Warning! Spyware Detected on your Computer blue and yellow Windows

#1 vinceblast (Member, 11 posts)
My computer has the background "Warning! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer."

This warning is in a blue and yellow box (yellow on top) on my Windows desktop background.

Here is my HijackThis log file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:52 AM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://espn.go.com/
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://www.yahoo.com"); (C:\Documents and Settings\MIKEO\Application

Data\Mozilla\Profiles\default\a9m1l0so.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb

_01.src"); (C:\Documents and Settings\MIKEO\Application

Data\Mozilla\Profiles\default\a9m1l0so.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt

Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window

Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat

7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -

http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} (CLaunchRBO10 Object) -

http://www.playrealb...BO_v1.1.0.0.cab
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) -

http://files.ea.com/.../v4/EARTP8X.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -

http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)

- http://security.syma...bin/AvSniff.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} -

http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupd...x86/client/wuwe

b_site.cab?1111266935530
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility

Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) -

http://turfcam.jmu.e...in/h263ctrl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

http://www.symantec....sa/SymAData.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program

Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec

Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software -

C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7057 bytes
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please make sure that Word Wrap is turned OFF in Notepad before you post your HijackThis log next time. As you can see, the formatting it creates (see the log you posted) makes it harder for us to read it. To turn this off, go to Format and make sure Word Wrap is unchecked.

1. Download combofix at http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Run a new HijackThis scan and post the log here. Make sure word wrap is turned off this time :)

#3 vinceblast (Topic Starter, Member, 11 posts)
Sorry about the Word Wrap being on. Here is the new HijackThis log after running Combofix...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:49 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\MIKEO\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MIKEO\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} (CLaunchRBO10 Object) - http://www.playrealb...BO_v1.1.0.0.cab
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/.../v4/EARTP8X.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111266935530
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://turfcam.jmu.e...in/h263ctrl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7370 bytes

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I need the Combofix log also. Don't run it again. Go to C:\Combofix\ and you should see the Combofix.txt file there. Copy and paste the contents of that file here.

#5 vinceblast (Topic Starter, Member, 11 posts)
Below is the Combofix log as well...

ComboFix 08-06-20.4 - Mikeo 2008-06-30 21:33:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.623 [GMT -4:00]
Running from: C:\Documents and Settings\Mikeo\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mikeo\Local Settings\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\b6hVzd.syz
C:\WINDOWS\system32\wl.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 21:09 . 2008-06-30 21:09 8,192 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-06-30 19:23 . 2008-06-30 19:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 19:23 . 2008-06-30 19:23 <DIR> d-------- C:\Documents and Settings\Mikeo\Application Data\SUPERAntiSpyware.com
2008-06-30 19:23 . 2008-06-30 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 19:22 . 2008-06-30 19:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 19:20 . 2008-06-30 19:20 <DIR> d-------- C:\SuperAntiSpyware
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Malware Bytes
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Documents and Settings\Mikeo\Application Data\Malwarebytes
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-30 08:32 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-30 08:32 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-30 00:54 . 2008-06-30 00:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 00:54 . 2008-06-30 00:54 <DIR> d-------- C:\HiJackThis
2008-06-29 23:34 . 2008-06-29 23:34 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-06-29 23:34 . 2008-06-29 23:34 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-06-29 23:34 . 2008-06-29 23:34 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-06-29 23:28 . 2008-06-29 23:28 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-06-29 23:28 . 2008-06-29 23:28 <DIR> d-------- C:\Documents and Settings\Mikeo\Application Data\Sunbelt Software
2008-06-29 23:28 . 2008-06-29 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-06-29 23:23 . 2008-06-29 23:27 <DIR> d-------- C:\CounterSpy
2008-06-29 00:17 . 2008-06-29 00:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-29 00:17 . 2008-06-29 00:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 19:24 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 14:38 --------- d-----w C:\Documents and Settings\Mikeo\Application Data\uTorrent
2008-06-26 05:14 --------- d-----w C:\Documents and Settings\Mikeo\Application Data\WeatherBug
2008-06-21 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania United
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 23:07 --------- d-----w C:\Documents and Settings\Mikeo\Application Data\Netscape
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2005-12-14 05:52 17,920 ----a-w C:\Documents and Settings\Mikeo\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-11-08 18:13 1597440]
"IE New Window Maximizer"="C:\Program Files\IE New Window Maximizer\iemaximizer.exe" [2003-01-24 13:21 348160]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 08:32 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-24 13:29 98304]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" [ ]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 18:52 74832]
"<NO NAME>"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]

C:\Documents and Settings\Mikeo\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoreCenter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk
backup=C:\WINDOWS\pss\CoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DigiCell.lnk
backup=C:\WINDOWS\pss\DigiCell.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
C:\Program Files\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 12:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 06:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-04-24 13:29 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-11 00:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\EA SPORTS\\NASCAR SimRacing\\NASCAR SimRacing.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\palmOne\\HOTSYNC.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"D:\\UTorrent\\utorrent.exe"=
"C:\\StubInstaller.exe"=
"D:\\Limewire\\LimeWire.exe"=
"C:\\Documents and Settings\\Mikeo\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"D:\\Sopcast\\Sopcast\\SopCast.exe"=
"D:\\Medal of Honor Pacific Assault\\mohpa.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\TrackMania United\\TmUnited.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"D:\\Links 2003\\LinksMMIII.exe"=
"D:\\CalRipkenRealBaseball\\patcher\\fc.exe"=
"D:\\CalRipkenRealBaseball\\game\\RealBaseball.exe"=
"C:\\Documents and Settings\\Mikeo\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21:TCP"= 21:TCP:ServU

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-29 23:34]
R0 SI3132r5;SiI-3132 SATALink Controller;C:\WINDOWS\system32\DRIVERS\SI3132r5.sys [2004-11-12 01:24]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 cdrmkaun;cdrmkaun;C:\DOCUME~1\Mikeo\LOCALS~1\Temp\cdrmkaun.sys []
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2002-08-29 02:16]
S3 RushTopDevice;RushTopDevice;C:\Program Files\MSI\Core Center\RushTop.sys [2004-11-16 12:54]

*Newly Created Service* - CATCHME
*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:29:58 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-07-01 01:39:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 21:38:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-30 21:39:42
ComboFix-quarantined-files.txt 2008-07-01 01:39:32

Pre-Run: 12,899,639,296 bytes free
Post-Run: 14,719,541,248 bytes free

170 --- E O F --- 2008-06-20 05:09:20

#6 vinceblast (Topic Starter, Member, 11 posts)
One other thing if it helps. The Blue/Yellow "Warning" on my background is gone. However, Internet Explorer seems to not be running correctly. Sometimes when I open IE, it will just "hang" and not open the homepage. Usually I have to cancel out of that and restart the browser again or a couple of times (or go to Start>Run>www.google.com, to get it to work and open correctly).

Also, using IE when accessing Gmail usually causes the browser to crash after about 30 seconds to a minute of usage clicking around Gmail (general program crash error where they want you to send information to diagnose, etc.). Neither of these problems occurs when I use either the Firefox or Netscape Navigator browsers. It also did not occur prior to me receiving the "Warning! Spyware..." message.

#7 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
cdrmkaun
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"<NO NAME>"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All.
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

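The CFScript above removes two things that stand out in the posted ComboFix log: the empty "<NO NAME>" value under the HKLM Run key and the cdrmkaun driver service loading from the user's Temp folder; the same log also shows the Security Center AntiVirusDisableNotify and AntiVirusOverride values set to 1. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses the "Reg Loading Points" value and service lines of such a log and flags those indicators; SAMPLE_LOG is constructed to mirror the posted format, and the Firewall* names in SECURITY_CENTER_OVERRIDES are the XP SP2 Security Center counterparts of the two values in the log, not values taken from it.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the original thread and not ComboFix's own code.
It flags an unnamed empty Run value, a driver/service loading from a
temporary folder, and Security Center override values that silence
antivirus or firewall warnings. SAMPLE_LOG is constructed to mirror the
format of the log posted in the thread.
"""
import re
import sys

# Constructed sample in the ComboFix "Reg Loading Points" format.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 18:52 74832]
"<NO NAME>"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-06-29 23:34]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 cdrmkaun;cdrmkaun;C:\DOCUME~1\Mikeo\LOCALS~1\Temp\cdrmkaun.sys []
S3 RushTopDevice;RushTopDevice;C:\Program Files\MSI\Core Center\RushTop.sys [2004-11-16 12:54]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string data" [file info]   or   "name"=dword:XXXXXXXX
VALUE_RE = re.compile(
    r'^"([^"]*)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))(?:\s+\[(.*)\])?$')
# <start type> <service name>;<display name>;<path> [file info]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]$")

# Security Center values that suppress AV/firewall warnings when set to 1.
SECURITY_CENTER_OVERRIDES = {
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride",
}
TEMP_PATH_RE = re.compile(r"\\(temp|temporary internet files)\\", re.I)


def parse_loading_points(text):
    """Return a list of dicts for registry values and service lines."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember the enclosing registry key
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"kind": "service", "start": m.group(1),
                            "name": m.group(2), "path": m.group(4),
                            "info": m.group(5)})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m.group(2) if m.group(2) is not None else int(m.group(3), 16)
            entries.append({"kind": "value", "key": key, "name": m.group(1),
                            "data": data, "info": m.group(4)})
    return entries


def triage(entries):
    """Return (severity, name, reason) tuples for suspicious entries."""
    findings = []
    for e in entries:
        if e["kind"] == "service":
            if TEMP_PATH_RE.search(e["path"]):
                findings.append(("high", e["name"],
                                 "driver/service loads from a temporary folder"))
            elif e["info"] == "":
                findings.append(("low", e["name"],
                                 "no file metadata recorded; file may be missing"))
            continue
        key = e["key"].lower()
        if key.endswith("\\run"):
            if e["name"] == "<NO NAME>" and e["data"] == "":
                findings.append(("high", e["name"],
                                 "unnamed empty Run value; installers name their entries"))
            elif isinstance(e["data"], str) and TEMP_PATH_RE.search(e["data"]):
                findings.append(("high", e["name"],
                                 "Run value points into a temporary folder"))
        elif key.endswith("\\security center"):
            if e["name"] in SECURITY_CENTER_OVERRIDES and e["data"] == 1:
                findings.append(("medium", e["name"],
                                 "Security Center warning suppressed"))
    return findings


if __name__ == "__main__":
    # Pass a saved ComboFix.txt as the first argument, or run on the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for sev, name, why in triage(parse_loading_points(text)):
        print(f"[{sev:6}] {name}: {why}")
```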

#8 vinceblast (Topic Starter, Member, 11 posts)
Here is the latest Combofix log...

ComboFix 08-06-30.2 - Mikeo 2008-07-01 20:18:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.638 [GMT -4:00]
Running from: C:\Documents and Settings\Mikeo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mikeo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctcoinst.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRMKAUN
-------\Service_cdrmkaun


((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 20:13 . 2008-07-01 20:13 <DIR> d-------- C:\ATFCleaner
2008-06-30 21:09 . 2008-06-30 21:09 8,192 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-06-30 19:23 . 2008-06-30 19:23 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-30 19:23 . 2008-06-30 19:23 <DIR> d-------- C:\Documents and Settings\Mikeo\Application Data\SUPERAntiSpyware.com
2008-06-30 19:23 . 2008-06-30 19:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-30 19:22 . 2008-06-30 19:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 19:20 . 2008-06-30 19:20 <DIR> d-------- C:\SuperAntiSpyware
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Malware Bytes
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Documents and Settings\Mikeo\Application Data\Malwarebytes
2008-06-30 08:32 . 2008-06-30 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-30 08:32 . 2008-06-28 14:16 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-30 08:32 . 2008-06-28 14:16 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-30 00:54 . 2008-06-30 00:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 00:54 . 2008-06-30 00:54 <DIR> d-------- C:\HiJackThis
2008-06-29 23:34 . 2008-06-29 23:34 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-06-29 23:34 . 2008-06-29 23:34 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-06-29 23:34 . 2008-06-29 23:34 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-06-29 23:28 . 2008-06-29 23:28 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-06-29 23:28 . 2008-06-29 23:28 <DIR> d-------- C:\Documents and Settings\Mikeo\Application Data\Sunbelt Software
2008-06-29 23:28 . 2008-06-29 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-06-29 23:23 . 2008-06-29 23:27 <DIR> d-------- C:\CounterSpy
2008-06-29 00:17 . 2008-06-29 00:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-29 00:17 . 2008-06-29 00:17 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 19:24 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 14:38 --------- d-----w C:\Documents and Settings\Mikeo\Application Data\uTorrent
2008-06-26 05:14 --------- d-----w C:\Documents and Settings\Mikeo\Application Data\WeatherBug
2008-06-21 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania United
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 23:07 --------- d-----w C:\Documents and Settings\Mikeo\Application Data\Netscape
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2005-12-14 05:52 17,920 ----a-w C:\Documents and Settings\Mikeo\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( [email protected]_21.39.17.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-01 01:13:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-02 00:24:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-11-08 18:13 1597440]
"IE New Window Maximizer"="C:\Program Files\IE New Window Maximizer\iemaximizer.exe" [2003-01-24 13:21 348160]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-02-24 08:32 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-24 13:29 98304]
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-08-16 18:52 74832]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 12:09 698864]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.jxvd"= JetMPVx.dll
"vidc.X264"= x264vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CoreCenter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CoreCenter.lnk
backup=C:\WINDOWS\pss\CoreCenter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DigiCell.lnk
backup=C:\WINDOWS\pss\DigiCell.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 12:41 196608 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 06:07 69632 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-04-24 13:29 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-11 00:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\EA SPORTS\\NASCAR SimRacing\\NASCAR SimRacing.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\palmOne\\HOTSYNC.EXE"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"D:\\UTorrent\\utorrent.exe"=
"C:\\StubInstaller.exe"=
"D:\\Limewire\\LimeWire.exe"=
"C:\\Documents and Settings\\Mikeo\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"D:\\Sopcast\\Sopcast\\SopCast.exe"=
"D:\\Medal of Honor Pacific Assault\\mohpa.exe"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\Program Files\\TrackMania United\\TmUnited.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"D:\\Links 2003\\LinksMMIII.exe"=
"D:\\CalRipkenRealBaseball\\patcher\\fc.exe"=
"D:\\CalRipkenRealBaseball\\game\\RealBaseball.exe"=
"C:\\Documents and Settings\\Mikeo\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21:TCP"= 21:TCP:ServU

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:29:58 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-07-02 00:29:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CloneCDElbyCDFL - C:\Program Files\CloneCD\ElbyCheck.exe
MSConfigStartUp-UserFaultCheck - C:\WINDOWS\system32\dumprep 0 -u


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 20:25:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2008-07-01 20:30:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 00:30:08
ComboFix2.txt 2008-07-01 01:39:47

Pre-Run: 14,778,662,912 bytes free
Post-Run: 14,742,781,952 bytes free

172 --- E O F --- 2008-06-20 05:09:20


-----------

Here is the Panda ActiveScan log...

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-01 21:36:34
PROTECTIONS: 1
MALWARE: 41
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton AntiVirus 2002 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00000431 adware/ist.istbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42b8-B3F7-832E75EDD959}
00034463 adware/wupd Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Cookies\[email protected][1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.atdmt.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.mediaplex.com/]
00148019 Application/FamilyKeylogger HackTools No 0 No No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082501.exe[ctfmon.dll]
00148021 Application/FamilyKeylogger HackTools No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082513.exe
00149645 Application/Keylogger-Pro HackTools No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082512.Dll
00157347 Application/ServUBased.A HackTools No 0 No No C:\SERVU\serv-u.rar[Serv-U32.exe]
00157347 Application/ServUBased.A HackTools No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082515.exe
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.xiti.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[ad.yieldmanager.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[www.burstbeacon.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.ads.pointroll.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adrevolver.com/]
00188737 Application/GoldenKeyLog HackTools No 0 No No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082501.exe[ctfs.dll]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.adultfriendfinder.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Cookies\[email protected][1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.go.com/]
00211481 Application/FamilyKeylogger HackTools No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082514.exe
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.atwola.com/]
00271403 Application/FamilyKeylogger HackTools No 0 No No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082501.exe[ctfmon.exe]
00387960 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082501.exe
01048936 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll
01139232 Generic Malware Virus/Trojan No 0 Yes No C:\Morpheus\Windows XP Pro SP1 Crack.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1041\A0082803.EXE
02034333 Trj/Downloader.QFY Virus/Trojan No 1 Yes No D:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082542.exe
02034333 Trj/Downloader.QFY Virus/Trojan No 1 Yes No D:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1037\A0082499.exe
02034333 Trj/Downloader.QFY Virus/Trojan No 1 Yes No D:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082534.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1041\A0082791.sys
03173390 Bck/Agent.JBM Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\b6hVzd.syz.vir
03173391 Bck/Agent.JBM Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082516.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location p
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description p
;===================================================================================================================================================================================
;===================================================================================================================================================================================

#9
vinceblast (Member, Topic Starter, 11 posts)
One other note. After I ran the Combofix, ATFCleaner, and the PandaSecurity instructions you gave above, Internet Explorer was working properly and the "e" icon for IE changed from the dark blue back to the normal light blue.

However, when I restarted my computer this morning, the "e" icon went back to the dark blue color and now IE hangs and/or crashes every now and then when I'm on certain sites. I assume it's some sort of registry key setting that is missing.

#10
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42b8-B3F7-832E75EDD959}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}]


Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Go into Firefox->Tools->Clear Private Data and hit OK to delete all your cookie and temp files.

Read here on how to repair IE to see if it helps.
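A way to triage the posted Panda ActiveScan report mechanically, as an added example that is not part of this thread and not Panda's or the forum's own tooling: it parses lines in the report's column layout, tallies findings by type, records where each one sits (registry, System Restore point, ComboFix's QooBox quarantine, browser cookies) since that decides how it is cleaned, and turns the registry-resident entries into the same REGEDIT4 deletion lines greyknight17 wrote by hand above. The function names are my own, and the sample lines are constructed from entries in the report posted in #8.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the posted Panda ActiveScan report:
# Id Description Type Active Severity Disinfectable Disinfected Location
# (entries copied from the report above; Description may contain spaces)
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00000431 adware/ist.istbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42b8-B3F7-832E75EDD959}
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Mikeo\Application Data\Mozilla\Profiles\default\a9m1l0so.slt\cookies.txt[.trafficmp.com/]
00148021 Application/FamilyKeylogger HackTools No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082513.exe
00387960 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{5E55DABB-6B44-46DB-A1A0-C8F7FD9A9560}\RP1038\A0082501.exe
03173390 Bck/Agent.JBM Virus/Trojan No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\b6hVzd.syz.vir
"""

# One finding per line. Description is the only column that may contain spaces,
# so it is matched lazily and pinned down by the fixed Yes/No and severity columns.
LINE_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) "
    r"(?P<severity>\d+) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) "
    r"(?P<location>.+)$"
)


def classify_location(location):
    """Where the detection sits, which decides how it gets cleaned."""
    if location.startswith("HKEY_"):
        return "registry"        # removable with a REGEDIT4 delete entry
    if "\\System Volume Information\\_restore" in location:
        return "restore-point"   # reachable only by purging System Restore
    if "\\QooBox\\Quarantine\\" in location:
        return "quarantined"     # already isolated by ComboFix
    if "cookies.txt[" in location or "\\Cookies\\" in location:
        return "cookie"          # cleared with the browser's private data
    return "file"


def parse_report(text):
    """Return a list of findings (dicts); separator and header lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        f["severity"] = int(f["severity"])
        for k in ("active", "disinfectable", "disinfected"):
            f[k] = f[k] == "Yes"
        f["where"] = classify_location(f["location"])
        findings.append(f)
    return findings


def summarise(findings):
    """Counts per detection type, e.g. Counter({'TrackingCookie': 1, ...})."""
    return Counter(f["type"] for f in findings)


def registry_delete_script(findings):
    """Build the REGEDIT4 text that removes every registry-resident finding,
    in the same form as the delete.reg posted in this thread."""
    keys = [f["location"] for f in findings if f["where"] == "registry"]
    lines = ["REGEDIT4", ""] + [f"[-{k}]" for k in keys]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(summarise(found)))
    for f in found:
        print(f"{f['where']:14} {f['type']:15} {f['desc']}")
    print(registry_delete_script(found))
```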



#11
vinceblast (Member, Topic Starter, 11 posts)
OK, I completed all of the steps above, including both Method #1 and #2 in the link you posted. However, neither ended up fixing the IE problems. After I restarted the computer, I am back to occasional hanging of IE when opening it and/or crashing (only on certain sites, such as gmail; this site works fine in IE). Any other ideas?

Edited by vinceblast, 02 July 2008 - 08:43 PM.


#12
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Not sure if this can still be a malware issue. For those sites that are crashing, are they related in any way?

Go to Start->Run and type in eventvwr.msc and hit OK.

What we're looking for are the Errors from the System and Application viewers. You'll see something like this: Application Error...

Locate the ones with a big red X that say error. Double click to open it. Hit the Tablet (Says Copy to Clipboard if you hover mouse over it) and then CTRL+V to paste the info into the post. Give us like 5 of the last errors found.

#13 vinceblast (Member, Topic Starter)
When IE "hangs", it seems to be after I restart and open IE for the first time. About 50% of the time, I will open IE after restarting and it will sit there and not go to the homepage, even though it looks like it's trying to open something. I then have to Ctrl-Alt-Del out of it and restart the browser. It then opens to the homepage with no issue.

As far as it crashing on random sites, it seems to be sites with either java or flash on them (I can't tell which app they are using). Examples include gmail.com and the PGATour site that has live scoring (http://www.pgatour.c...oard/index.html). I'm wondering if upgrading to IE 7 would help and/or just sticking with Firefox. That ATFcleaner program seemed to help (I could use the two above sites for hours without crashing...normally it crashes within a few minutes), but then when I restarted it was back to the hanging and crashing.

Here are the error logs...

APPLICATION

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 7/4/2008
Time: 6:13:50 PM
User: N/A
Computer: VINCEBLAST
Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 7/4/2008
Time: 6:13:30 PM
User: N/A
Computer: VINCEBLAST
Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x0118c838.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 7/2/2008
Time: 10:35:06 PM
User: N/A
Computer: VINCEBLAST
Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x04781f1f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 7/2/2008
Time: 10:19:43 PM
User: N/A
Computer: VINCEBLAST
Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x01471f1f.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 7/2/2008
Time: 10:10:18 PM
User: N/A
Computer: VINCEBLAST
Description:
Fault bucket 754781122.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Event Type: Error
Event Source: Application Hang
Event Category: None
Event ID: 1001
Date: 7/2/2008
Time: 10:10:15 PM
User: N/A
Computer: VINCEBLAST
Description:
Fault bucket 126637809.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

SYSTEM


Event Type: Error
Event Source: nvatabus
Event Category: None
Event ID: 4
Date: 7/4/2008
Time: 6:09:21 PM
User: N/A
Computer: VINCEBLAST
Description:
Device slot returned an invalid status value. See data for detailed information.

Event Type: Error
Event Source: nvatabus
Event Category: None
Event ID: 4
Date: 7/4/2008
Time: 5:53:27 PM
User: N/A
Computer: VINCEBLAST
Description:
Device slot returned an invalid status value. See data for detailed information.

Event Type: Error
Event Source: nvatabus
Event Category: None
Event ID: 4
Date: 7/4/2008
Time: 10:18:19 AM
User: N/A
Computer: VINCEBLAST
Description:
Device slot returned an invalid status value. See data for detailed information.

I appreciate the help on all of this. Any idea what the name of the virus/worm/trojan/malware was on my computer when this all started?

#14 vinceblast (Member, Topic Starter)
In addition to the above, my Internet Connection will go out after about 3 hours and I will have to re-start. Here is the problem:

Event Type: Warning
Event Source: Tcpip
Event Category: None
Event ID: 4226
Date: 7/5/2008
Time: 12:51:11 AM
User: N/A
Computer: VINCEBLAST
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

For more information, see Help and Support Center at http://go.microsoft....link/events.asp.

Here is the explanation...

http://www.microsoft...e...p&LCID=1033

So maybe there is still some malware on my computer if it's trying to connect to other computers, according to the site explanation above? Here are the connections when I run netstat -no after the Internet goes out at about the 3 hour mark...

Proto Local Address Foreign Address State PID
TCP 127.0.0.1:1027 127.0.0.1:2841 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2843 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2845 ESTABLISHED 564
TCP 127.0.0.1:1071 127.0.0.1:1072 ESTABLISHED 3140
TCP 127.0.0.1:1072 127.0.0.1:1071 ESTABLISHED 3140
TCP 127.0.0.1:1073 127.0.0.1:1074 ESTABLISHED 3140
TCP 127.0.0.1:1074 127.0.0.1:1073 ESTABLISHED 3140
TCP 127.0.0.1:2845 127.0.0.1:1027 ESTABLISHED 2944
TCP 192.168.11.2:2846 65.61.209.5:110 SYN_SENT 564

3140 is the Firefox browser and 564 is Microsoft Outlook email.

Edited by vinceblast, 05 July 2008 - 01:24 PM.

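A quick way to see which process is piling up the half-open connection attempts that Tcpip event 4226 refers to, as an added example in Python (not from the thread): it parses netstat -no output into rows, counts SYN_SENT attempts per PID, counts the distinct hosts each PID is trying to reach, and lists the PIDs whose attempts alone reach the XP SP2 limit of 10 concurrent incomplete outbound connections. The first nine sample rows mirror the post above; the rows appended after them, and PID 1234, are constructed for the example.

```python
from collections import Counter, defaultdict
# Constructed sample of "netstat -no" output on Windows XP. The first nine rows
# mirror the post above; the appended rows are made up to show one process
# (hypothetical PID 1234) holding many half-open attempts to distinct hosts.
SAMPLE = """\
  Proto  Local Address       Foreign Address     State        PID
  TCP    127.0.0.1:1027      127.0.0.1:2841      TIME_WAIT    0
  TCP    127.0.0.1:1027      127.0.0.1:2843      TIME_WAIT    0
  TCP    127.0.0.1:1027      127.0.0.1:2845      ESTABLISHED  564
  TCP    127.0.0.1:1071      127.0.0.1:1072      ESTABLISHED  3140
  TCP    127.0.0.1:1072      127.0.0.1:1071      ESTABLISHED  3140
  TCP    127.0.0.1:1073      127.0.0.1:1074      ESTABLISHED  3140
  TCP    127.0.0.1:1074      127.0.0.1:1073      ESTABLISHED  3140
  TCP    127.0.0.1:2845      127.0.0.1:1027      ESTABLISHED  2944
  TCP    192.168.11.2:2846   65.61.209.5:110     SYN_SENT     564
""" + "".join(
    f"  TCP    192.168.11.2:{3000 + i}   10.0.0.{i + 1}:25   SYN_SENT     1234\n"
    for i in range(12)
)

# XP SP2 allows at most this many concurrent incomplete (SYN_SENT) outbound
# connection attempts machine-wide; beyond it, Tcpip logs event 4226.
XP_HALF_OPEN_LIMIT = 10

def parse_netstat(text):
    """Return one dict per TCP row: local, foreign, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            rows.append({"local": parts[1], "foreign": parts[2],
                         "state": parts[3], "pid": int(parts[4])})
    return rows

def half_open_by_pid(rows):
    """Count SYN_SENT rows per PID; these are what the limit counts."""
    return Counter(r["pid"] for r in rows if r["state"] == "SYN_SENT")

def distinct_targets_by_pid(rows):
    """Number of distinct remote hosts each PID has half-open attempts to."""
    hosts = defaultdict(set)
    for r in rows:
        if r["state"] == "SYN_SENT":
            hosts[r["pid"]].add(r["foreign"].rsplit(":", 1)[0])
    return {pid: len(h) for pid, h in hosts.items()}

def pids_at_limit(rows, limit=XP_HALF_OPEN_LIMIT):
    """PIDs whose half-open attempts alone reach the machine-wide limit."""
    return sorted(pid for pid, n in half_open_by_pid(rows).items() if n >= limit)
```

One process with many SYN_SENT rows to many different hosts is the pattern that trips the limit; a single SYN_SENT to a mail server on port 110, as in the post, is not.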

#15 greyknight17 (Malware Expert, Visiting Consultant)
Do you have any add-ons for the IE6 browser? If so, you might want to try disabling them to see if it helps.

For the internet issue, does anything work at all? Can you ping anything from the command prompt? I see that you have uTorrent running. I don't recommend using any file sharing programs as they can help contribute to malware infections. Try turning that off to see if it helps.

You have one of the common infections by rogueware programs and some other trojans.