Hello Jouju,
Please follow the step from my last post to you, downloading and running ComboFix.
Here it is:
ComboFix 08-07-26.1 - judith 2008-07-29 20:05:12.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT -4:00]
Running from: C:\Documents and Settings\judith\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\judith\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\judith\Application Data\macromedia\Flash Player\#SharedObjects\D33M66HE\interclick.com
C:\Documents and Settings\judith\Application Data\macromedia\Flash Player\#SharedObjects\D33M66HE\interclick.com\ud.sol
C:\Documents and Settings\judith\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\judith\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.
2008-07-19 13:40 . 2008-07-27 17:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-19 13:40 . 2008-07-19 13:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-19 13:06 . 2008-07-19 13:06 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-07 19:50 . 2008-07-12 06:31 <DIR> d----c--- C:\Documents and Settings\judith\DoctorWeb
2008-07-04 09:05 . 2008-07-04 09:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-04 09:05 . 2008-07-04 09:05 <DIR> d----c--- C:\Documents and Settings\judith\Application Data\Malwarebytes
2008-07-04 09:05 . 2008-07-04 09:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-04 09:05 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-04 09:05 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-29 09:10 . 2008-06-29 09:10 <DIR> d----c--- C:\_OTMoveIt
2008-06-28 08:18 . 2008-06-28 08:18 <DIR> d----c--- C:\Deckard
2008-06-28 08:10 . 2008-06-28 08:10 2,358 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-26 22:45 . 2008-06-26 22:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-09 21:24 . 2008-06-09 21:24 <DIR> d----c--- C:\Documents and Settings\judith\viewone
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 16:58 --------- d-----w C:\Program Files\Java
2008-07-01 11:23 --------- d-----w C:\Program Files\Bonjour
2008-06-26 23:40 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 01:46 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-02 05:32 722,176 -c--a-w C:\Documents and Settings\judith\gotomypc_428.exe
2007-01-15 00:58 563,712 -c--a-w C:\Documents and Settings\judith\gotomypc_370.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-26_22.31.45.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 04:56:50 1,034,752 ----a-w C:\WINDOWS\explorer.exe
+ 2004-08-04 04:56:50 1,032,192 ----a-w C:\WINDOWS\explorer.exe
+ 2008-07-19 17:06:40 27,136 ----a-r C:\WINDOWS\Installer\{02DFF6B1-1654-411C-8D7B-FD6052EF016F}\AppleSoftwareUpdateIco.exe
- 2005-08-13 17:32:55 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-30 03:31:01 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2005-08-13 17:32:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-30 03:31:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-08-13 17:32:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-30 03:31:01 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2004-08-04 04:56:50 1,032,192 -c--a-w C:\WINDOWS\system32\dllcache\explorer.exe
+ 2004-08-04 04:56:52 13,312 -c--a-w C:\WINDOWS\system32\dllcache\lsass.exe
+ 2004-08-04 04:56:56 108,032 -c--a-w C:\WINDOWS\system32\dllcache\services.exe
+ 2004-08-04 04:56:58 57,856 -c--a-w C:\WINDOWS\system32\dllcache\spoolsv.exe
+ 2004-08-04 04:56:58 14,336 -c--a-w C:\WINDOWS\system32\dllcache\svchost.exe
+ 2004-08-04 04:56:58 502,272 -c--a-w C:\WINDOWS\system32\dllcache\winlogon.exe
- 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2004-08-04 04:56:52 14,848 ----a-w C:\WINDOWS\system32\lsass.exe
+ 2004-08-04 04:56:52 13,312 ----a-w C:\WINDOWS\system32\lsass.exe
- 2004-08-04 04:56:56 110,592 ----a-w C:\WINDOWS\system32\services.exe
+ 2004-08-04 04:56:56 108,032 ----a-w C:\WINDOWS\system32\services.exe
- 2005-06-10 23:53:32 58,880 ----a-w C:\WINDOWS\system32\spoolsv.exe
+ 2004-08-04 04:56:58 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
- 2004-08-04 04:56:58 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
+ 2004-08-04 04:56:58 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
- 2004-08-04 04:56:58 506,368 ----a-w C:\WINDOWS\system32\winlogon.exe
+ 2004-08-04 04:56:58 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
+ 2008-07-26 13:56:59 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_f8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-10-07 12:39 90112]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 06:50 155648]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-05-10 16:04 11776]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-01-12 18:45 249904]
C:\Documents and Settings\judith\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2002-08-09 16:36:20 299008]
PowerReg SchedulerV2.exe [2005-11-05 13:59:51 256000]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-08-13 21:04:48 724992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-01-12 18:45 10800 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Sony Handheld\\HOTSYNC.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 18:59]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-03 22:29]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 04:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 05:28]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44b1caa1-0c18-11da-aa89-000c41ebd843}]
\Shell\AutoRun\command - G:\JDSecure\Windows\JDSecure20.exe
.
Contents of the 'Scheduled Tasks' folder
2008-07-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - s!:C:\Program Files\Apple Software Update\SoftwareUpdate.exe-taskSYSTEM0 []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.bulletproofsoft.com/special-offer-spyware-98743.html
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: E&xport to Microsoft Office Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2008-07-29 20:07:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-07-29 20:09:34
ComboFix-quarantined-files.txt 2008-07-30 00:09:31
ComboFix2.txt 2008-07-03 00:39:48
ComboFix3.txt 2008-07-01 01:39:16
ComboFix4.txt 2008-06-30 02:04:57
ComboFix5.txt 2008-07-30 00:00:12
Pre-Run: 3,725,348,864 bytes free
Post-Run: 3,743,723,520 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
160
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:31:39, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SMASHER\Smasher.exe
C:\Program Files\SMASHER\Smasher.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft....k/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft....k/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.c...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft....k/?LinkId=54896R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://us.rd.yahoo.c...//www.yahoo.comR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.bulletpro...ware-98743.htmlR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
https://download.mac...ash/swflash.cabO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 6039 bytes