\_shwicon2k2C502002
2005-02-23 02:19 23966 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ycomp5_5_7_03B4B7857
2005-02-18 20:04 559 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\GMT.exe.q_13C16052_q.ini
2005-02-16 22:28 3805 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\_CMESys253C6001
2005-02-16 22:27 186917 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\_GMT1DDB6052
2005-02-16 22:22 930 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C9280D8FF6C93D110808000CF43A92AA
2005-02-16 22:22 93 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_60CD2626A0CF1FE48967AA29DE3A81C8.dll
2005-02-16 22:22 862 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C88D9F1068C328E448A001A123126FA7
2005-02-16 22:22 777 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FC6B5F6CC906E82478F6AC3871C620B1
2005-02-16 22:22 767 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_47C7F635B44838640B5CAE931EA9F63E
2005-02-16 22:22 662 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4E8B961723621B64AAF561C75BEF0592
2005-02-16 22:22 658 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_60CD2626A0CF1FE48967AA29DE3A81C8
2005-02-16 22:22 651 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F56FE4FE26D47D44289CA1CEBC7AC405
2005-02-16 22:22 631 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF8EE74E0CCA806458C9E482151BA8A6
2005-02-16 22:22 618 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_806763CD7A467FB4294FB8AA52AB20BD
2005-02-16 22:22 60 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9CFA723DAAB7A3743891E67B0A4D1083.dll
2005-02-16 22:22 59 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4E8B961723621B64AAF561C75BEF0592.dll
2005-02-16 22:22 571 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C78D6251559ABAF4FB8196B74A753E25
2005-02-16 22:22 539 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C7CFFE676A71D974E974E856C86159EA
2005-02-16 22:22 539 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_32D24B202F012684DA4AD31FAE00122B
2005-02-16 22:22 537 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9CFA723DAAB7A3743891E67B0A4D1083
2005-02-16 22:22 522 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CF05CF94569F9D04984BBCFF08490133
2005-02-16 22:22 522 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9399EE5EF9522ED40832C5941EA6F434
2005-02-16 22:22 522 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7CC4146D512FF764881B45E68D363FB5
2005-02-16 22:22 522 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0DBA73CF8012beb40B0121450E66B2A5
2005-02-16 22:22 522 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472
2005-02-16 22:22 502 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_806763CD7A467FB4294FB8AA52AB20BD.dll
2005-02-16 22:22 40 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9399EE5EF9522ED40832C5941EA6F434.dll
2005-02-16 22:22 339 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_47C7F635B44838640B5CAE931EA9F63E.dll
2005-02-16 22:22 313 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0DBA73CF8012beb40B0121450E66B2A5.dll
2005-02-16 22:22 27 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF8EE74E0CCA806458C9E482151BA8A6.dll
2005-02-16 22:22 2366 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C9280D8FF6C93D110808000CF43A92AA.dll
2005-02-16 22:22 227 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_32D24B202F012684DA4AD31FAE00122B.dll
2005-02-16 22:22 1946 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F56FE4FE26D47D44289CA1CEBC7AC405.dll
2005-02-16 22:22 1668 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C88D9F1068C328E448A001A123126FA7.dll
2005-02-16 22:22 123 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CF05CF94569F9D04984BBCFF08490133.dll
2005-02-16 22:22 1183 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FC6B5F6CC906E82478F6AC3871C620B1.dll
2005-02-16 22:22 108 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
2005-02-16 22:22 107 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C78D6251559ABAF4FB8196B74A753E25.dll
2005-02-16 22:22 10 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C7CFFE676A71D974E974E856C86159EA.dll
2005-02-16 22:22 10 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7CC4146D512FF764881B45E68D363FB5.dll
2005-02-15 04:15 1677 --a--c--- C:\Documents and Settings\All Users\Application Data\SecTaskMan\GMT.exe.q_13C16052_q.start
2004-08-04 00:56 708096 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
2004-08-04 00:56 616960 --a------ C:\Documents and Settings\All Users\Application Data\SecTaskMan\_entreelist.dll

---- Directory of C:\WINDOWS\SxsCaPendDel ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00 28739]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 19:33 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 07:57 294912]
"SoundMan"="SOUNDMAN.EXE" [2003-06-10 21:12 55296 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 08:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 08:07 114688]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 12:46 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CreataCard Gold 2 Forget Me Not Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CreataCard Gold 2 Forget Me Not Reminders.lnk
backup=C:\WINDOWS\pss\CreataCard Gold 2 Forget Me Not Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 C:\Program Files\aim\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 08:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-01-30 19:49 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2003-11-19 20:32 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-19 19:34 3084288 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"AOL ACS"=2 (0x2)
"SBService"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-12 12:47]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-12 12:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 12:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-12 12:47]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-09 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 08:31:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-06-16 12:30:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 06:32:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
Completion time: 2008-06-16 6:34:39
ComboFix-quarantined-files.txt 2008-06-16 13:34:25
ComboFix2.txt 2008-06-15 22:12:09

Pre-Run: 68,965,031,936 bytes free
Post-Run: 69,014,638,592 bytes free

303 --- E O F --- 2008-06-14 08:52:28


MalwareBytes Log
Malwarebytes' Anti-Malware 1.17
Database version: 860

06:52:58 AM 6/16/2008
mbam-log-6-16-2008 (06-52-58).txt

Scan type: Quick Scan
Objects scanned: 36718
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:54:09, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZJzed002YYUS_ZJYYYYYYYYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....8/installer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.ai...AIM.9.5.1.8.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.co...l/MFInstall.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8974 bytes
  • 0

#8
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there dervampyre :)

Let's straighten your security situation out. You are fine with what you have; if you have Spybot Search and Destroy you won't need Windows Defender.
I see you still have Symantec on your computer. It is very bad to have two antivirus programs running on your computer at the same time; I recommend you uninstall Symantec or use the Removal Tool.

Can your firewall still not start up? I don't see it in your log; you need to have one running.

These programs are necessary in keeping your computer safe from hackers and remote attacks against your computer. Without one you are opening a door for hackers. I would like you to download one of these free programs I have listed here for you.
Note: Make sure to only install ONE program, as having more can cause conflicts between these programs, which in turn lowers your protection and slows down your computer.
Step 1. Fixes with HijackThis

Please open HijackThis again and choose "Do a system scan only". Please put a check next to each of the following entries (if still present):

O8 - Extra context menu item: &Search - ?p=ZJzed002YYUS_ZJYYYYYYYYUS
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....8/installer.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)


Now please close all open windows except HJT and press "Fix checked".

Step 2. Making a CFScript

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the Notepad window:
File::
C:\WINDOWS\imsins.BAK

Folder::
C:\Program Files\Common Files\iS3
C:\Documents and Settings\All Users\Application Data\STOPzilla!
C:\Documents and Settings\All Users\Application Data\SecTaskMan
C:\WINDOWS\SxsCaPendDel

Now in Notepad, go to File and, in the menu that drops down, click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that, please reboot your computer if it asks you to and post ComboFix.txt (the report ComboFix will generate) in your next reply.

Step 3. Running Kaspersky Online Virus Scanner

  • Click here to visit Java's website.
  • Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  • Double click on jre-6u6-windows-i586-p.exe to install Java.
  • After the Java installation has finished, please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next reply

Please post the log from ComboFix.
Please post the log from Kaspersky.
Please post the log from HijackThis (after doing the above steps).

If the logs are too big to fit in one reply, please spread them out over multiple replies.

How is your computer running now?

Edited by Mike, 17 June 2008 - 03:05 AM.

  • 0
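As an added example (not part of this thread, HijackThis or ComboFix), here is a small Python triage script that applies the same judgement to HijackThis log lines programmatically: it parses the O8, O16 and O23 line formats seen in the log above and flags the three classes of entry Mike asked to have fixed (a context-menu item with no resolvable target, an ActiveX download from an unrecognised host, and a service whose binary is missing). The allow-list of ActiveX download hosts, the placeholder URL and the sample lines are assumptions constructed for the example.

```python
"""Triage helper for HijackThis (HJT) log lines.

Constructed example for this thread; it is not part of HijackThis, ComboFix
or the post above.  It parses the O8, O16 and O23 line formats that appear
in the log and applies three defender-side checks that correspond to the
three entries the helper asked to have fixed:

  O8  - a context-menu item whose target is not a res://, file:// or
        http(s):// resource has nothing legitimate to execute.
  O16 - a Downloaded Program Files (ActiveX) entry fetched from a host
        outside a short allow-list deserves review; a URL the forum has
        shortened with "...." cannot be verified at all and is flagged as
        truncated.
  O23 - a service whose binary HJT reports as "(file missing)" is an
        orphaned registration.

The allow-list below is an assumption of this example, not an HJT feature.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allow-list of vendor hosts from which ActiveX downloads are expected.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "security.symantec.com", "messenger.msn.com"}

O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<name>.+?) - (?P<target>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
RESOLVABLE_TARGET_RE = re.compile(r"^(res|file|https?)://", re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # HJT line type: O8, O16 or O23
    subject: str  # the item the finding is about
    reason: str   # why a defender should look at it


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O8/O16/O23 line, else None.

    Line types this example does not model (O2, O4, ...) return None.
    """
    line = line.strip()

    m = O8_RE.match(line)
    if m:
        target = m.group("target")
        if not RESOLVABLE_TARGET_RE.match(target):
            return Finding("O8", m.group("name"),
                           f"context menu item has no resolvable target: {target!r}")
        return None

    m = O16_RE.match(line)
    if m:
        url = m.group("url")
        host = (urlsplit(url).hostname or "").lower()
        subject = m.group("name") or m.group("clsid")
        if "..." in host:
            # The forum shortens long URLs with "....", so the host cannot be checked.
            return Finding("O16", subject,
                           f"download URL is truncated in the log ({url}); verify the real host")
        if host not in TRUSTED_DPF_HOSTS:
            return Finding("O16", subject, f"ActiveX download from unrecognised host {host!r}")
        return None

    m = O23_RE.match(line)
    if m and m.group("missing"):
        return Finding("O23", m.group("name"),
                       f"service binary missing: {m.group('path')} (owner: {m.group('owner')})")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log and keep the hits."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f]


# Constructed sample: entries copied from the log above (including the forum's
# "...." URL shortening) plus a placeholder full URL to show an allow-listed host.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: &Search - ?p=ZJzed002YYUS_ZJYYYYYYYYUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://ax.web-nexus....8/installer.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=PLACEHOLDER
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.kind:<4} {finding.subject}: {finding.reason}")
```

Run against the sample it reports exactly the three entries from Step 1: the bare `?p=` context-menu target, the unnamed DPF control whose URL the forum has truncated (so the real host must be checked in the original log before deciding), and the aspnet_state service whose binary is gone. The allow-list is deliberately short; in practice it should be built from the vendors actually present on the machine being cleaned, and anything not on it is a prompt to look, not an automatic verdict.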

#9
dervampyre

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
The web browsing is a bit better, still slow though. And something is keeping the firewall from being able to turn on, but I installed ZoneAlarm now so that's OK. The Symantec stuff was an update thing and WMI something, but I uninstalled all that too. And I still have popups, but not as frequently.

ComboFix Log
ComboFix 08-06-15.2 - Holly 2008-06-17 2:52:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.673 [GMT -7:00]
Running from: C:\Documents and Settings\Holly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Holly\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\imsins.BAK
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SecTaskMan
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_CMESys253C6001
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_entreelist.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_fsg_420342FF521D
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_GMT1DDB6052
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_lxbrksk28178004
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_shwicon2k2C502002
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_spoolvse33B0
C:\Documents and Settings\All Users\Application Data\SecTaskMan\_ycomp5_5_7_03B4B7857
C:\Documents and Settings\All Users\Application Data\SecTaskMan\GMT.exe.q_13C16052_q.ini
C:\Documents and Settings\All Users\Application Data\SecTaskMan\GMT.exe.q_13C16052_q.start
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0296961D4979CBB4A803A78867D35E2A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0296961D4979CBB4A803A78867D35E2A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0DBA73CF8012beb40B0121450E66B2A5
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_0DBA73CF8012beb40B0121450E66B2A5.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12340
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12341
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_12345
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2A5C838123BA5414581CBBB9D8AF42DC
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_2A5C838123BA5414581CBBB9D8AF42DC.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_32D24B202F012684DA4AD31FAE00122B
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_32D24B202F012684DA4AD31FAE00122B.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_47C7F635B44838640B5CAE931EA9F63E
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_47C7F635B44838640B5CAE931EA9F63E.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4E8B961723621B64AAF561C75BEF0592
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4E8B961723621B64AAF561C75BEF0592.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_4F57260AB42358E4596E782BDC274910.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_56A968A049C8C7F45A7C79D2C3C8DEE9
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_56A968A049C8C7F45A7C79D2C3C8DEE9.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_60CD2626A0CF1FE48967AA29DE3A81C8
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_60CD2626A0CF1FE48967AA29DE3A81C8.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6DB1FB74CACDF8640ADA5EEDCC22113C
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_6DB1FB74CACDF8640ADA5EEDCC22113C.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7CC4146D512FF764881B45E68D363FB5
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_7CC4146D512FF764881B45E68D363FB5.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_806763CD7A467FB4294FB8AA52AB20BD
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_806763CD7A467FB4294FB8AA52AB20BD.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A59AC069BF05AA4CAA330E5E112E5C3
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_8A59AC069BF05AA4CAA330E5E112E5C3.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_90A2CC5A3D9ECE9429D33078B4DBC4C2
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_90A2CC5A3D9ECE9429D33078B4DBC4C2.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9399EE5EF9522ED40832C5941EA6F434
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9399EE5EF9522ED40832C5941EA6F434.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9714374497A8EED4BB803730F7605534
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9714374497A8EED4BB803730F7605534.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9CFA723DAAB7A3743891E67B0A4D1083
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_9CFA723DAAB7A3743891E67B0A4D1083.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_B0B35DEDC76B4424EAA66DDFC3821DFE.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_b25099274a207264182f8181add555d0
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_b25099274a207264182f8181add555d0.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BC7AD522377C86F4088681C404282C1F
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BC7AD522377C86F4088681C404282C1F.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF4B2EC9721885040B825C6921244A18
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF4B2EC9721885040B825C6921244A18.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF8EE74E0CCA806458C9E482151BA8A6
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_BF8EE74E0CCA806458C9E482151BA8A6.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C78D6251559ABAF4FB8196B74A753E25
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C78D6251559ABAF4FB8196B74A753E25.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C7CFFE676A71D974E974E856C86159EA
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C7CFFE676A71D974E974E856C86159EA.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C88D9F1068C328E448A001A123126FA7
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C88D9F1068C328E448A001A123126FA7.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C9280D8FF6C93D110808000CF43A92AA
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_C9280D8FF6C93D110808000CF43A92AA.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CB6775856DB42DB41AA9D1C64BA404B3
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CB6775856DB42DB41AA9D1C64BA404B3.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CF05CF94569F9D04984BBCFF08490133
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_CF05CF94569F9D04984BBCFF08490133.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E240F47B9B1EB5A4D86483B71B270F4A
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_E240F47B9B1EB5A4D86483B71B270F4A.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F56FE4FE26D47D44289CA1CEBC7AC405
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_F56FE4FE26D47D44289CA1CEBC7AC405.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FC6B5F6CC906E82478F6AC3871C620B1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FC6B5F6CC906E82478F6AC3871C620B1.dll
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FF41E933CDF89084AA2F78AB2209C5F7
C:\Documents and Settings\All Users\Application Data\SecTaskMan\icn_FF41E933CDF89084AA2F78AB2209C5F7.dll
C:\Documents and Settings\All Users\Application Data\STOPzilla!
C:\Documents and Settings\All Users\Application Data\STOPzilla!\modules_scanned.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\modules_scanned.db.bak
C:\Documents and Settings\All Users\Application Data\STOPzilla!\scanner.log
C:\Documents and Settings\All Users\Application Data\STOPzilla!\sgdefs.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\sgdwc.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\sgupdater.log
C:\Documents and Settings\All Users\Application Data\STOPzilla!\userdata.db
C:\Documents and Settings\All Users\Application Data\STOPzilla!\zilla5.log
C:\Documents and Settings\Holly\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Common Files\iS3
C:\Program Files\Common Files\iS3\Anti-Spyware\phishing.rsf
C:\Program Files\Common Files\iS3\Anti-Spyware\sgdfull.rsf
C:\WINDOWS\imsins.BAK
C:\WINDOWS\SxsCaPendDel

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 02:39 . 2008-06-17 02:59 127,008 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-17 02:39 . 2008-06-17 02:39 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-17 02:36 . 2008-06-17 02:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-17 02:36 . 2008-06-17 02:37 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-17 02:35 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-06-17 02:34 . 2008-06-17 02:34 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-15 13:56 . 2008-06-15 13:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-15 13:48 . 2008-06-15 14:37 <DIR> d-------- C:\SDFix
2008-06-14 02:00 . 2008-06-14 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\SUPERAntiSpyware.com
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-13 22:45 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 20:24 . 2008-06-13 20:25 <DIR> d-------- C:\Program Files\Panda Security
2008-06-13 18:30 . 2008-06-13 18:30 <DIR> d-------- C:\VundoFix Backups
2008-06-13 00:56 . 2008-06-13 00:56 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-13 00:35 . 2008-06-13 00:35 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 22:23 . 2008-06-12 22:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-12 22:23 . 2008-06-12 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 22:22 . 2008-06-13 23:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 14:05 . 2008-06-12 14:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-12 13:44 . 2008-06-13 21:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-12 12:47 . 2008-06-16 08:55 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-12 12:47 . 2008-06-12 12:47 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-12 12:47 . 2008-06-12 12:47 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-12 12:47 . 2008-06-12 12:47 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Program Files\AVG
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-12 00:20 . 2008-06-12 01:14 153 --a------ C:\WINDOWS\wininit.ini
2008-06-11 23:52 . 2008-06-11 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-11 23:52 . 2008-06-12 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 16:00 . 2008-06-16 04:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-10 22:43 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-06-10 22:35 . 2008-06-10 22:35 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-10 20:32 . 2008-06-10 20:32 4,808 --a------ C:\WINDOWS\system32\gaeffect.sti
2008-06-10 20:32 . 2008-06-10 20:32 3,176 --a------ C:\WINDOWS\system32\gafilter.sti
2008-06-10 20:31 . 2008-06-11 13:13 326 --a------ C:\WINDOWS\ULEAD32.INI
2008-06-10 17:32 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:12 . 2008-06-10 00:12 <DIR> d-------- C:\WINDOWS\Noslip
2008-06-10 00:12 . 2008-06-10 20:03 <DIR> d-------- C:\Program Files\BitLord
2008-06-10 00:12 . 2008-06-10 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-03 20:54 . 2008-06-03 20:58 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-03 20:48 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-03 20:48 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-03 20:48 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-03 20:48 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-03 20:48 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-03 20:48 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-03 20:48 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-03 20:48 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-03 20:48 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-03 20:47 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Program Files\Lexmark 640 Series
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Lexmark
2008-05-31 18:28 . 2006-03-28 05:29 73,728 --a------ C:\WINDOWS\system32\lxdapwr.dll
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\acccore
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-31 18:18 . 2008-05-31 18:19 <DIR> d-------- C:\Program Files\AIM6
2008-05-31 18:16 . 2008-05-31 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-31 18:16 . 2008-05-31 18:16 29 --a------ C:\WINDOWS\atid.ini
2008-05-31 16:41 . 2008-05-31 16:41 <DIR> d-------- C:\Program Files\iPod
2008-05-31 16:40 . 2008-05-31 16:40 <DIR> d-------- C:\Program Files\Bonjour
2008-05-31 16:38 . 2008-05-31 16:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 19:43 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-30 19:34 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-30 19:34 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-30 19:16 . 2003-04-06 08:05 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 09:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-13 05:13 --------- d-----w C:\Documents and Settings\Holly\Application Data\Lavasoft
2008-06-12 18:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 18:42 --------- d-----w C:\Program Files\Creative
2008-06-12 18:39 --------- d-----w C:\Program Files\Yahoo! Games
2008-06-04 04:52 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-04 04:45 --------- d-----w C:\Program Files\PopCap Games
2008-06-04 03:56 --------- d-----w C:\Program Files\Yahoo!
2008-06-04 03:54 --------- d--h--r C:\Documents and Settings\Holly\Application Data\yahoo!
2008-06-01 01:30 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 01:30 --------- d-----w C:\Program Files\aim
2008-06-01 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-31 23:43 --------- d-----w C:\Program Files\iTunes
2008-05-31 23:39 --------- d-----w C:\Program Files\QuickTime
2008-05-31 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-03 04:07 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_15.11.31.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 22:03:51 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 09:39:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-07-19 23:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2008-04-03 04:07:36 796,048 ----a-w C:\WINDOWS\system32\libeay32_0.9.6l.dll
- 2008-06-14 09:00:47 52,648 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-16 19:32:56 52,648 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-14 09:00:47 342,510 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-16 19:32:56 342,510 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-03 04:07:40 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2008-04-03 04:08:00 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2008-04-03 04:07:40 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2008-04-03 04:07:40 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2008-04-03 04:07:40 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2008-04-03 04:07:42 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2008-04-03 04:07:42 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2008-04-03 04:07:42 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2008-04-03 04:07:42 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2008-04-03 04:07:44 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2008-04-03 04:07:44 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2008-04-03 04:07:32 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 08:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 22:47:36 21,568 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-31 08:03:30 1,628 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-31 08:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 08:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 08:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 08:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-20 07:12:14 208,960 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 22:53:58 282,624 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-20 02:13:52 1,093,632 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 08:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 08:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 08:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 08:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 22:53:58 139,264 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-20 02:13:52 200,704 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2008-04-03 04:07:32 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 20:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2008-04-03 04:07:34 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2008-04-03 04:07:34 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2008-04-03 04:07:34 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2008-04-03 04:08:02 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2008-04-03 04:08:02 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-04-03 04:08:02 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-04-03 04:08:02 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-04-03 04:08:02 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-04-03 04:09:10 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-04-03 04:09:12 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2008-02-27 11:10:26 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2008-02-27 11:10:28 792,032 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2008-04-03 04:07:38 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2008-01-21 16:34:36 7,603,688 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-02-27 11:10:32 1,504,736 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2008-02-27 11:10:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2008-04-03 04:07:38 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2008-04-03 04:09:12 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2008-04-03 04:09:14 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 04:59:14 503,875 ----a-w C:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-12 00:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2008-04-03 04:07:54 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-12 01:31:06 286,787 ----a-w C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2008-04-03 04:07:40 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2008-04-03 04:07:40 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2008-04-03 04:07:54 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2008-04-03 04:07:40 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2008-04-03 04:07:42 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2008-04-03 04:07:42 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2008-01-21 16:34:36 7,603,688 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2008-04-03 04:07:44 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2008-04-03 04:07:44 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2008-04-03 04:07:46 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2008-04-03 04:07:46 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00 28739]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 19:33 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 07:57 294912]
"SoundMan"="SOUNDMAN.EXE" [2003-06-10 21:12 55296 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 08:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 08:07 114688]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 12:46 1177368]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CreataCard Gold 2 Forget Me Not Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CreataCard Gold 2 Forget Me Not Reminders.lnk
backup=C:\WINDOWS\pss\CreataCard Gold 2 Forget Me Not Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 C:\Program Files\aim\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 08:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-01-30 19:49 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2003-11-19 20:32 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-19 19:34 3084288 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"AOL ACS"=2 (0x2)
"SBService"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-12 12:47]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-12 12:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 12:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-12 12:47]

*Newly Created Service* - KLIF
*Newly Created Service* - SRESCAN
*Newly Created Service* - VSMON
.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 20:24:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 02:58:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 3:01:18
ComboFix-quarantined-files.txt 2008-06-17 10:01:09
ComboFix2.txt 2008-06-16 13:34:40
ComboFix3.txt 2008-06-15 22:12:09

Pre-Run: 68,818,862,080 bytes free
Post-Run: 68,849,459,200 bytes free

384 --- E O F --- 2008-06-14 08:52:28


Kaspersky Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 17, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 17, 2008 23:22:51
Records in database: 877234
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 52133
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:17:03


File name / Threat name / Threats count
C:\WINDOWS\system32\.pif Infected: Trojan-Downloader.BAT.Ftp.z 1
C:\WINDOWS\system32\70tovmto.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao 1

The selected area was scanned.


HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:16:45, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/c...tallerProj1.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.co...er/MFImgVwr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.ai...AIM.9.5.1.8.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.co...l/MFInstall.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9322 bytes

#10
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Hi there,

Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and paste (Control + V) the content into the Notepad window:
File::
C:\WINDOWS\system32\70tovmto.ini
C:\WINDOWS\system32\.pif 
Folder::
C:\WINDOWS\system32\.pif
Now in Notepad, go to File and, in the menu that drops down, click on Save As...
Save the file as CFScript.txt.

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

After that, please reboot your computer if it asks you to, and post ComboFix.txt (the report ComboFix will generate) in your next reply.

Other than that, your logs look clean. Are you still getting popups? If so, could you tell me what they are advertising, or the URL of the popup?

#11
dervampyre
    New Member
  • Topic Starter
  • Member
  • 6 posts
OK, after keeping an eye on it yesterday, there haven't been any popups at all. Everything seems to be better now, thank you. Below is the ComboFix log, and I also included a program list to see if there's anything else that isn't necessary or conflicts with something else.

ComboFix Log
ComboFix 08-06-15.2 - Holly 2008-06-18 10:12:04.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.561 [GMT -7:00]
Running from: C:\Documents and Settings\Holly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Holly\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\.pif
C:\WINDOWS\system32\70tovmto.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\.pif
C:\WINDOWS\system32\.pif\
C:\WINDOWS\system32\70tovmto.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 03:09 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-17 03:08 . 2008-06-17 03:09 <DIR> d-------- C:\Program Files\Java
2008-06-17 03:08 . 2008-06-17 03:08 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-17 02:39 . 2008-06-18 10:18 3,528,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-17 02:39 . 2008-06-17 02:39 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-17 02:36 . 2008-06-17 02:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-06-17 02:36 . 2008-06-17 02:37 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-17 02:35 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-06-17 02:34 . 2008-06-17 02:34 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-15 13:56 . 2008-06-15 13:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-15 13:48 . 2008-06-15 14:37 <DIR> d-------- C:\SDFix
2008-06-14 02:00 . 2008-06-14 02:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\SUPERAntiSpyware.com
2008-06-13 23:59 . 2008-06-13 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-13 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-13 22:45 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-13 22:45 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-13 20:24 . 2008-06-13 20:25 <DIR> d-------- C:\Program Files\Panda Security
2008-06-13 18:30 . 2008-06-13 18:30 <DIR> d-------- C:\VundoFix Backups
2008-06-13 00:56 . 2008-06-13 00:56 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-13 00:35 . 2008-06-13 00:35 <DIR> d-------- C:\Program Files\CCleaner
2008-06-12 22:23 . 2008-06-12 22:23 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-12 22:23 . 2008-06-12 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 22:22 . 2008-06-13 23:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 14:05 . 2008-06-12 14:05 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-12 13:44 . 2008-06-13 21:44 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-12 12:47 . 2008-06-18 10:07 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-12 12:47 . 2008-06-12 12:47 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-12 12:47 . 2008-06-12 12:47 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-12 12:47 . 2008-06-12 12:47 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Program Files\AVG
2008-06-12 12:46 . 2008-06-12 12:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-12 00:20 . 2008-06-12 01:14 153 --a------ C:\WINDOWS\wininit.ini
2008-06-11 23:52 . 2008-06-11 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-11 23:52 . 2008-06-12 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 16:00 . 2008-06-16 04:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-06-10 22:43 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-06-10 22:35 . 2008-06-10 22:35 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-10 20:32 . 2008-06-10 20:32 4,808 --a------ C:\WINDOWS\system32\gaeffect.sti
2008-06-10 20:32 . 2008-06-10 20:32 3,176 --a------ C:\WINDOWS\system32\gafilter.sti
2008-06-10 20:31 . 2008-06-11 13:13 326 --a------ C:\WINDOWS\ULEAD32.INI
2008-06-10 17:32 . 2008-04-14 04:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 00:12 . 2008-06-10 00:12 <DIR> d-------- C:\WINDOWS\Noslip
2008-06-10 00:12 . 2008-06-10 20:03 <DIR> d-------- C:\Program Files\BitLord
2008-06-10 00:12 . 2008-06-10 00:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ulead Systems
2008-06-03 20:54 . 2008-06-03 20:58 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-03 20:48 . 2008-04-22 21:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-03 20:48 . 2007-04-17 02:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-03 20:48 . 2007-03-07 22:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-03 20:48 . 2008-04-22 21:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-03 20:48 . 2008-04-22 21:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-03 20:48 . 2008-04-22 21:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-03 20:48 . 2008-04-22 21:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-03 20:48 . 2008-04-22 21:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-03 20:48 . 2008-04-22 00:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-03 20:47 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Program Files\Lexmark 640 Series
2008-05-31 18:28 . 2008-05-31 18:28 <DIR> d-------- C:\Lexmark
2008-05-31 18:28 . 2006-03-28 05:29 73,728 --a------ C:\WINDOWS\system32\lxdapwr.dll
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\Holly\Application Data\acccore
2008-05-31 18:19 . 2008-05-31 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-05-31 18:18 . 2008-05-31 18:19 <DIR> d-------- C:\Program Files\AIM6
2008-05-31 18:16 . 2008-05-31 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-31 18:16 . 2008-05-31 18:16 29 --a------ C:\WINDOWS\atid.ini
2008-05-31 16:41 . 2008-05-31 16:41 <DIR> d-------- C:\Program Files\iPod
2008-05-31 16:40 . 2008-05-31 16:40 <DIR> d-------- C:\Program Files\Bonjour
2008-05-31 16:38 . 2008-05-31 16:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-31 16:37 . 2008-05-31 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-30 19:43 . 2007-07-09 06:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-05-30 19:34 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-30 19:34 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-30 19:34 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-30 19:16 . 2003-04-06 08:05 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-05-30 19:03 . 2004-08-03 21:31 20,992 --a--c--- C:\WINDOWS\system32\dllcache\rtl8139.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 09:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-13 05:13 --------- d-----w C:\Documents and Settings\Holly\Application Data\Lavasoft
2008-06-12 18:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 18:42 --------- d-----w C:\Program Files\Creative
2008-06-12 18:39 --------- d-----w C:\Program Files\Yahoo! Games
2008-06-04 04:52 --------- d-----w C:\Program Files\NCH Swift Sound
2008-06-04 04:45 --------- d-----w C:\Program Files\PopCap Games
2008-06-04 03:56 --------- d-----w C:\Program Files\Yahoo!
2008-06-04 03:54 --------- d--h--r C:\Documents and Settings\Holly\Application Data\yahoo!
2008-06-01 01:30 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-01 01:30 --------- d-----w C:\Program Files\aim
2008-06-01 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-31 23:43 --------- d-----w C:\Program Files\iTunes
2008-05-31 23:39 --------- d-----w C:\Program Files\QuickTime
2008-05-31 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-03 04:07 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-17_ 3.00.27.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-05-06 19:14:22 20,547 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-03-25 08:28:39 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2001-05-06 19:14:22 20,549 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 08:28:43 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-25 09:37:01 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-04-03 04:08:02 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-06-17 10:03:41 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 13:00 28739]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 19:33 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 07:57 294912]
"SoundMan"="SOUNDMAN.EXE" [2003-06-10 21:12 55296 C:\WINDOWS\SOUNDMAN.EXE]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 08:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 08:07 114688]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 12:46 1177368]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CreataCard Gold 2 Forget Me Not Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CreataCard Gold 2 Forget Me Not Reminders.lnk
backup=C:\WINDOWS\pss\CreataCard Gold 2 Forget Me Not Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 C:\Program Files\aim\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 08:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-01-30 19:49 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
--a------ 2003-11-19 20:32 139264 C:\Program Files\Multimedia Card Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-19 19:34 3084288 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"AOL ACS"=2 (0x2)
"SBService"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\aim\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-12 12:47]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-12 12:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-12 12:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-12 12:47]

*Newly Created Service* - KLIF
*Newly Created Service* - SRESCAN
*Newly Created Service* - VSMON
.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 20:24:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 10:17:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 10:20:43
ComboFix-quarantined-files.txt 2008-06-18 17:20:33
ComboFix2.txt 2008-06-17 10:01:20
ComboFix3.txt 2008-06-16 13:34:40
ComboFix4.txt 2008-06-15 22:12:09

Pre-Run: 68,427,714,560 bytes free
Post-Run: 68,484,956,160 bytes free

228 --- E O F --- 2008-06-14 08:52:28


HijackThis Uninstall List
ABBYY FineReader 5.0 Sprint
Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
AIM 6.0
AIM Toolbar
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
AVG Free 8.0
Big Money Deluxe 1.22
BitLord 1.1
Bonjour
BookWorm Deluxe 1.02
CCleaner (remove only)
CLO
CreataCard Gold 2
Creative WebCam Center
Creative WebCam Instant Driver (1.00.08.0416)
Creative WebCam Instant User's Guide (English)
dBpowerAMP WMA V9.1 Codec
DivX
DivX Player
Express Burn Uninstall
Express Rip Uninstall
Family Tree Maker
Family Tree Maker 2006
FaxTools
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
InterActual Player
IOI Multimedia Card Reader
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java™ 6 Update 6
Lexmark 3100 Series
Lexmark 640 Series
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Media Video 9 VCM
Microsoft Works 6.0
MSN
MSXML 6.0 Parser (KB933579)
NingPo MahJong Deluxe 1.04
Panda ActiveScan 2.0
Pattern Maker for cross stitch - v4 (Std)
PowerDVD
QuarkXPress 4.0
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
RecordPad Sound Recorder Uninstall
Scrapbook Factory Deluxe
Security Task Manager 1.7f
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
TipTop Deluxe 1.1
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Backup Utility
Windows Defender Signatures
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v4
Yahoo! Search Suggest Add-on for IE7
Yahoo! Toolbar
ZoneAlarm
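As an added example (not part of the original post and not ComboFix's own code), the Python below reads the Reg Loading Points block from the log above and reports the entries a responder checks first: the Run-key autostarts, the AppInit_DLLs value, the services listed under msconfig\services, the Security Center monitoring override and the Windows Firewall authorized-application list. The sample text is a constructed excerpt copied from the log in this thread. One interpretation is an assumption and is marked as such in the code: that entries under the msconfig\services key are services msconfig has been used to disable, which is how ComboFix presents them.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log.

Added example for this thread, not code from ComboFix or from the original
posts. It parses the REGEDIT4-style block and reports what an analyst reads
first: Run-key autostarts, AppInit_DLLs, services disabled through msconfig,
Security Center monitoring overrides and the Windows Firewall
authorized-application list.
"""
import re

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-06-10 21:12 55296 C:\WINDOWS\SOUNDMAN.EXE]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-12 12:46 1177368]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\aim\\aim.exe"=
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
# Run-key data is  "path" [timestamp size ...]; the bracketed part is optional.
PATH_RE = re.compile(r'^"(?P<path>[^"]*)"(?:\s+\[(?P<meta>.*)\])?$')


def parse_loading_points(text):
    """Yield (key, value_name, data) for every value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group('name'), m.group('data')


def dword(data):
    """Decode the dword:XXXXXXXX notation; None for anything else."""
    return int(data.split(':', 1)[1], 16) if data.lower().startswith('dword:') else None


def triage(text):
    """Return (severity, finding) pairs; severities are info, check, alert."""
    findings = []
    for key, name, data in parse_loading_points(text):
        k = key.lower()
        if k.endswith('\\run'):
            m = PATH_RE.match(data)
            path = m.group('path') if m else data
            if '\\' not in path:
                # A bare file name is resolved through the search path at logon,
                # so confirm which copy actually runs.
                findings.append(('check', f'Run entry "{name}" uses bare file name {path}'))
            else:
                findings.append(('info', f'Run entry "{name}" -> {path}'))
        elif name.lower() == 'appinit_dlls' and data.strip():
            # Every DLL named here is loaded into every process that loads user32.dll.
            findings.append(('check', f'AppInit_DLLs loads {data.strip()} into all user32 processes'))
        elif 'msconfig\\services' in k:
            # Assumption (see lead-in): msconfig lists the services it has disabled here.
            if name.lower() == 'sharedaccess':
                findings.append(('alert', f'Service {name} (Windows Firewall/ICS) disabled via msconfig'))
            else:
                findings.append(('check', f'Service {name} disabled via msconfig'))
        elif 'security center\\monitoring' in k and name.lower() == 'disablemonitoring':
            if dword(data) == 1:
                product = key.rsplit('\\', 1)[-1]
                findings.append(('alert', f'Security Center monitoring disabled for {product}'))
        elif 'authorizedapplications' in k:
            # .reg escaping doubles backslashes; undo it for display.
            findings.append(('info', f'Windows Firewall allows {name.replace(chr(92) * 2, chr(92))}'))
    return findings


if __name__ == '__main__':
    for severity, finding in triage(SAMPLE):
        print(f'[{severity:5}] {finding}')
```

Run against the sample, the two alerts line up with the original complaint in this thread: the SharedAccess service (Windows Firewall/Internet Connection Sharing) is listed as disabled, and Security Center has been told not to monitor the ZoneAlarm firewall. The AVG AppInit_DLLs entry is expected for that product, but AppInit_DLLs is a favourite persistence point, so it is always worth naming explicitly in a triage report.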

#12
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there,

Your logs look good :)

Go to Add or Remove Programs and remove the following for me.

Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment Standard Edition v1.3.1_02
Viewpoint Manager (Remove Only)
Viewpoint Media Player


Viewpoint is considered foistware; however, I recommend you uninstall it. Take a look here for some information: http://www.clickz.co...ml?page=3561546

Step 1. Removing ComboFix

Click START then RUN
Now type Combofix /u in the Run box and click OK.
Notice the space between the x and / -- that needs to be there.

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.

Step 2. Configuring Automatic Updates

Click the Automatic Updates tab. Choose the update option that best suits your needs, but be sure that Automatic Updates is not turned off. Windows XP will now notify you and download important updates and security patches as they become available.
Click "OK" to save your new settings and close the System Properties dialogue.

Step 3. Preventing future infection

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.spywarewa...uc/resource.htm

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Also make sure to run your antivirus software regularly, and to keep it up-to-date.

There are many programs that can be used for your protection, most falling within the three main categories of anti-virus, anti-spyware and firewall. Please be careful to never run more than one program of the same category in resident mode, as conflicts between the different programs can actually decrease your protection.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
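The IE-SPYAD recommendation above works by assigning sites to Internet Explorer's Restricted sites zone through the registry. As an added example (not IE-SPYAD's list or code, and not part of the original post), the Python below builds a REGEDIT4 file in that layout and includes a small parser that reads the same ZoneMap export back, so it can also be used to audit a suspect machine for sites a hijacker has pushed into the Trusted zone. The host names are constructed placeholders. One simplification is marked in the code: the registrable domain is taken as the last two labels, which does not model IE's extra rules for registries such as co.uk.

```python
r"""Put domains in Internet Explorer's Restricted sites zone via a .reg file.

Added example for this thread; it is not IE-SPYAD's list or code. It shows
the mechanism the post describes: IE keeps per-site zone assignments under
ZoneMap\Domains, and a DWORD named "*" set to 4 assigns every scheme of that
site to the Restricted sites zone. The host names are constructed
placeholders; the audit parser reads the same layout back, so it also
works on a ZoneMap export from a machine you are inspecting.
"""
import re

ZONEMAP = (r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion'
           r'\Internet Settings\ZoneMap\Domains')
# IE zone ids: 0 local machine, 1 intranet, 2 trusted, 3 internet, 4 restricted.
RESTRICTED = 4
TRUSTED = 2

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def zone_key(host):
    r"""Map a host name to its ZoneMap subkey.

    IE keys the registrable domain and nests the remaining labels as one
    subkey, so ads.tracker.example becomes Domains\tracker.example\ads.
    Simplification: the last two labels are taken as the domain; IE has
    extra rules for registries such as co.uk that this example does not model.
    """
    labels = host.lower().strip('.').split('.')
    if len(labels) < 2 or not all(labels):
        raise ValueError(f'not a dotted host name: {host!r}')
    base = '.'.join(labels[-2:])
    sub = '.'.join(labels[:-2])
    return f'{ZONEMAP}\\{base}' + (f'\\{sub}' if sub else '')


def build_reg(hosts, zone=RESTRICTED):
    """Return REGEDIT4 text assigning every host to the given zone."""
    lines = ['REGEDIT4', '']
    for key in sorted({zone_key(h) for h in hosts}):
        lines += [f'[{key}]', f'"*"=dword:{zone:08x}', '']
    return '\r\n'.join(lines)


def zone_assignments(reg_text):
    r"""Parse a ZoneMap\Domains export into {host: zone_id}.

    Useful on a suspect machine too: a hijacker that adds sites to the
    Trusted zone shows up as a value of 2 here.
    """
    prefix = ZONEMAP.lower() + '\\'
    result, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VAL_RE.match(line)
        if not (m and key and key.lower().startswith(prefix)):
            continue
        parts = key[len(prefix):].split('\\')      # [domain] or [domain, subdomain]
        host = '.'.join(reversed(parts)) if len(parts) == 2 else parts[0]
        result[host] = int(m.group('hex'), 16)
    return result


def suspicious_trusted(reg_text):
    """Hosts an export assigns to the Trusted zone, the ones to question first."""
    return sorted(h for h, z in zone_assignments(reg_text).items() if z == TRUSTED)


if __name__ == '__main__':
    print(build_reg(['ads.tracker.example', 'malware-host.test']))
```

The generated file is applied with regedit (double-click, or `regedit /s file.reg`); to audit an existing machine, export the ZoneMap\Domains key from regedit and feed the export to `zone_assignments` or `suspicious_trusted`. Restricting a site only helps if the Restricted sites zone itself is left at its default, locked-down settings, so check that too.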

#13
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
